freebsd security - Sep 2003 - OpenSSH heads-up

OK, an official OpenSSH advisory was released, see here:
<URL:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>

The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
applied to the security branches as well today.  Attached are patches:

   buffer46.patch -- For FreeBSD 4.6-RELEASE and later
   buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier

Currently, I don't believe that this bug is actually exploitable for
code execution on FreeBSD, but I reserve the right to be wrong :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
-------------- next part --------------
Index: crypto/openssh/buffer.c
==================================================================RCS file:
/home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.3
diff -c -c -r1.1.1.1.2.3 buffer.c
*** crypto/openssh/buffer.c	28 Sep 2001 01:33:33 -0000	1.1.1.1.2.3
--- crypto/openssh/buffer.c	16 Sep 2003 13:19:26 -0000
***************
*** 69,74 ****
--- 69,76 ----
  void
  buffer_append_space(Buffer *buffer, char **datap, u_int len)
  {
+ 	u_int	newlen;
+ 
  	/* If the buffer is empty, start using it from the beginning. */
  	if (buffer->offset == buffer->end) {
  		buffer->offset = 0;
***************
*** 93,100 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  }
  
--- 95,106 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
! 		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  }
  
-------------- next part --------------
Index: crypto/openssh/buffer.c
==================================================================RCS file:
/home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.4
diff -c -c -r1.1.1.1.2.4 buffer.c
*** crypto/openssh/buffer.c	3 Jul 2002 22:11:41 -0000	1.1.1.1.2.4
--- crypto/openssh/buffer.c	16 Sep 2003 13:10:22 -0000
***************
*** 69,74 ****
--- 69,75 ----
  void *
  buffer_append_space(Buffer *buffer, u_int len)
  {
+ 	u_int newlen;
  	void *p;
  
  	if (len > 0x100000)
***************
*** 98,108 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	if (buffer->alloc > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    buffer->alloc);
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  	/* NOTREACHED */
  }
--- 99,111 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  	/* NOTREACHED */
  }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030916/206d2d9d/attachment.bin

Is this advisory available anywhere else?  I'm continually getting
server timeout when trying to load this URL.  Meanwhile www.openssh.org
doesn't seem to have any mention of the advisory.  [?]

-Mitch

On Tue, 16 Sep 2003, Jacques A. Vidrine wrote:
> OK, an official OpenSSH advisory was released, see here:
> <URL:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>
>
> The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
> applied to the security branches as well today.  Attached are patches:
>
>    buffer46.patch -- For FreeBSD 4.6-RELEASE and later
>    buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
>
> Currently, I don't believe that this bug is actually exploitable for
> code execution on FreeBSD, but I reserve the right to be wrong :-)
>
> Cheers,
> --
> Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
> nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

On Tue, Sep 16, 2003 at 09:59:18AM -0500, Marius Strom
wrote:
> Jacques,
> Mind posting to -security which parts of the world need to be recompiled
> for this patch to take effect?
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

For later versions of FreeBSD, you really only need rebuild libssh,
but the above should be safe on any version.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

Hi, what is the proper building procedure ?  If there is no /usr/obj

cd /usr/src/secure/
make obj
make depend
make
make install

         ---Mike

At 09:43 AM 16/09/2003, Jacques A. Vidrine wrote:
>OK, an official OpenSSH advisory was released, see here:
><URL: 
>http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
> >
>
>The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
>applied to the security branches as well today.  Attached are patches:
>
>    buffer46.patch -- For FreeBSD 4.6-RELEASE and later
>    buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
>
>Currently, I don't believe that this bug is actually exploitable for
>code execution on FreeBSD, but I reserve the right to be wrong :-)
>
>Cheers,
>--
>Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
>
>

On Tue, Sep 16, 2003 at 06:05:43PM +0200, Udo Schweigert
wrote:
> On Tue, Sep 16, 2003 at 08:43:47 -0500, Jacques A. Vidrine wrote:
> > OK, an official OpenSSH advisory was released, see here:
> > <URL:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>
> > 
> > The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
> > applied to the security branches as well today.  Attached are patches:
> > 
> >    buffer46.patch -- For FreeBSD 4.6-RELEASE and later
> >    buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
> > 
> 
> And what about the port /usr/ports/security/openssh-portable? It should -
at
> least - be fixed for the 4.9-RELEASE.
Ports fixed about 3 hours 27 minutes ago :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

At 07:43 AM 9/16/2003, Jacques A. Vidrine wrote:
  
>OK, an official OpenSSH advisory was released, see here:
><URL:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
Interesting. During the past 48 hours, we've been probed several times by
hosts that connected to each of our servers on Port 22 and then disconnected
without authenticating. (They were probably just looking for the greeting.)
For example:

Sep 14 11:18:54 www sshd[16658]: fatal: Timeout before authentication for
62.107.50.87.

