Security Audit Notes - OpenSSH 6.8 - Advanced Information Security Corp

["Nicholas Lemonias." <lem.nikolas () googlemail com>]

-=[Advanced Information Security Corp]=-

 Author: Nicholas Lemonias
 Report Date: 2/4/2015
 Email: lem.nikolas (at) gmail (dot) com

 Introduction
 ==========
 During a source-code audit of the OpenSSH v6.8 (latest) release
 implementation for linux; conducted internally by the Advanced
 Information Security
 Group, instances of insecure function use were observed, which could
 possibly lead to some attacks.

 Software Overview
 ===============
 OpenSSH, also known as OpenBSD Secure Shell,
 is a suite of security-related network-level utilities based on the
SSH protocol,
 which help to secure network communications via the encryption of
network traffic
 over multiple authentication methods and by providing secure
tunneling capabilities.
 OpenSSH was designed as a free and open source alternative to the
proprietary SSH implementation developed
 by Tatu Ylönen and offered by SSH Communications Security.

 OpenSSH is a project of the OpenBSD team.


 PoC 1 - Code Snippet [CWE-401]
 ==============================
 (...openssh6.8\openssh-6.8\packet.c:1271)

 int
 ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 {
    struct session_state *state = ssh->state;
    int len, r, ms_remain, cont;
    fd_set *setp;
    char buf[8192];
    struct timeval timeout, start, *timeoutp = NULL;

    DBG(debug("packet_read()"));

    setp = (fd_set *)calloc(howmany(state->connection_in + 1,
        NFDBITS), sizeof(fd_mask));
    if (setp == NULL)
        return SSH_ERR_ALLOC_FAIL;

    /*
     * Since we are blocking, ensure that all written packets have
     * been sent.
     */
    if ((r = ssh_packet_write_wait(ssh)) != 0)
        return r;

    /* Stay in the loop until we have received a complete packet. */
    for (;;) {
        /* Try to read a packet from the buffer. */
        r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
        if (r != 0)
            break;
        if (!compat20 && (
            *typep == SSH_SMSG_SUCCESS
            || *typep == SSH_SMSG_FAILURE
            || *typep == SSH_CMSG_EOF
            || *typep == SSH_CMSG_EXIT_CONFIRMATION))
            if ((r = sshpkt_get_end(ssh)) != 0)
                break;
        /* If we got a packet, return it. */
        if (*typep != SSH_MSG_NONE)
            break;
        /*
         * Otherwise, wait for some data to arrive, add it to the
         * buffer, and try again.
         */
        memset(setp, 0, howmany(state->connection_in + 1,
            NFDBITS) * sizeof(fd_mask));
        FD_SET(state->connection_in, setp);


 Description: Memory leak caused by variable setp.


 PoC 2 - Code Snippet  [CWE-134]
 ================================
 (...openssh6.8\openssh-6.8\hmac.c .c:155)

if (memcmp(e, digest, elen)) {
        for (i = 0; i < elen; i++)
            printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]);
        printf("mismatch\n");
    } else
        printf("ok\n");
}

 Description: size_t is vulnerable to a format string.

 Appendices
 ===========
 Sincere Thanks to the OpenSSH team for their mutual efforts.


 References
 ==========

 [1] OpenBSD Group (2015) OpenSSH 6.8 COMMIT Messages,
 Available at: http://www.mindrot.org/openssh_snap/ChangeLog,
 Accessed: 4/2/2015.