Revised OpenSSH Security Advisory (adv.token)

2002-04-26 Thread Markus Friedl

This is the 2nd revision of the Advisory.

Buffer overflow in OpenSSH's sshd if AFS has been configured on the
system or if KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file.  Ticket and token passing is not enabled
by default.

1. Systems affected:

All versions of OpenSSH with AFS/Kerberos token passing
compiled in and enabled (either in the system or in
sshd_config) contain a buffer overflow.

Token passing is disabled by default and only available in
protocol version 1.

2. Impact:

Remote users can get privileged access for OpenSSH < 2.9.9

Local users can get privileged access for OpenSSH < 3.2.1

No privileged access is possible for OpenSSH with
UsePrivilegeSeparation enabled.

3. Solution:

Apply the matching patch:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch

4. Credits:

Marcell Fodor <[EMAIL PROTECTED]>

EOF
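The exposure the advisory describes is a combination of settings: protocol 1 offered, KerberosTgtPassing or AFSTokenPassing turned on, and UsePrivilegeSeparation as the factor that rules out privileged access. The script below audits an sshd_config for exactly that combination. It is an added example written for this page, not part of the advisory or of OpenSSH; it assumes the sshd_config parsing rules (first occurrence of a keyword wins, `#` starts a comment, keywords are case-insensitive) and the OpenSSH 3.x defaults named in its comments (Protocol "2,1", the two passing options off, privilege separation off), and the sample configurations it writes are constructed.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the adv.token exposure.
# Not part of the OpenSSH advisory or the OpenSSH code base.
# Assumptions: sshd_config semantics (first occurrence of a keyword wins,
# '#' starts a comment, keywords are case-insensitive) and the OpenSSH 3.x
# defaults Protocol "2,1", KerberosTgtPassing no, AFSTokenPassing no,
# UsePrivilegeSeparation no. The sample configs below are constructed.

# sshd_opt FILE KEYWORD DEFAULT: print the effective value, lowercased.
sshd_opt() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(sed -e 's/#.*//' "$1" | awk -v k="$_key" '
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }')
    printf '%s\n' "${_val:-$3}" | tr 'A-Z' 'a-z'
}

# Exit 0 when the vulnerable code path is reachable: protocol 1 offered
# and at least one of the two passing options turned on.
token_path_reachable() {
    _proto=$(sshd_opt "$1" Protocol '2,1')
    case ",$_proto," in
        *,1,*) ;;          # protocol 1 is in the list
        *) return 1 ;;     # protocol 2 only: token passing cannot be used
    esac
    [ "$(sshd_opt "$1" KerberosTgtPassing no)" = yes ] ||
        [ "$(sshd_opt "$1" AFSTokenPassing no)" = yes ]
}

# Exit 0 when UsePrivilegeSeparation is on; the advisory says no
# privileged access is possible in that configuration.
privsep_enabled() {
    [ "$(sshd_opt "$1" UsePrivilegeSeparation no)" = yes ]
}

# assess FILE: print one of exposed / mitigated / not-affected.
assess() {
    if token_path_reachable "$1"; then
        if privsep_enabled "$1"; then echo mitigated; else echo exposed; fi
    else
        echo not-affected
    fi
}

# Constructed sample configurations.
tmpdir=$(mktemp -d)
weak=$tmpdir/weak.conf          # weak setting: token passing on, no privsep
privsep=$tmpdir/privsep.conf    # same, but privilege separation enabled
proto2=$tmpdir/proto2.conf      # corrected: protocol 2 only
defaults=$tmpdir/defaults.conf  # nothing enabled; comment and duplicate
cat > "$weak" <<'CONF'
Protocol 2,1
AFSTokenPassing yes
CONF
cat > "$privsep" <<'CONF'
Protocol 1
KerberosTgtPassing Yes
UsePrivilegeSeparation yes
CONF
cat > "$proto2" <<'CONF'
Protocol 2
AFSTokenPassing yes
CONF
cat > "$defaults" <<'CONF'
#AFSTokenPassing yes
Port 22
KerberosTgtPassing no
KerberosTgtPassing yes
CONF

for f in "$weak" "$privsep" "$proto2" "$defaults"; do
    printf '%s: %s\n' "$(basename "$f")" "$(assess "$f")"
done
```

The script classifies configuration only. Whether AFS/Kerberos support was compiled in is a build-time property it cannot see, and the version thresholds in section 2 still have to be compared against the version reported by `ssh -V`; a "mitigated" verdict means the advisory's privilege-separation statement applies, not that the overflow is absent.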



OpenSSH Security Advisory (adv.token)

2002-04-22 Thread Niels Provos

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file.  Ticket and token passing
is not enabled by default.

1. Systems affected:

All versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.

Ticket/Token passing is disabled by default and available
only in protocol version 1.

2. Impact:

Remote users may gain privileged access for OpenSSH < 2.9.9

Local users may gain privileged access for OpenSSH < 3.3

No privileged access is possible for OpenSSH with
UsePrivsep enabled.

3. Solution:

Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

[EMAIL PROTECTED] for notifying the OpenSSH team.
http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c
===
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c26 Mar 2002 15:23:40 -  1.24
+++ bufaux.c19 Apr 2002 12:55:29 -
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
 }
-
 /*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
  */
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+   u_char buf[2];
+   buffer_get(buffer, (char *) buf, 2);
+   return GET_16BIT(buf);
+}
+
 u_int
 buffer_get_int(Buffer *buffer)
 {
@@ -158,8 +166,16 @@
 }

 /*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
  */
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+   char buf[2];
+   PUT_16BIT(buf, value);
+   buffer_append(buffer, buf, 2);
+}
+
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
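Review bot: buffer_put_short declares `char buf[2]` while its counterpart buffer_get_short in the previous hunk declares `u_char buf[2]` and casts to `(char *)` for buffer_get; the two new helpers should agree on the byte type. `u_char` is the safer choice for the PUT_16BIT/GET_16BIT byte stores, since storing values above 0x7f into a plain `char` relies on implementation-defined conversion. Suggest `u_char buf[2];` here with a `(char *)` cast into buffer_append, or whichever form buffer_put_int already uses below.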
Index: bufaux.h
===
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h18 Mar 2002 17:25:29 -  1.17
+++ bufaux.h19 Apr 2002 12:55:56 -
@@ -23,6 +23,9 @@
 void   buffer_get_bignum(Buffer *, BIGNUM *);
 void   buffer_get_bignum2(Buffer *, BIGNUM *);

+u_shortbuffer_get_short(Buffer *);
+void   buffer_put_short(Buffer *, u_short);
+
 u_int  buffer_get_int(Buffer *);
 voidbuffer_put_int(Buffer *, u_int);
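Review bot: the header adds prototypes for buffer_get_short and buffer_put_short, but nothing in the appended patch calls them, so the bufaux.c/bufaux.h changes are inert until radix.c is replaced with rev 1.18 as section 3 instructs; applying only this diff leaves the overflow in place. Suggest either including the radix.c diff in the appendix or stating in section 3 that this patch is a prerequisite and not a fix on its own. The placement of the new u_short pair before the u_int pair is consistent with the existing get/put grouping by width.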