Bugtraq mailing list archives
SSH Authentication Vulnerability
From: jmcneely () SSES NET (John P. McNeely)
Date: Wed, 10 May 2000 18:15:22 -0400
Sword & Shield Enterprise Security, Inc. - Security Advisory
www.sses.net, Copyright (c) 2000

Advisory:     Secure Shell Authentication Vulnerability
Release Date: May 10, 2000
Application:  sshd
Severity:     High - A user (local or remote) can log into any account with a
              valid login shell.
Status:       Affected systems should install an alternative version.
Archive:      The advisory sses-002-auth-vul.txt is available at
              ftp://ftp.sses.net/pub/security/advisories

SUMMARY
-------

A vulnerable secure shell distribution is available from the popular Zedz
Consultants FTP site (formerly known as replay.com). The RedHat Linux RPM
ssh-1.2.27-8i.src.rpm contains a PAM patch whose faulty logic allows users to
pass through the username/password authentication step and gain shell access.
It should be stressed that the ssh distributions 1.2.27-7us.rpm and
1.2.27-7i.rpm available from the web site do not contain this vulnerability.

The vulnerable distribution (1.2.27-8i.src.rpm) is located in the "incoming"
directory at ftp://ftp.zedz.net/pub/cryptoI/incoming (formerly
pub/crypto/incoming). It is also possible that the distribution could have been
obtained from the pub/crypto/redhat/unsorted directory. Due to the obscure
location of the vulnerable distribution it is not known at this time how
widespread the impact of this vulnerability is. The vulnerable distribution has
been removed from the site and should no longer be accessible.

DESCRIPTION
-----------

The vulnerable ssh distribution is patched with defective logic related to PAM
authentication. The offending code from the patch file ssh-1.2.27-pam.patch is:

+#ifdef HAVE_PAM
+  {
+    retval = origretval;
+    pampasswd = xstrdup(password);
+    if (retval == PAM_SUCCESS)
+      retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+    if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
+      retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+    xfree(pampasswd);
+  }
+#else /* HAVE_PAM */

Note the last 'if' statement: whether pam_authenticate() succeeds or fails with
PAM_AUTH_ERR (the result for a wrong or locked password), pam_acct_mgmt() is
called and its return value overwrites the contents of retval. Assuming the
pam_acct_mgmt() call is successful, and it tends to be, the remaining patch
code dealing with PAM authentication then opens a session with:

+#ifdef HAVE_PAM
+  {
+    if (retval == PAM_SUCCESS)
+      retval = pam_open_session ((pam_handle_t *)pamh, 0);
+    return (retval == PAM_SUCCESS);
+  }
+#endif /* HAVE_PAM */

Running the patch command

  patch -p0 -b < ssh-1.2.27-pam.patch

gives:

  patching file `ssh-1.2.27/acconfig.h'
  patching file `ssh-1.2.27/auth-passwd.c'
  patching file `ssh-1.2.27/config.h.in'
  patching file `ssh-1.2.27/configure.in'
  patching file `ssh-1.2.27/sshd.c'

The faulty PAM authentication logic is then inserted into the auth_password()
function in the auth-passwd.c file at lines 745-755 and 879-885.

IMPACT
------

The impact of this bug can be quite severe. On systems where the
/etc/ssh/sshd_config file contains 'PermitRootLogin=yes', any remote or local
user can obtain root access by specifying a root login and entering a non-null
password.

For example, if a system (pigpen) configured with the vulnerable ssh server
package has a valid user account (joe), then the command:

  % ssh -l joe pigpen
  joe@pigpen's password: 123    <--- sshd prompts for password, enter '123'.
  ...                           <--- faulty authentication check performed
  [joe@pigpen]$                 <--- user shell accessed

Checking the syslogs also reveals signs of the problem:

  1- May 8 13:12:50 pigpen sshd[13422]: connect from 10.10.10.10
  2- May 8 13:12:50 pigpen sshd[13422]: log: Connection from 10.10.10.10 port 1209
  3- May 8 13:12:52 pigpen PAM_pwdb[13422]: authentication failure; (uid=0) -> joe for ssh service
  4- May 8 13:12:53 pigpen PAM_pwdb[13422]: (ssh) session opened for user joe by (uid=0)
  5- May 8 13:12:53 pigpen sshd[13422]: log: Password authentication for joe accepted.

Note the authentication failure recorded by PAM on line 3, while lines 4-5 show
the session being opened anyway.

It is important to note a few things here:

1) Even if an account is password locked, if it has a valid shell the account
   can be accessed.
2) Site-specific user accounts are not necessary for searching out vulnerable
   systems when standard Linux distribution/package accounts like 'gdm',
   'postgres', or 'mysql' will do.

This vulnerable SSH RPM has been available since March 1, 2000.

RESOLUTION
----------

De-install: If your ssh installation is vulnerable, remove the vulnerable
version and install version 1.2.27-7us.

Use OpenSSH: Another alternative to consider is switching over to OpenSSH,
available from http://www.openssh.com.

AFFECTED VERSIONS and SYSTEMS
-----------------------------

RedHat Linux, RPM ssh-1.2.27-8i.src.rpm.

ACKNOWLEDGEMENTS
----------------

The bug discovery, test, demonstration, vendor coordination, and advisory
generation are the results of SSES, Inc. security engineers John McNeely and
Dennis Edmonds. Thanks to Alex De Joode at Zedz Consultants for a quick
response and removal of the vulnerable distribution.

DISCLAIMER
----------

Although SSES, Inc. intends to provide accurate information, this advisory does
not claim to be complete or usable for any purpose.

NO WARRANTY
-----------

This advisory is provided on an "as is" basis. SSES, Inc. makes no warranties
of any kind, either expressed or implied, as to any matter including, but not
limited to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. SSES, Inc. does not
make any warranty of any kind with respect to freedom from patent, trademark,
or copyright infringement. The supplied advisory is not to be used for
malicious purposes and should be used for informational purposes only.
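Review bot: in the first quoted hunk, the condition `if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)` lets pam_acct_mgmt() run after pam_authenticate() has already rejected the password, and its return value replaces retval, so a wrong or locked password becomes PAM_SUCCESS whenever account management passes. Drop the `|| retval == PAM_AUTH_ERR` clause so that account management only runs on a successful authentication; the only value that should ever reach the session-opening check is one where every PAM step returned PAM_SUCCESS.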
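Review bot: the second quoted hunk keeps no independent record of whether pam_authenticate() succeeded; `if (retval == PAM_SUCCESS) retval = pam_open_session(...)` trusts whatever the earlier hunk left in retval, so once pam_acct_mgmt() has overwritten a PAM_AUTH_ERR, pam_open_session() runs and the function returns true. Holding the pam_authenticate() result in its own variable and requiring it to be PAM_SUCCESS here as well would stop a bad result upstream from turning into an opened session, and is cheap insurance even once the first hunk is corrected.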
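To make the defect concrete, here is an added example (not code from the SSES advisory or from the ssh-1.2.27 sources) that reproduces the result handling of the patch against stub PAM calls, with the faulty ordering beside a corrected one. The pam_handle_t layout, the constant values and the stub behaviour (the password check rejects anything but "correct"; account management passes unless the account is flagged expired) are assumptions made for this demonstration, and origretval is taken to be PAM_SUCCESS on entry since the patch excerpt does not show where it comes from.

```c
/* Added example, not code from the SSES advisory or the ssh-1.2.27 sources:
 * the PAM result handling from ssh-1.2.27-pam.patch reproduced against stub
 * PAM calls, beside a corrected ordering, so the effect can be run locally. */
#include <stdio.h>
#include <string.h>

/* Stand-ins for <security/pam_appl.h>. The handle layout and the constant
 * values are assumptions for this demo, not Linux-PAM's real definitions. */
typedef struct {
    const char *password;     /* what the client typed */
    int account_expired;      /* makes the stub pam_acct_mgmt() fail */
} pam_handle_t;
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_ACCT_EXPIRED = 13 };

/* Stub modules: the password check rejects anything but "correct" (a locked
 * account behaves the same way, its password never matches); account
 * management passes for any unexpired account, the usual case the advisory
 * relies on ("and it tends to be"). */
static int pam_authenticate(pam_handle_t *pamh, int flags)
{
    (void)flags;
    return strcmp(pamh->password, "correct") == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}
static int pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    (void)flags;
    return pamh->account_expired ? PAM_ACCT_EXPIRED : PAM_SUCCESS;
}

/* Sequence from the patch. origretval is assumed to be PAM_SUCCESS here.
 * The second if admits PAM_AUTH_ERR, so pam_acct_mgmt() runs after a rejected
 * password and its PAM_SUCCESS overwrites the failure. Returns 1 = login. */
static int auth_password_vulnerable(const char *password, int account_expired)
{
    pam_handle_t h = { password, account_expired };
    int retval = PAM_SUCCESS;                              /* origretval */
    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(&h, 0);
    if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)   /* the defect */
        retval = pam_acct_mgmt(&h, 0);
    return retval == PAM_SUCCESS;
}

/* Corrected sequence: each PAM step runs only if every earlier one succeeded,
 * so a failed pam_authenticate() can never be turned into a success. */
static int auth_password_fixed(const char *password, int account_expired)
{
    pam_handle_t h = { password, account_expired };
    int retval = PAM_SUCCESS;
    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(&h, 0);
    if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt(&h, 0);
    return retval == PAM_SUCCESS;
}

int main(void)
{
    printf("wrong password '123', vulnerable: %d  fixed: %d\n",
           auth_password_vulnerable("123", 0), auth_password_fixed("123", 0));
    printf("right password,       vulnerable: %d  fixed: %d\n",
           auth_password_vulnerable("correct", 0), auth_password_fixed("correct", 0));
    printf("wrong pw, expired,    vulnerable: %d  fixed: %d\n",
           auth_password_vulnerable("123", 1), auth_password_fixed("123", 1));
    return 0;
}
```

With the wrong password the vulnerable path grants the login (1) and the fixed path refuses it (0); only an account that also fails pam_acct_mgmt() is refused by both, which is why the advisory notes that locked accounts with a valid shell are still reachable.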
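A triage check for the syslog signature the advisory shows, as an added example that is not part of the advisory: it correlates PAM lines by the PID syslog places after the program name and flags any PID whose "session opened" follows an "authentication failure". The sample input is the advisory's five lines re-typed without the "1-" numbering, plus a constructed clean login under PID 13430 to show the negative case. Caveat: a legitimate user who mistypes a password and then gets it right within the same connection produces the same two lines, so treat hits as leads to check against the installed sshd package version, not as proof that the faulty build was exploited.

```c
/* Added example, not part of the SSES advisory: correlate PAM syslog lines by
 * PID and flag "session opened" after "authentication failure" for the same
 * sshd process, the pattern shown in the advisory's syslog excerpt. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The advisory's five lines (numbering removed) plus a constructed clean
 * login under PID 13430 that must not be flagged. */
static const char *const SAMPLE_LOG[] = {
    "May  8 13:12:50 pigpen sshd[13422]: connect from 10.10.10.10",
    "May  8 13:12:50 pigpen sshd[13422]: log: Connection from 10.10.10.10 port 1209",
    "May  8 13:12:52 pigpen PAM_pwdb[13422]: authentication failure; (uid=0) -> joe for ssh service",
    "May  8 13:12:53 pigpen PAM_pwdb[13422]: (ssh) session opened for user joe by (uid=0)",
    "May  8 13:12:53 pigpen sshd[13422]: log: Password authentication for joe accepted.",
    "May  8 13:15:02 pigpen sshd[13430]: connect from 10.10.10.11",
    "May  8 13:15:04 pigpen PAM_pwdb[13430]: (ssh) session opened for user alice by (uid=0)",
    "May  8 13:15:04 pigpen sshd[13430]: log: Password authentication for alice accepted.",
};
enum { SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0], MAX_PIDS = 256 };

/* PID from the "prog[NNNN]:" field; -1 if the line has none. */
static long syslog_pid(const char *line)
{
    const char *open = strchr(line, '[');
    char *end;
    long pid;
    if (open == NULL)
        return -1;
    pid = strtol(open + 1, &end, 10);
    return (end > open + 1 && *end == ']') ? pid : -1;
}

/* Walk the lines in order. For each PID remember whether PAM has reported an
 * authentication failure; a later "session opened" for that PID is a hit.
 * Returns the hit count and stores up to cap offending PIDs in out[]. */
static int find_suspicious_sessions(const char *const *lines, int n, long *out, int cap)
{
    struct { long pid; int auth_failed; } seen[MAX_PIDS];
    int nseen = 0, hits = 0;

    for (int i = 0; i < n; i++) {
        long pid = syslog_pid(lines[i]);
        int j;
        if (pid < 0)
            continue;
        for (j = 0; j < nseen && seen[j].pid != pid; j++)
            ;
        if (j == nseen) {                    /* first line for this PID */
            if (nseen == MAX_PIDS)
                continue;                    /* table full: skip, never overflow */
            seen[nseen].pid = pid;
            seen[nseen].auth_failed = 0;
            nseen++;
        }
        if (strstr(lines[i], "authentication failure") != NULL) {
            seen[j].auth_failed = 1;
        } else if (seen[j].auth_failed && strstr(lines[i], "session opened") != NULL) {
            if (hits < cap)
                out[hits] = pid;
            hits++;
            seen[j].auth_failed = 0;         /* report each session once */
        }
    }
    return hits;
}

/* Wrappers over the embedded sample: hit count and the first flagged PID. */
static int sample_hits(void)
{
    long pids[8];
    return find_suspicious_sessions(SAMPLE_LOG, SAMPLE_LOG_LEN, pids, 8);
}
static long sample_first_pid(void)
{
    long pids[8];
    return find_suspicious_sessions(SAMPLE_LOG, SAMPLE_LOG_LEN, pids, 8) > 0 ? pids[0] : -1;
}

int main(void)
{
    long pids[8];
    int hits = find_suspicious_sessions(SAMPLE_LOG, SAMPLE_LOG_LEN, pids, 8);
    for (int i = 0; i < hits && i < 8; i++)
        printf("suspicious: PAM auth failure then session opened, sshd pid %ld\n", pids[i]);
    return 0;
}
```

On the sample, PID 13422 (joe's session from the advisory) is flagged and PID 13430 is not. In production the same logic would be fed from the auth log rather than an embedded array, and any hit should be followed by confirming the package version on the host (rpm -q ssh).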