Bugtraq mailing list archives

Re: [cert] SSH Authentication Vulnerability


From: raoul () AKAMAI COM (Ignacio Kadel-Garcia)
Date: Thu, 11 May 2000 08:41:19 -0400


On Wed, 10 May 2000, John P. McNeely wrote:

Date: Wed, 10 May 2000 18:15:22 -0400
From: John P. McNeely <jmcneely () SSES NET>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: [cert] SSH Authentication Vulnerability

Sword & Shield Enterprise Security, Inc. - Security Advisory
www.sses.net, Copyright (c) 2000

Advisory:       Secure Shell Authentication Vulnerability
Release Date:   May 10, 2000
Application:    sshd
Severity:       High - A user (local or remote) can log into any account
                with a valid login shell.
Status:         Affected systems should install alternative version.
Archive:        The advisory sses-002-auth-vul.txt
                is available at ftp://ftp.sses.net/pub/security/advisories

GACK! This is scary.

DESCRIPTION
-----------
The vulnerable ssh distribution is patched with defective logic
related to PAM authentication. The offending code from the patch
file ssh-1.2.27-pam.patch is:

        +#ifdef HAVE_PAM
        +  {
        +     retval = origretval;
        +     pampasswd = xstrdup(password);
        +     if (retval == PAM_SUCCESS)
        +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
        +     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
        +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
        +     xfree(pampasswd);
        +  }
        +#else /* HAVE_PAM */
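Review bot: the second condition, `if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)`, turns an authentication failure into a success: when pam_authenticate() returns PAM_AUTH_ERR the branch is still taken, pam_acct_mgmt() runs, and its return value replaces retval, so a valid password is no longer needed for retval to end up PAM_SUCCESS. Only PAM_SUCCESS from pam_authenticate() should reach pam_acct_mgmt(); drop the `|| retval == PAM_AUTH_ERR` clause, or keep the authentication result in its own variable so a later call cannot overwrite it.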

Note the last 'if' statement - in essence whether the pam_authenticate()
call is successful or not, the pam_acct_mgmt() call is made overwriting
the contents of retval. Assuming the pam_acct_mgmt() call is
successful, and it tends to be, then the remaining patch code dealing
with PAM authentication opens a session with:

In plainer English, it should read, and does read in other ssh SRPM distributions:

           +#ifdef HAVE_PAM
           +  {
           +     retval = origretval;
           +     pampasswd = xstrdup(password);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
           +     xfree(pampasswd);
           +  }
           +#else /* HAVE_PAM */
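Review bot: with the second condition reduced to `if (retval == PAM_SUCCESS)`, a PAM_AUTH_ERR from pam_authenticate() stays in retval and pam_acct_mgmt() is never reached, which is the intended gate. One remaining point: retval still carries the result of two distinct checks, so code after this block cannot tell an authentication failure from an account-management failure; if the caller logs the reason for a rejected login, keeping the two results in separate variables (or logging at each failure point) would preserve that distinction.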


This problem does not exist in the very nice Riggs distribution available
at:
        ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i_riggs.src.rpm
        ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_us_riggs.src.rpm

I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).

I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPMs. Just how far back
did it appear in SSH distributions for RedHat?

Nico Kadel-Garcia               Office:         (617) 250-3693
Senior Systems Engineer         CellPhone:      (617) 840-0199
                                Pager:          (877) 680-3843
                                Email:          raoul () akamai com

