Home / vulnerabilitiesPDF  

OpenSSH 6.8 Insecure Functions

Posted on 04 April 2015
Source : packetstormsecurity.org Link

 

-=[Advanced Information Security Corp]=-

Author: Nicholas Lemonias
Report Date: 2/4/2015
Email: lem.nikolas (at) gmail (dot) com

Introduction
==========
During a source-code audit of the OpenSSH v6.8 (latest) release
implementation for linux; conducted internally by the Advanced
Information Security
Group, instances of insecure function use were observed, which could
possibly lead to some attacks.

Software Overview
===============
OpenSSH, also known as OpenBSD Secure Shell,
is a suite of security-related network-level utilities based on the
SSH protocol,
which help to secure network communications via the encryption of
network traffic
over multiple authentication methods and by providing secure
tunneling capabilities.
OpenSSH was designed as a free and open source alternative to the
proprietary SSH implementation developed
by Tatu Ylönen and offered by SSH Communications Security.

OpenSSH is a project of the OpenBSD team.

PoC 1 - Code Snippet [CWE-401]
==============================
(...openssh6.8openssh-6.8packet.c:1271)

int
ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
{
struct session_state *state = ssh->state;
int len, r, ms_remain, cont;
fd_set *setp;
char buf[8192];
struct timeval timeout, start, *timeoutp = NULL;

DBG(debug("packet_read()"));

setp = (fd_set *)calloc(howmany(state->connection_in + 1,
NFDBITS), sizeof(fd_mask));
if (setp == NULL)
return SSH_ERR_ALLOC_FAIL;

/*
* Since we are blocking, ensure that all written packets have
* been sent.
*/
if ((r = ssh_packet_write_wait(ssh)) != 0)
return r;

/* Stay in the loop until we have received a complete packet. */
for (;;) {
/* Try to read a packet from the buffer. */
r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
if (r != 0)
break;
if (!compat20 && (
*typep == SSH_SMSG_SUCCESS
|| *typep == SSH_SMSG_FAILURE
|| *typep == SSH_CMSG_EOF
|| *typep == SSH_CMSG_EXIT_CONFIRMATION))
if ((r = sshpkt_get_end(ssh)) != 0)
break;
/* If we got a packet, return it. */
if (*typep != SSH_MSG_NONE)
break;
/*
* Otherwise, wait for some data to arrive, add it to the
* buffer, and try again.
*/
memset(setp, 0, howmany(state->connection_in + 1,
NFDBITS) * sizeof(fd_mask));
FD_SET(state->connection_in, setp);

Description: Memory leak caused by variable setp.

PoC 2 - Code Snippet [CWE-134]
================================
(...openssh6.8openssh-6.8hmac.c .c:155)

if (memcmp(e, digest, elen)) {
for (i = 0; i < elen; i++)
printf("[%zd] %2.2x %2.2x
", i, e[i], digest[i]);
printf("mismatch
");
} else
printf("ok
");
}

Description: size_t is vulnerable to a format string.

Appendices
===========
Sincere Thanks to the OpenSSH team for their mutual efforts.

References
==========

[1] OpenBSD Group (2015) OpenSSH 6.8 COMMIT Messages,
Available at: http://www.mindrot.org/openssh_snap/ChangeLog,
Accessed: 4/2/2015.

 

TOP