Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002062801
Title:           OpenSSH kbd-interactive buffer overflow
Changed:         07/03/2002
Author:          research@globalintersec.com
Reference:       http://www.globalintersec.com/adv/openssh-2002062801.txt

Summary:

OpenSSH, a popular server utility that provides encrypted connections between hosts and is commonly used for administration and file transfer, contains an integer overflow. The overflow leads to a heap overflow that could be exploited to execute arbitrary commands.

Impact:

A remote, unauthenticated user may be able to execute arbitrary commands as the user the OpenSSH daemon is running as, prior to authentication.

Versions Tested To Be Vulnerable:

OpenSSH versions prior to 3.4

Description:

Many currently believe that exploiting the recently disclosed vulnerabilities in OpenSSH's challenge-response routines depends on a system's use of BSD's authentication mechanism, and that this restricts the platforms on which the vulnerability can be exploited. This belief is almost certainly due to advisories posted to various fora by unnamed security companies. Although it is widely known that all systems running versions of OpenSSH prior to 3.4 are affected by this vulnerability, many vendors have declared their platforms not exploitable. In spite of this, our research has shown that several platforms originally thought to be safe are in fact exploitable.

As reported by GOBBLES [1], systems running vulnerable binaries built with --with-bsd-auth at compile time are exposed to attack via an integer overflow in the input_userauth_info_response() function. Conversely, under Linux and other platforms running a vulnerable version of OpenSSH compiled with --with-pam, the integer overflow lies in the function input_userauth_info_response_pam().
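The sizing arithmetic behind the two functions named above, as an added example (this is not OpenSSH's code and is not from the original advisory). It models the vulnerable pattern the advisory describes: a client-supplied 32-bit response count is read from the packet the way packet_get_int() reads it, multiplied by sizeof(char *) to size a heap array of response pointers, and used as the loop bound for copying responses. On a 32-bit build the product wraps, so the allocation is tiny while the loop still runs 0x40000001 times. The assumption that the array holds 4-byte pointers, the num_expected parameter of the hardened variant (the number of prompts the server actually sent), and the packet bytes are all constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed body of an SSH2_MSG_USERAUTH_INFO_RESPONSE packet:
 *   uint32 nresp
 *   string response[0..nresp-1]   (uint32 length + bytes, each)
 * Assumption: the server builds a heap array of nresp pointers
 * before filling it; PTR32 is sizeof(char *) on a 32-bit build. */
#define PTR32 4u

struct reader { const uint8_t *p; size_t left; };

/* Big-endian uint32, like packet_get_int(); clears *ok on short input. */
static uint32_t get_u32(struct reader *r, int *ok) {
    if (r->left < 4) { *ok = 0; return 0; }
    uint32_t v = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
                 ((uint32_t)r->p[2] << 8)  |  (uint32_t)r->p[3];
    r->p += 4; r->left -= 4;
    return v;
}

struct outcome {
    uint32_t nresp;       /* client-supplied count */
    uint32_t alloc_bytes; /* nresp * sizeof(char *) in 32-bit arithmetic */
    uint32_t slots;       /* pointers that actually fit in that allocation */
    int overflow;         /* 1 if the copy loop would run past the allocation */
};

/* Vulnerable sizing: multiply in 32-bit arithmetic and trust the result.
 * The multiplication is done in unsigned 32-bit and wraps modulo 2^32. */
struct outcome size_responses_vuln(const uint8_t *pkt, size_t len) {
    struct reader r = { pkt, len };
    int ok = 1;
    struct outcome o = {0};
    o.nresp = get_u32(&r, &ok);
    if (!ok) return o;
    o.alloc_bytes = (uint32_t)(o.nresp * PTR32);  /* 0x40000001 * 4 -> 4 */
    o.slots = o.alloc_bytes / PTR32;
    o.overflow = o.nresp > o.slots;               /* iterations exceed slots */
    return o;
}

/* Hardened sizing: the count must equal the number of prompts the server
 * sent, and the product must fit before any allocation is made.
 * Returns 0 and the byte count on success, -1 when the packet is rejected. */
int size_responses_safe(const uint8_t *pkt, size_t len,
                        uint32_t num_expected, uint32_t *alloc_bytes) {
    struct reader r = { pkt, len };
    int ok = 1;
    uint32_t nresp = get_u32(&r, &ok);
    if (!ok) return -1;
    if (nresp != num_expected) return -1;       /* more answers than prompts */
    if (nresp > UINT32_MAX / PTR32) return -1;  /* multiplication would wrap */
    *alloc_bytes = nresp * PTR32;
    return 0;
}

/* Constructed packets: a hostile count, and the honest single answer
 * a client would send to one prompt. */
static const uint8_t evil_pkt[] = {
    0x40, 0x00, 0x00, 0x01,            /* nresp = 0x40000001 */
    0x00, 0x00, 0x00, 0x01, 'x'        /* one short string */
};
static const uint8_t good_pkt[] = {
    0x00, 0x00, 0x00, 0x01,            /* nresp = 1 */
    0x00, 0x00, 0x00, 0x08, 'p','a','s','s','w','o','r','d'
};

int main(void) {
    struct outcome o = size_responses_vuln(evil_pkt, sizeof evil_pkt);
    printf("nresp=0x%08x alloc=%u bytes (%u slots) overflow=%d\n",
           (unsigned)o.nresp, (unsigned)o.alloc_bytes,
           (unsigned)o.slots, o.overflow);
    uint32_t bytes = 0;
    printf("hardened: %s\n",
           size_responses_safe(evil_pkt, sizeof evil_pkt, 1, &bytes) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The two guards in size_responses_safe() are independent: the equality check against the prompt count is what stops this attack, and the UINT32_MAX / PTR32 check is the general defence against any client-chosen count being multiplied into an allocation size.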
In both cases, the final heap-based buffer overflow results from the integer overflow of the unsigned int nresp, which is taken directly from the return value of packet_get_int() and is therefore a client-controlled integer.

Scope for attack:

- Because of the nature of the vulnerability, exploitation is possible before a user has authenticated with the remote host. This would potentially allow an attacker to remotely execute arbitrary commands as the UID of the daemon process, PRIOR TO AUTHENTICATION.

- To exploit the vulnerability described in the "Proof of concept" section of this advisory, the sshd binary must have been compiled with PAM support.

Work Around:

Global InterSec recommends that the following settings be disabled in sshd's configuration, normally located at /etc/ssh/sshd_config:

    PAMAuthenticationViaKBDInt no
    KbdInteractiveAuthentication no

The running sshd must be restarted (or sent SIGHUP) for the change to take effect; existing connections are unaffected. However, we strongly recommend that all vulnerable binaries be upgraded as soon as possible (see Vendor Solutions).

Credit:

All information contained within this advisory was independently researched by Global InterSec's vulnerability team. The original PUBLIC disclosure of this vulnerability was made by Internet Security Systems [3].

Vendor Solutions:

Since the original disclosure by ISS [3], vendors have released their own advisories with distribution-specific fixes. A list of some of these follows.
Mandrake Secure Linux:
  http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-040-1.php
SuSE Linux:
  http://www.suse.de/de/support/security/2002_024_openssh_txt.html
EnGarde Secure Linux:
  http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Conectiva Linux:
  http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Caldera Linux:
  ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
NetBSD:
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005.txt.asc
Redhat Linux:
  http://rhn.redhat.com/errata/RHSA-2002-127.html
Debian Linux:
  http://www.debian.org/security/2002/dsa-134

Exploitation / Proof of concept:

The content of this section of the advisory is currently being rewritten, as some portions were misleading. We apologise for any inconvenience this may have caused.

References:

[1] GOBBLES Security - http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz
[2] Phrack Magazine - Once Upon a free() - http://www.phrack.com/show.php?p=57&a=9
[3] ISS - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

Legal:

This advisory is the intellectual property of Global InterSec LLC but may be freely distributed on the conditions that:

  a) No fee is charged
  b) Appropriate credit is given.

(c) Global InterSec LLC 2002