Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


[openssh-unix-announce] OpenSSH Security Advisory (adv.token)
.

  • Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.token)
  • From: provos at citi.umich.edu (Niels Provos)
  • Date: Thu May 22 12:10:12 2003
.
 
A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file.  Ticket and token passing
is not enabled by default.

1. Systems affected:

        All Versions of OpenSSH compiled with AFS/Kerberos support
        and ticket/token passing enabled contain a buffer overflow.

        Ticket/Token passing is disabled by default and available
        only in protocol version 1.

2. Impact:

        Remote users may gain privileged access for OpenSSH < 2.9.9

        Local users may gain privileged access for OpenSSH < 3.3

        No privileged access is possible for OpenSSH with
	UsePrivsep enabled.

3. Solution:

	Apply the following patch and replace radix.c with
	http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

	[EMAIL PROTECTED] for notifying the OpenSSH team.
	http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c	26 Mar 2002 15:23:40 -0000	1.24
+++ bufaux.c	19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
 	BN_bin2bn(bin, len, value);
 	xfree(bin);
 }
-
 /*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
  */
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+	u_char buf[2];
+	buffer_get(buffer, (char *) buf, 2);
+	return GET_16BIT(buf);
+}
+
 u_int
 buffer_get_int(Buffer *buffer)
 {
@@ -158,8 +166,16 @@
 }

 /*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
  */
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+	char buf[2];
+	PUT_16BIT(buf, value);
+	buffer_append(buffer, buf, 2);
+}
+
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h	18 Mar 2002 17:25:29 -0000	1.17
+++ bufaux.h	19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
 void	buffer_get_bignum(Buffer *, BIGNUM *);
 void	buffer_get_bignum2(Buffer *, BIGNUM *);

+u_short	buffer_get_short(Buffer *);
+void	buffer_put_short(Buffer *, u_short);
+
 u_int	buffer_get_int(Buffer *);
 void    buffer_put_int(Buffer *, u_int);
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.