The source of the probes appears to be in Denmark.

Could it be that some party or parties knew about this before the announcement
and is probing for hosts to exploit?

--Brett Glass

On Tue, Sep 16, 2003 at 12:41:14PM -0600, Brett Glass
wrote:
> Could it be that some party or parties knew about this before the
> announcement and is probing for hosts to exploit?
There have been rumours of an ssh2 exploit for over a week.  The
first concrete indication that I received that there was a bug was an
OpenBSD commit message last night.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

tburress@sjca.edu wrote
>On Tue, 16 Sep 2003, Devon H. O'Dell wrote:
>
>  
>
>>Using buffer46.patch you provided in the earlier email here (haven't
>>tried the SA) I was unable to patch a 5.1-REL system -- both hunks
>>failed. I think there were a couple extra comments in the header, but
>>I'm not sure; I didn't look too hard. I just edited it by hand.
>>    
>>
>
>I got it to work on 5.1-REL using buffer46.patch; I used the patch as it
>came from the email above, and everything went smoothly.
>  
>
Ah well. Unless anybody's terribly worried that I've got some sort of 
horrible trojan (you know, one of those non-existant ones that turns a 
typecast into a rootshell), I think I'm okay. ;).

--Devon

On Tue, Sep 16, 2003 at 08:43:47 -0500, Jacques A. Vidrine
wrote:
> OK, an official OpenSSH advisory was released, see here:
> <URL:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>
> 
> The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
> applied to the security branches as well today.  Attached are patches:
> 
>    buffer46.patch -- For FreeBSD 4.6-RELEASE and later
>    buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
> 
And what about the port /usr/ports/security/openssh-portable? It should - at
least - be fixed for the 4.9-RELEASE.

Best regards

--
Udo Schweigert, Siemens AG   | Voice      : +49 89 636 42170
CT IC CERT, Siemens CERT     | Fax        : +49 89 636 41166
D-81730 Muenchen / Germany   | email      : udo.schweigert@siemens.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 16 Sep 2003 08:43:47 -0500 "Jacques A. Vidrine"
<nectar@FreeBSD.org>
wrote:
> OK, an official OpenSSH advisory was released, see here:
> <URL:
>
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
> >
	
	So what this basically does is: not incrementing buffer->alloc, but using a
new
integer variable instead, which we compare to 0xa00000. How does this help ?
I'm
not an expert in off-by-one vulnerabilities. It'd be nice if someone
enlightened
me a little bit.
> 
> The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
> applied to the security branches as well today.  Attached are patches:
	I noticed the patch being commited to the openssh ports. Is it going to be
merged in the source tree as well ? I took the liberty of modifying buffer.c
myself, like Jacques' patch did.
> 
>    buffer46.patch -- For FreeBSD 4.6-RELEASE and later
>    buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
> 
> Currently, I don't believe that this bug is actually exploitable for
> code execution on FreeBSD, but I reserve the right to be wrong :-)
> 
> Cheers,
> -- 
> Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
> nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
> 

- ------
Vlad Galu
Senior IP Engineer
Romania Data Systems NOC in Bucharest
Phone:	+40 21 30 10 850
Web:	http://www.rdsnet.ro
PGP:	http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x53ABCE97
- -----------------------------------------------------------------------
Privileged/Confidential  Information may  be contained in this message.
If you are not the  addressee indicated in this message (or responsible
for  delivery of the  message to such a  person), you  may not  copy or
deliver this message to anyone. In such a case, you should destroy this
message and kindly notify the sender by reply e-mail.
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/Zx/TP5WtpVOrzpcRAkZKAJ4i0nMg+SjVPSo7Kzw2qzHpYk/IhQCdHnmA
7MT6DO9f+vmEpTwWoz3A76w=zwK5
-----END PGP SIGNATURE-----