ssh-1.2.26.txt

17 Aug 1999 00:00:00, reported by Packet Storm (packetstormsecurity.com)

Rootshell investigates SSH 1.2.26 vulnerability after site breach and rumors regarding security.

`Date: 1 Nov 1998 20:43:19 -0000  
From: [email protected]  
  
01. ssh 1.2.26 vulnerability  
----------------------------  
  
As most of you are aware, the Rootshell site was compromised on October  
28th. In order to keep the integrity of our investigation we have been  
fairly closed-lipped about this incident until now. This has led to  
widespread rumors and speculation by netizens who have zero first-hand  
knowledge about the break-in.  
  
Some people now believe that we had no evidence of an ssh break-in. SSH  
Communications Security Ltd. even went as far as saying they have analyzed  
the Rootshell logs, etc. Unless they have broken into our network this is  
not possible. We at Rootshell believe they are now simply in damage control  
mode and nothing else.  
  
Since the very beginning, Rootshell has been working very closely with the  
folks at CERT, and the members of law enforcement to track down the  
individuals responsible for the Rootshell break-in. As the ssh issue has  
been a very sensitive topic we have avoided making any statements until we  
were sure about anything one way or the other. The *ONLY* thing Rootshell  
has ever said in public about SSH until now has been "The paranoid MAY want  
to disable ssh 1.2.26."  
  
In order to show the type of evidence Rootshell has received at this point,  
below you will find a draft that IBM was intending to release on Monday  
about SSH. They appear to have jumped the gun slightly and do not have  
working exploit code, but have found possible buffer overflows in the ssh  
1.2.26 code. Rootshell has also received further reports of exploit code  
going around in various circles. SSH Communications Security Ltd. has  
evaluated this bulletin and now believes it is actually not a problem.  
  
Rootshell will continue its investigation of this matter as well as other  
security issues and will make this information public as soon as possible.   
I hope that this bulletin will at the very least put an end to the wild  
speculation that this was a hoax, or that we are just in the business of  
making wild accusations.  
  
Please see http://www.ssh.fi/sshprotocols2/rootshell.html for their  
"analysis" of events. It is sad that we had to learn of this URL from  
Slashdot.org instead of SSH directly. They appear to have some serious  
communications difficulties. Both Rootshell and CERT were met with  
unanswered phones at SSH Communications Security Ltd. and Data Fellows when  
we attempted to research this matter. Perhaps after this incident they can  
work on correcting these issues.  
  
SSH is a trademark of SSH Communications Security Ltd. All rights reserved.  
  
[ end rant ]  
  
--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--  
---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---  
EMERGENCY RESPONSE SERVICE  
SECURITY VULNERABILITY ALERT  
30 October 1998 18:00 GMT Number: ERS-SVA-E01-1998:005.1  
===============================================================================  
VULNERABILITY SUMMARY  
VULNERABILITY: Buffer overflow condition in "sshd" logging facility  
PLATFORMS:     Versions of SSH up to and including SSH 1.2.26. SSH 2.0.x  
               is *not* believed to be vulnerable.  
SOLUTION:      Follow the procedures described in Section IV, below  
THREAT:        Local and remote users can obtain privileged access to the  
               system.  
===============================================================================  
DETAILED INFORMATION  
I. Description  
SSH (Secure Shell) is software that allows users to log into other computers  
over a network, execute commands on remote systems, and move files from one  
host to another. It provides strong authentication and secure (encrypted)  
communications over insecure channels.  
SSH is produced by SSH Communications Security, Ltd., Finland (www.ssh.fi).  
SSH is distributed for non-commercial use from ftp://ftp.cs.hut.fi/pub/ssh;  
commercial licensing is handled by Data Fellows, Ltd. (www.datafellows.com).  
The IBM Global Security Analysis Laboratory has identified a buffer overflow  
vulnerability in the SSH server program, "sshd."  
The "log_msg" function, called by several parts of the server program to send  
information to the system log, copies user-supplied data into a local buffer  
without checking that the data will fit. Several other similar logging, debug,  
and error functions perform this operation as well. When a large amount of  
data is supplied, a buffer overrun condition will occur.   
II. Impact  
If a user is able to exploit this vulnerability to create a buffer overrun, it  
may be possible for the user to supply machine-language program instructions  
that will then be executed with the privileges of the user running the "sshd"  
program, usually the super-user.  
This vulnerability can be exploited by local and remote users.  
The person exploiting the vulnerability does not need to have an account on  
the machine running "sshd" to succeed.  
III. Platform-Specific Threats  
This vulnerability affects recent (and perhaps older) 1.2.x versions of the  
"sshd" server. The current 1.2.x version of the server is 1.2.26.  
It is believed that the 2.0.x versions of the "sshd" server do not contain  
this vulnerability. The current 2.0.x version of the server is 2.0.9.  
IV. Solutions  
IBM-ERS has provided the information it has developed about this vulnerability  
to SSH Communications Security, Ltd, and anticipates that a new version of  
SSH 1.2.x that fixes this vulnerability will be available soon. When this new  
version becomes available, IBM-ERS urges all sites to upgrade their SSH  
servers to the new release as quickly as possible.  
In the meantime, however, IBM-ERS and the IBM GSAL have developed the three  
following specific actions that you can take to address this vulnerability.  
Option 1: Operate the "sshd" program with the "-q" option turned on. Note  
          that this will disable the logging functions normally performed.  
          This may be undesirable in some situations.  
Option 2: If possible, upgrade to version 2.0.x of SSH. This version supports  
          a newer, more capable version of the SSH protocol and offers  
          additional features.  
Option 3: Follow the procedure below to patch the SSH 1.2.26 source code to  
          address this vulnerability in a manner similar to the way the SSH  
          2.0.x source code addresses it. NOTE: This procedure should only be  
          attempted by persons familiar with installing the SSH software from  
          source code.  
   1. Obtain the source code distributions for SSH 1.2.26 and SSH 2.0.9  
      from ftp://ftp.cs.hut.fi/pub/ssh or Data Fellows, Ltd. Be sure  
      to observe all licensing requirements.  
   2. Copy the following files  
         lib/sshutil/snprintf.h  
         lib/sshutil/snprintf.c  
      from the SSH 2.0.9 directory to the SSH 1.2.26 directory (put  
      them at the top level, do not reproduce the subdirectories).  
   3. Edit "Makefile.in" in the SSH 1.2.26 directory and add the word  
      "snprintf.o" to the "COMMON_OBJS" and "SCP_OBJS" definitions.  
      Also add the word "snprintf.h" to the "HEADERS" definition.  
   4. Edit the files "log-server.c," "packet.c," and "scp.c" in the SSH  
      1.2.26 directory and do the following:  
      a. Add the line  
            #include "snprintf.h"  
         near the top of each file with the rest of the "#include"  
         lines.  
      b. Locate all occurrences of  
            vsprintf(buf, fmt, args);  
         in each file and replace them with  
            vsnprintf(buf, sizeof(buf), fmt, args);  
         There are six (6) occurrences in "log-server.c," two (2) in  
         "packet.c," and one (1) in "scp.c".  
   5. Edit "snprintf.h" and change the line  
         #include "sshincludes.h"  
      to read  
         #include "includes.h"  
      Also delete the two occurrences of the word "DLLEXPORT."  
   6. Edit "snprintf.c" and change the line  
         #include "sshincludes.h"  
      to read  
         #include "includes.h"  
      Also replace the one occurrence of "ssh_xmalloc" with "xmalloc",  
      and the two occurrences of "ssh_xfree" with "xfree".  
   7. Read the instructions in the "INSTALL" file in the SSH 1.2.26  
      directory to build and install the modifications made above.  
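The unbounded vsprintf() pattern the Description section attributes to "log_msg" and the vsnprintf() replacement from step 4b, as an added illustration that is not code from sshd 1.2.26 or from the IBM advisory. The 1024-byte buffer size, the "user %s" format and all helper names are assumptions made for the demo; the first function measures how far an unbounded vsprintf() into such a buffer would write past its end without writing anything, and the second is the bounded form, reporting truncation instead of overflowing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOG_BUF_SIZE 1024 /* assumed; the advisory gives no size for log_msg's buffer */

/* Bytes an unbounded vsprintf(buf, fmt, args) into a LOG_BUF_SIZE buffer would
   write past its end (0 when it fits). vsnprintf(NULL, 0, ...) only measures. */
static int log_msg_overrun(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int needed = vsnprintf(NULL, 0, fmt, args); /* chars, excluding the NUL */
    va_end(args);
    if (needed < 0) return -1;
    int total = needed + 1; /* vsprintf writes the terminating NUL too */
    return total > LOG_BUF_SIZE ? total - LOG_BUF_SIZE : 0;
}

/* Patched shape from the advisory: vsnprintf bounds the copy. Returns 1 if the
   message was truncated, 0 if it fit, -1 on a format error. */
static int log_msg_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int n = vsnprintf(buf, buflen, fmt, args);
    va_end(args);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= buflen;
}
static char name[4096];
static const char *fake_name(size_t n) /* constructed input: n 'A's */
{
    if (n >= sizeof name) n = sizeof name - 1;
    memset(name, 'A', n); name[n] = '\0';
    return name;
}
static int overrun_for_name_len(size_t n) { return log_msg_overrun("user %s", fake_name(n)); }
static size_t bounded_len_for_name_len(size_t n)
{
    char buf[LOG_BUF_SIZE];
    log_msg_bounded(buf, sizeof buf, "user %s", fake_name(n));
    return strlen(buf); /* at most 1023: one byte is reserved for the NUL */
}
int main(void)
{
    printf("1999-byte name: vsprintf overruns by %d bytes; vsnprintf keeps %zu\n",
           overrun_for_name_len(1999), bounded_len_for_name_len(1999));
    return 0;
}
```

The advisory's vsnprintf(buf, sizeof(buf), ...) is only correct where buf is the local array itself; on a pointer parameter sizeof yields the pointer size, which is why the length is passed explicitly here.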
IBM-ERS and IBM GSAL have carefully examined the SSH 1.2.26 source code, and  
tested these steps on a production "sshd" server. No ill effects have been  
observed. However, because it is impossible to anticipate all possible  
environments in which SSH is used, the following disclaimer applies to the  
procedures above:  
THESE PROCEDURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING,  
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A  
PARTICULAR PURPOSE. THIS ADVISORY DOES NOT CREATE OR IMPLY ANY SUPPORT  
OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS SUBSIDIARIES.  
V. Acknowledgements  
IBM-ERS would like to thank Alan and Art at the IBM Global Security Analysis  
Laboratory for their work in identifying this problem.  
SSH and Secure Shell are trademarks or registered trademarks of SSH  
Communications Security Ltd.  
===============================================================================  
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based  
Internet security response service that includes computer security incident  
response and management, regular electronic verification of your Internet  
gateway(s), and security vulnerability alerts similar to this one that are  
tailored to your specific computing environment. By acting as an extension  
of your own internal security staff, IBM-ERS's team of Internet security  
experts helps you quickly detect and respond to attacks and exposures across  
your Internet connection(s).  
As a part of IBM's Business Recovery Services organization, the IBM Internet  
Emergency Response Service is a component of IBM's SecureWay(tm) line of  
security products and services. From hardware to software to consulting,  
SecureWay solutions can give you the assurance and expertise you need to  
protect your valuable business resources. To find out more about the IBM  
Internet Emergency Response Service, send an electronic mail message to  
[email protected], or call 1-800-742-2493 (Prompt 4).  
IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.  
Visit the site for information about the service, copies of security alerts,  
team contact information, and other items.  
IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for  
security vulnerability alerts and other distributed information. The IBM-ERS  
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.  
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.  
IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams  
(FIRST), a global organization established to foster cooperation and response  
coordination among computer security teams worldwide.  
Copyright 1998 International Business Machines Corporation.  
The information in this document is provided as a service to customers of  
the IBM Emergency Response Service. Neither International Business Machines  
Corporation, nor any of its employees, makes any warranty, express or implied,  
or assumes any legal liability or responsibility for the accuracy, completeness,  
or usefulness of any information, apparatus, product, or process  
contained herein, or represents that its use would not infringe any privately  
owned rights. Reference herein to any specific commercial products, process,  
or service by trade name, trademark, manufacturer, or otherwise, does not  
necessarily constitute or imply its endorsement, recommendation or favoring  
by IBM or its subsidiaries. The views and opinions of authors expressed  
herein do not necessarily state or reflect those of IBM or its subsidiaries,  
and may not be used for advertising or product endorsement purposes.  
The material in this security alert may be reproduced and distributed,  
without permission, in whole or in part, by other security incident response  
teams (both commercial and non-commercial), provided the above copyright is  
kept intact and due credit is given to IBM-ERS.  
This security alert may be reproduced and distributed, without permission,  
in its entirety only, by any person provided such reproduction and/or  
distribution is performed for non-commercial purposes and with the intent of  
increasing the awareness of the Internet community.  
---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---  
--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--  
`

Vulners AI Score: 7.4 (High risk)