Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31881
HistoryApr 07, 2015 - 12:00 a.m.

Security Audit Notes - OpenSSH 6.8 - Advanced Information Security Corp

2015-04-0700:00:00
vulners.com
11
JSON

-=[Advanced Information Security Corp]=-

Author: Nicholas Lemonias
Report Date: 2/4/2015
Email: lem.nikolas (at) gmail (dot) com

Introduction

During a source-code audit of the OpenSSH v6.8 (latest) release
implementation for linux; conducted internally by the Advanced
Information Security
Group, instances of insecure function use were observed, which could
possibly lead to some attacks.

Software Overview

OpenSSH, also known as OpenBSD Secure Shell,
is a suite of security-related network-level utilities based on the
SSH protocol,
which help to secure network communications via the encryption of
network traffic
over multiple authentication methods and by providing secure
tunneling capabilities.
OpenSSH was designed as a free and open source alternative to the
proprietary SSH implementation developed
by Tatu Ylonen and offered by SSH Communications Security.

OpenSSH is a project of the OpenBSD team.

PoC 1 - Code Snippet [CWE-401]

(…openssh6.8\openssh-6.8\packet.c:1271)

int
ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
{
struct session_state *state = ssh->state;
int len, r, ms_remain, cont;
fd_set *setp;
char buf[8192];
struct timeval timeout, start, *timeoutp = NULL;

DBG(debug("packet_read()"));

setp = (fd_set *)calloc(howmany(state->connection_in + 1,
    NFDBITS), sizeof(fd_mask));
if (setp == NULL)
    return SSH_ERR_ALLOC_FAIL;

/*
 * Since we are blocking, ensure that all written packets have
 * been sent.
 */
if ((r = ssh_packet_write_wait(ssh)) != 0)
    return r;

/* Stay in the loop until we have received a complete packet. */
for (;;) {
    /* Try to read a packet from the buffer. */
    r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
    if (r != 0)
        break;
    if (!compat20 && (
        *typep == SSH_SMSG_SUCCESS
        || *typep == SSH_SMSG_FAILURE
        || *typep == SSH_CMSG_EOF
        || *typep == SSH_CMSG_EXIT_CONFIRMATION))
        if ((r = sshpkt_get_end(ssh)) != 0)
            break;
    /* If we got a packet, return it. */
    if (*typep != SSH_MSG_NONE)
        break;
    /*
     * Otherwise, wait for some data to arrive, add it to the
     * buffer, and try again.
     */
    memset(setp, 0, howmany(state->connection_in + 1,
        NFDBITS) * sizeof(fd_mask));
    FD_SET(state->connection_in, setp);

Description: Memory leak caused by variable setp.

PoC 2 - Code Snippet [CWE-134]

(…openssh6.8\openssh-6.8\hmac.c .c:155)

if (memcmp(e, digest, elen)) {
for (i = 0; i < elen; i++)
printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]);
printf("mismatch\n");
} else
printf("ok\n");
}

Description: size_t is vulnerable to a format string.

Appendices

Sincere Thanks to the OpenSSH team for their mutual efforts.

References

[1] OpenBSD Group (2015) OpenSSH 6.8 COMMIT Messages,
Available at: http://www.mindrot.org/openssh_snap/ChangeLog,
Accessed: 4/2/2015.

JSON