OpenSSH Security Advisory (adv.token)

2002-04-22T00:00:00
ID SECURITYVULNS:DOC:2824
Type securityvulns
Reporter Securityvulns
Modified 2002-04-22T00:00:00

Description

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default.
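The following is an added example, not code from OpenSSH or from this advisory's patch. It is a constructed model of the bug class the description refers to: a passed ticket/token whose fields are copied into fixed-size storage using lengths taken from the message, shown beside a bounds-checked decoder that reads 16-bit lengths the way the patch's buffer_get_short() does. The token layout, the field names and sizes, and the decode_creds_* and build_token helpers are illustrative assumptions, not OpenSSH's radix.c format.

```c
/* Added example, not code from OpenSSH or this advisory's patch: a constructed
 * model of the bug class described above (a passed ticket/token decoded into
 * fixed-size fields using lengths taken from the wire) next to a bounds-checked
 * decoder built on a 16-bit length reader in the spirit of the patch's
 * buffer_get_short(). Field names and sizes are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64                  /* assumed fixed field size (realm, name) */

struct creds { char realm[FIELD_MAX]; char name[FIELD_MAX]; };

/* Big-endian 16-bit read/write, as GET_16BIT/PUT_16BIT do in the patch. */
static uint16_t get_u16(const unsigned char *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void put_u16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Vulnerable pattern: lengths are trusted as received. A length above
 * FIELD_MAX - 1 overruns the fixed field; a length above what remains
 * over-reads the token. Returns bytes consumed. Never call on untrusted input. */
size_t decode_creds_unchecked(const unsigned char *tok, struct creds *c) {
    const unsigned char *p = tok;
    uint16_t n;
    n = get_u16(p); p += 2;
    memcpy(c->realm, p, n); c->realm[n] = '\0'; p += n;   /* no bound check */
    n = get_u16(p); p += 2;
    memcpy(c->name, p, n);  c->name[n]  = '\0'; p += n;   /* no bound check */
    return (size_t)(p - tok);
}

/* Hardened pattern: a cursor that knows the token's real length. */
struct reader { const unsigned char *buf; size_t len; size_t off; };

/* Copy n bytes out of the token, or fail if fewer than n remain. */
static int reader_get(struct reader *r, void *out, size_t n) {
    if (n > r->len - r->off) return -1;        /* would over-read the token */
    memcpy(out, r->buf + r->off, n);
    r->off += n;
    return 0;
}

static int reader_get_u16(struct reader *r, uint16_t *v) {
    unsigned char b[2];
    if (reader_get(r, b, sizeof b) < 0) return -1;
    *v = get_u16(b);
    return 0;
}

/* Length-prefixed string into a fixed field: the declared length must leave
 * room for the terminating NUL, otherwise the token is rejected. */
static int reader_get_field(struct reader *r, char *dst, size_t dstlen) {
    uint16_t n;
    if (reader_get_u16(r, &n) < 0 || n >= dstlen) return -1;   /* would overflow dst */
    if (reader_get(r, dst, n) < 0) return -1;
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 for any truncated, oversized or padded token. */
int decode_creds_checked(const unsigned char *tok, size_t toklen, struct creds *c) {
    struct reader r = { tok, toklen, 0 };
    if (reader_get_field(&r, c->realm, sizeof c->realm) < 0 ||
        reader_get_field(&r, c->name, sizeof c->name) < 0)
        return -1;
    return r.off == toklen ? 0 : -1;           /* trailing bytes rejected too */
}

/* Constructed test input. claimed_realm_len is written as the realm's length
 * field so a lying token can be produced. Returns bytes written, 0 if out is small. */
size_t build_token(unsigned char *out, size_t outlen, const char *realm,
                   uint16_t claimed_realm_len, const char *name) {
    size_t rl = strlen(realm), nl = strlen(name);
    if (outlen < 4 + rl + nl) return 0;
    put_u16(out, claimed_realm_len);
    memcpy(out + 2, realm, rl);
    put_u16(out + 2 + rl, (uint16_t)nl);
    memcpy(out + 4 + rl, name, nl);
    return 4 + rl + nl;
}

int main(void) {
    unsigned char tok[256]; char longrealm[100]; struct creds c; size_t n; int rc;

    n = build_token(tok, sizeof tok, "EXAMPLE.ORG", 11, "alice");
    printf("benign: unchecked consumed %zu of %zu bytes\n", decode_creds_unchecked(tok, &c), n);
    rc = decode_creds_checked(tok, n, &c);
    printf("benign: checked rc=%d realm=%s name=%s\n", rc, c.realm, c.name);

    /* 99-byte realm: unchecked would memcpy 99 bytes into a 64-byte field. */
    memset(longrealm, 'A', sizeof longrealm - 1); longrealm[sizeof longrealm - 1] = '\0';
    n = build_token(tok, sizeof tok, longrealm, 99, "alice");
    printf("oversized: checked rc=%d\n", decode_creds_checked(tok, n, &c));

    /* Claims 40 realm bytes but only 18 follow the length: over-read case. */
    n = build_token(tok, sizeof tok, "EXAMPLE.ORG", 40, "alice");
    printf("truncated: checked rc=%d\n", decode_creds_checked(tok, n, &c));
    return 0;
}
```

The checked decoder compares every length from the wire against both the bytes remaining in the token and the size of the destination before any memcpy, and rejects trailing bytes so a token cannot smuggle data past the fields it declares. Privilege separation does not alter this logic; it only changes which process the unchecked variant would corrupt.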

  1. Systems affected:

    All versions of OpenSSH compiled with AFS/Kerberos support
    and with ticket/token passing enabled contain the buffer
    overflow.
    
    Ticket/token passing is disabled by default and is
    available only in protocol version 1.
    
  2. Impact:

    Remote (unauthenticated) users may gain privileged access
    for OpenSSH < 2.9.9.
    
    Local users, i.e. users who can already authenticate to
    sshd, may gain privileged access for OpenSSH < 3.3.
    
    No privileged access is possible for OpenSSH with
    UsePrivilegeSeparation (privsep) enabled. Privilege
    separation confines a compromise to the unprivileged sshd
    process; it limits the impact but does not remove the
    overflow, so the patch is still required.
    
  3. Solution:

    Apply the following patch and replace radix.c with
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
    
    The patch below only adds 16-bit Buffer accessors to
    bufaux.c and bufaux.h; the decoder fix itself is in the
    replacement radix.c, so both parts are needed. Until the
    fix is applied, the exposure is removed by leaving
    KerberosTgtPassing and AFSTokenPassing at their default
    of "no" in sshd_config.
    
  4. Credits:

    kurt@seifried.org for notifying the OpenSSH team.
    http://mantra.freeweb.hu/
    

Appendix:

Index: bufaux.c

RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v retrieving revision 1.24 diff -u -r1.24 bufaux.c --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 +++ bufaux.c 19 Apr 2002 12:55:29 -0000 @@ -137,10 +137,18 @@ BN_bin2bn(bin, len, value); xfree(bin); } - / - * Returns an integer from the buffer (4 bytes, msb first). + * Returns integers from the buffer (msb first). / + +u_short +buffer_get_short(Buffer buffer) +{ + u_char buf[2]; + buffer_get(buffer, (char ) buf, 2); + return GET_16BIT(buf); +} + u_int buffer_get_int(Buffer *buffer) { @@ -158,8 +166,16 @@ }

/ - * Stores an integer in the buffer in 4 bytes, msb first. + * Stores integers in the buffer, msb first. / +void +buffer_put_short(Buffer buffer, u_short value) +{ + char buf[2]; + PUT_16BIT(buf, value); + buffer_append(buffer, buf, 2); +} + void buffer_put_int(Buffer buffer, u_int value) { Index: bufaux.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v retrieving revision 1.17 diff -u -r1.17 bufaux.h --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 +++ bufaux.h 19 Apr 2002 12:55:56 -0000 @@ -23,6 +23,9 @@ void buffer_get_bignum(Buffer , BIGNUM ); void buffer_get_bignum2(Buffer , BIGNUM );

+u_short buffer_get_short(Buffer ); +void buffer_put_short(Buffer , u_short); + u_int buffer_get_int(Buffer ); void buffer_put_int(Buffer , u_int);
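Review bot: in the bufaux.c hunk adding buffer_get_short(), the function calls buffer_get(buffer, buf, 2) with no length check of its own, so its behaviour on a buffer with fewer than 2 bytes left rests entirely on buffer_get() refusing the read; the rewritten header comment ("Returns integers from the buffer (msb first)") should state that explicitly, since callers decoding untrusted tokens will treat the returned value as a validated length. One line such as "fails via buffer_get() if fewer than 2 bytes remain" above u_short buffer_get_short(Buffer *buffer) would document the property the radix.c rewrite depends on.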
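Review bot: the buffer_put_short() hunk declares `char buf[2];` while its counterpart buffer_get_short() in the previous hunk uses `u_char buf[2];`; use u_char in both so PUT_16BIT and GET_16BIT operate on the same unsigned type and the two new accessors read as a matched pair.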
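Review bot: the bufaux.h hunk adds the two prototypes, but nothing in this patch calls them; the caller is radix.c, which the Solution section says must be fetched separately as rev 1.18. Bundling the radix.c change into the same patch (or at least naming the required radix.c revision in the patch header) would prevent a half-applied fix in which the helpers exist but the unchecked decoder remains in place.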