Three problems in OpenSSH's ssh-keysign

[Charles Hannum <abuse () spamalicious com>]

[This is being posted to bugtraq in the interest of full disclosure.
Originally sent to markus () openbsd org.]


There are 3 problems we observed by inspection of OpenSSH's
ssh-keysign:

1) [Charles Hannum] Since no blinding is done on the RSA calculations,
   ssh-keysign is effectively a fairly efficient oracle for mounting a
   Kocher timing analysis attack on the host key(s).

   (Using OAEP padding -- per recent versions of PKCS1 -- would not
   only mitigate this better, but would also mitigate other RSA
   attacks.  Unfortunately, this would require a change in the
   protocol.)

2) [Bill Sommerfeld] There is a use-after-free bug; see:

        if (valid_request(pw, host, &key, data, dlen) < 0)
                fatal("not a valid request");
        xfree(data);
        xfree(host);
        ...
        if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)

   (This has already been fixed in the main OpenSSH tree.)

3) [Charles Hannum] The protection of host keys is not very good; to
   wit:

        key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
        key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
                        
        seteuid(getuid());
        setuid(getuid()); 

   Although current BSD systems are safe (because they do not permit
   PTRACE_ATTACH, et al, on processes that were ever set-id), this may
   permit direct reading of the host keys by users on other systems.


Have a nice day.