lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 2 Apr 2015 15:03:44 +0100
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com
Cc: cve-assign@...re.org
Subject: Security Audit Notes - OpenSSH 6.8 - Advanced Information Security Corp

-=[Advanced Information Security Corp]=-

 Author: Nicholas Lemonias
 Report Date: 2/4/2015
 Email: lem.nikolas (at) gmail (dot) com

 Introduction
 ==========
 During a source-code audit of the OpenSSH v6.8 (latest) release
 implementation for linux; conducted internally by the Advanced
 Information Security
 Group, instances of insecure function use were observed, which could
 possibly lead to some attacks.

 Software Overview
 ===============
 OpenSSH, also known as OpenBSD Secure Shell,
 is a suite of security-related network-level utilities based on the
SSH protocol,
 which help to secure network communications via the encryption of
network traffic
 over multiple authentication methods and by providing secure
tunneling capabilities.
 OpenSSH was designed as a free and open source alternative to the
proprietary SSH implementation developed
 by Tatu Ylönen and offered by SSH Communications Security.

 OpenSSH is a project of the OpenBSD team.


 PoC 1 - Code Snippet [CWE-401]
 ==============================
 (...openssh6.8\openssh-6.8\packet.c:1271)

 int
 ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 {
    struct session_state *state = ssh->state;
    int len, r, ms_remain, cont;
    fd_set *setp;
    char buf[8192];
    struct timeval timeout, start, *timeoutp = NULL;

    DBG(debug("packet_read()"));

    setp = (fd_set *)calloc(howmany(state->connection_in + 1,
        NFDBITS), sizeof(fd_mask));
    if (setp == NULL)
        return SSH_ERR_ALLOC_FAIL;

    /*
     * Since we are blocking, ensure that all written packets have
     * been sent.
     */
    if ((r = ssh_packet_write_wait(ssh)) != 0)
        return r;

    /* Stay in the loop until we have received a complete packet. */
    for (;;) {
        /* Try to read a packet from the buffer. */
        r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
        if (r != 0)
            break;
        if (!compat20 && (
            *typep == SSH_SMSG_SUCCESS
            || *typep == SSH_SMSG_FAILURE
            || *typep == SSH_CMSG_EOF
            || *typep == SSH_CMSG_EXIT_CONFIRMATION))
            if ((r = sshpkt_get_end(ssh)) != 0)
                break;
        /* If we got a packet, return it. */
        if (*typep != SSH_MSG_NONE)
            break;
        /*
         * Otherwise, wait for some data to arrive, add it to the
         * buffer, and try again.
         */
        memset(setp, 0, howmany(state->connection_in + 1,
            NFDBITS) * sizeof(fd_mask));
        FD_SET(state->connection_in, setp);


 Description: Memory leak caused by variable setp.


 PoC 2 - Code Snippet  [CWE-134]
 ================================
 (...openssh6.8\openssh-6.8\hmac.c .c:155)

if (memcmp(e, digest, elen)) {
        for (i = 0; i < elen; i++)
            printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]);
        printf("mismatch\n");
    } else
        printf("ok\n");
}

 Description: size_t is vulnerable to a format string.

 Appendices
 ===========
 Sincere Thanks to the OpenSSH team for their mutual efforts.


 References
 ==========

 [1] OpenBSD Group (2015) OpenSSH 6.8 COMMIT Messages,
 Available at: http://www.mindrot.org/openssh_snap/ChangeLog,
 Accessed: 4/2/2015.

Powered by blists - more mailing lists