Bugtraq mailing list archives
Re: [cert] SSH Authentication Vulnerability
From: raoul () AKAMAI COM (Ignacio Kadel-Garcia)
Date: Thu, 11 May 2000 08:41:19 -0400
On Wed, 10 May 2000, John P. McNeely wrote:
Date: Wed, 10 May 2000 18:15:22 -0400 From: John P. McNeely <jmcneely () SSES NET> To: BUGTRAQ () SECURITYFOCUS COM Subject: [cert] SSH Authentication Vulnerability Sword & Shield Enterprise Security, Inc. - Security Advisory www.sses.net, Copyright (c) 2000 Advisory: Secure Shell Authentication Vulnerability Release Date: May 10, 2000 Application: sshd Severity: High - A user (local or remote) can log into any account with a valid login shell. Status: Affected systems should install alternative version. Archive: The advisory sses-002-auth-vul.txt is available at ftp://ftp.sses.net/pub/security/advisories
GACK! This is scary.
DESCRIPTION ----------- The vulnerable ssh distribution is patched with defective logic related to PAM authentication. The offending code from the patch file ssh-1.2.27-pam.patch is: +#ifdef HAVE_PAM + { + retval = origretval; + pampasswd = xstrdup(password); + if (retval == PAM_SUCCESS) + retval = pam_authenticate ((pam_handle_t *)pamh, 0); + if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR) + retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0); + xfree(pampasswd); + } +#else /* HAVE_PAM */ Note the last 'if' statement - in essence whether the pam_authenticate() call is successful or not, the pam_acct_mgmt() call is made overwriting the contents of retval. Assuming the pam_acct_mgmt() call is successful, and it tends to be, then the remaining patch code dealing with PAM authentication opens a session with:
In plainer English, it should read and reads in other ssh SRPM distributions: +#ifdef HAVE_PAM + { + retval = origretval; + pampasswd = xstrdup(password); + if (retval == PAM_SUCCESS) + retval = pam_authenticate ((pam_handle_t *)pamh, 0); + if (retval == PAM_SUCCESS) + retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0); + xfree(pampasswd); + } +#else /* HAVE_PAM */ This problem does not exist in the very nice Riggs distribution available at: ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i_riggs.src.rpm ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_us_riggs.src.rpm I can recommend it: it's got a very useful patch for logging the tags from the incoming SSH keys for easier logging of who the midnight root user was on a shared system, and it's got a nice interactive session performance patch for X-windows and terminal sessions (involving TCPNODELAY settings). I'm very concerned about how and when this modified ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far back did it appear in SSH distributions for RedHat? Nico Kadel-Garcia Office: (617) 250-3693 Senior Systems Engineer CellPhone: (617) 840-0199 Pager: (877) 680-3843 Email: raoul () akamai com
Current thread:
- HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability, (continued)
- HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability Ussr Labs (May 24)
- Re: RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 19)
- revised patches for kerberos vulnerability Tom Yu (May 19)
- Microsoft Security Bulletin (MS00-029) Microsoft Product Security (May 19)
- BindView Security Advisory: jolt2 - Remote DoS against NT, W2K, 9x BindView Security Advisory (May 19)
- Bugtraq Stats for the last 3 years available now. Alfred Huger (May 17)
- KNapster Vulnerability Compromises User-readable Files Tom Daniels (May 10)
- Gnapster Vulnerability Compromises User-readable Files Jim Early (May 10)
- Possible symlink problems with Netscape 4.73 foo (May 10)
- SSH Authentication Vulnerability John P. McNeely (May 10)
- Re: [cert] SSH Authentication Vulnerability Ignacio Kadel-Garcia (May 11)
- Black Watch Labs Vulnerability Alert Black Watch Labs (May 10)
- issues with free Perl CGI's (Re: Black Watch Labs...) Peter W (May 10)
- Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Frank van Vliet (May 10)
- Re: Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Todd C. Miller (May 10)
- NetStructure 7110 console backdoor Brian Oblivion (May 09)
- NetStructure 7180 remote backdoor vulnerability Brian Oblivion (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:18.gnapster FreeBSD Security Officer (May 09)
- Self-Replication Using Gnutella Seth McGann (May 09)
(Thread continues...)