Remote Root Exploit In lsh

skookum writes "After last week's OpenSSH patch-fest, a lot of people suggested GNU lsh as a replacement. Unfortunately, it seems that the lsh team has recently discovered a heap overflow bug of their own that can lead to compromise. An exploit was posted to BugTraq two days ago. Happy patching."

The standard conclusion

[Overly+Critical+Guy]

Nothing is 100% secure, nothing is flawless, all operating systems are imperfect pieces of junk we're lucky to have running in the first place.

I have to laugh

[kakos]

All the people that were saying that the lsh code just 'looked' better than the OpenSSH code, a word of advice: looks don't mean jack or shit.

I don't know much about the development process of lsh, but I'm betting it doesn't do any security audits like OpenSSH does.

A replacement for C?

[guacamole]

Does there exist a good replacement for C? Obviously, things aren't getting any better even though most programmers are aware of and try to avoid various types of typical C problems like buffer overflows, "off by one" errors, "double free" errors, fmt string vulnerabilities, etc. This language should be reserved for low level programming tasks like OS and compiler development only. For other tasks we need an efficient, portable language with automatic memory management, easy string handling, and object oriented facilities. For efficiency reasons, I think that Java or scripting languages like Pythnon are not a good replacement for C. What other alternatives are out there?

Re:A replacement for C?

[cduffy]

A good replacement for C, eh? How 'bout C? Or, say, C?

Honestly, though: For low-level programming, there *is* no good replacement for C, for a simple reason: the same power that makes it dangerous is also the power that makes it useful. For high-level programming, there are lots of good replacements -- and you just mentioned, and wrote off, two of the best of them.

Java is getting better (witness the presence of the NIO API in 1.4), and I've got strong hopes for C# and its kin -- but part of what makes C# so useful is its simple API for access to C libraries, something that Java makes much harder. That said, for almost all of the high-level programming I do, I use Python (except at work, where I don't always get to pick; in the cases where I don't have the choice, I write Java).

Sure, Python and Java aren't suitable for low-level work -- but that's what C is good for. And since calling from Python down to C is simple, writing optimized versions of performance-sensitive routines is easy, in the rare event that it actually needs to be done (which has, in my five or so years of writing Python, happened all of once, when I needed some efficient drawing routines which were most readily available from a C library without preexisting python bindings).

Compiling Java to native code with GCJ also decreases the startup-time and runtime performance penalty without sacrificing type-safety -- and works for applications using an increasingly large subset of the available APIs.

Scheme is another language that many folks are too quick to write off. Not only does the language have the expected type-safety goodness -- but compiled scheme can be *very* fast. (On the down side, the lack of a useful standard runtime library is very disappointing).

So, yes, for high-level stuff, there are lots of alternatives... but what are you going to write your Python interpreter or low-level libraries in? For some jobs, there's still no good replacement for C. (Further, I'm not by any means convinced that low-level work *should* be done in an OO language... but that's a different conversation).

Re:After 20+ years of buffer overflow exploits...

[2Bits]

That was something on my mind, when the problem was announced for openssh.

One thing we could do would be to "deprecate" funtions/modules that are known to be insecure, a la Java, and phase in the more secure ones. Like those old string manipulation funtions, if we can't make them secure and have already introduced something better, why not phasing them out?

And make the compiler flag it when it finds any deprecated functions.

Introduce this phase-in period over 2 to 3 years, that should be enough time for everyone to update their software, if that software is still maintained. And it's not maintained anymore, you prolly should be looking for something new anyways, unless your machine is not connected to the network, and you do not (absolutely not) introduce any new component to the system, or unless if you don't give a damn that the machine is owned.

If we are conservative, maybe introduce the phase in/out period longer, like 5 years or so.

I don't really give a darn about maintaining backward compatibility at all cost. Backward compatibility is good, but not at all cost. Software is an evolving thing. I code for a living, it sure is a pain, but sometimes, I just feel it's necessary to cut the bond and move to the next level.

Re:oh, right

[jonabbey]

The number of users of lsh today is immaterial to the question of justification for the lsh team's efforts, really. Ssh is critical stuff to have.. we have alternatives in mail transport servers, ftp servers and clients, web servers, programming languages.. why in the world not for free ssh implementations?

C can be used with appropriate measures

[Serious+Simon]

C doesn't impose measures against buffer overflows, but that doesn't mean it is prohibitively difficult to implement them.

You can easily find information on how to avoid buffer overflows, such as in this article.

However, the developers in the lsh project (for example) do not appear to have given this subject much thought. In the lsh manual, the chapter on Threats silently assumes the software works as designed. It does not mention protection against exploits such as buffer overflows.

And the coding standards outlined in the lsh hacking guide are targeted at avoiding breakage by the programmers, not by outside attackers.

Projects developing exploit-sensitive software should implement proper measures to avoid buffer overflows. As long as this is done, C may still be the appropriate language for such projects.

Complain all you want about OpenSSH

It is interesting to see the types of holes that have been found in OpenSSH to date - these are *far* beyond typical buffer overrun problems that some other software projects suffer. Because of its popularity, it has become an attractive target and thus something of proving ground for new attack methods - int overflows, malloc corruption / free() exploits. OpenSSH is getting the bugs slowly beaten out of it.

Re:Telnet

[Spy+Hunter]

Time and time again, it has been proven that software written in C will be insecure. If you don't take extraordinary precautions which are far too inconvenient for most programmers to accept, you *will* have security holes in a network service written in C. And if you do take those precautions, they will interfere with the goal of providing a feature-rich, modern, up-to-date piece of software. Why oh why hasn't there been a move toward writing network services in languages which make most common kinds of security holes impossible? A SSH server written in Java will have zero buffer overflows. Nada. Zilch. It won't have any double-free bugs, or stack-smashing attacks of any kind. That way, developers can focus on fixing the logic bugs and implementing new features.

It's very easy to understand. If you write your server in a language that prevents several common sources of root exploits, then the number of root exploits present in your code will be dramatically reduced. I would definitely be willing to put up with a server that was twice as slow if it had no possibility of buffer overflows, ever.