[14895] in bugtraq
Re: [cert] SSH Authentication Vulnerability
daemon@ATHENA.MIT.EDU (Ignacio Kadel-Garcia)
Mon May 15 04:12:27 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.04.10005110831180.13595-100000@crabcake.kendall.akamai.com>
Date: Thu, 11 May 2000 08:41:19 -0400
Reply-To: Ignacio Kadel-Garcia <raoul@AKAMAI.COM>
From: Ignacio Kadel-Garcia <raoul@AKAMAI.COM>
X-To: "John P. McNeely" <jmcneely@SSES.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.1.20000510180858.03849420@mail.sses.net>
On Wed, 10 May 2000, John P. McNeely wrote:
> Date: Wed, 10 May 2000 18:15:22 -0400
> From: John P. McNeely <jmcneely@SSES.NET>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: [cert] SSH Authentication Vulnerability
>
> Sword & Shield Enterprise Security, Inc. - Security Advisory
> www.sses.net, Copyright (c) 2000
>
> Advisory: Secure Shell Authentication Vulnerability
> Release Date: May 10, 2000
> Application: sshd
> Severity: High - A user (local or remote) can log into any account
> with a valid login shell.
> Status: Affected systems should install alternative version.
> Archive: The advisory sses-002-auth-vul.txt
> is available at ftp://ftp.sses.net/pub/security/advisories
GACK! This is scary.
> DESCRIPTION
> -----------
> The vulnerable ssh distribution is patched with defective logic
> related to PAM authentication. The offending code from the patch
> file ssh-1.2.27-pam.patch is:
>
> +#ifdef HAVE_PAM
> + {
> + retval = origretval;
> + pampasswd = xstrdup(password);
> + if (retval == PAM_SUCCESS)
> + retval = pam_authenticate ((pam_handle_t *)pamh, 0);
> + if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
> + retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
> + xfree(pampasswd);
> + }
> +#else /* HAVE_PAM */
>
> Note the last 'if' statement - in essence whether the pam_authenticate()
> call is successful or not, the pam_acct_mgmt() call is made overwriting
> the contents of retval. Assuming the pam_acct_mgmt() call is
> successful, and it tends to be, then the remaining patch code dealing
> with PAM authentication opens a session with:
In plainer English, it should read and reads in other ssh SRPM distributions:
+#ifdef HAVE_PAM
+ {
+ retval = origretval;
+ pampasswd = xstrdup(password);
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+ xfree(pampasswd);
+ }
+#else /* HAVE_PAM */
This problem does not exist in the very nice Riggs distribution available
at:
ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i_riggs.src.rpm
ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_us_riggs.src.rpm
I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).
I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far back
did it appear in SSH distributions for RedHat?
Nico Kadel-Garcia Office: (617) 250-3693
Senior Systems Engineer CellPhone: (617) 840-0199
Pager: (877) 680-3843
Email: raoul@akamai.com
