[jira] [Commented] (SSHD-868) Add some protection against maliciously crafted packets

2018-11-18 Thread Goldstein Lyor (JIRA) 


[ 
https://issues.apache.org/jira/browse/SSHD-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690968#comment-16690968
 ] 

Goldstein Lyor commented on SSHD-868:
-

There are a few more such pitfalls that 1st allocate and then try to loop or 
just loop - see [commit 
db6e5b5344dcf687ad01a6d7bc94cfa531809d37|https://github.com/apache/mina-sshd/commit/db6e5b5344dcf687ad01a6d7bc94cfa531809d37],
 and also [commit 
775f34955151d6ec241a1ad3a634c53a87386a64|https://github.com/apache/mina-sshd/commit/775f34955151d6ec241a1ad3a634c53a87386a64]

> Add some protection against maliciously crafted packets
> ---
>
> Key: SSHD-868
> URL: https://issues.apache.org/jira/browse/SSHD-868
> Project: MINA SSHD
>  Issue Type: Improvement
>Affects Versions: 2.1.1
>Reporter: Goldstein Lyor
>Assignee: Goldstein Lyor
>Priority: Major
>  Labels: memory, overflow, security
> Fix For: 2.1.1
>
>
> According to [RFC4256 - section 3.2|https://tools.ietf.org/html/rfc4256]
> {quote}
> The server SHOULD take into consideration that some clients may not
> be able to properly display a long name or prompt field (see next
> section), and limit the lengths of those fields if possible.
> {quote}
> The current code in {{UserAuthKeyboardInteractive#processAuthDataRequest}} 
> does not make sure that the number of challenges or the length of each 
> challenge is reasonable (not to mention the other packet components). 
> Therefore, a maliciously crafted packet can cause out-of-memory errors by 
> requesting an extremely large number of responses or sending very large 
> challenges.
> It is important to notice that this problem is not limited to the 
> {{keyboard-interactive}} protocol but to the entire packet encode/decode 
> mechanism since it is a RLE (read-length encoding). Wherever possible we 
> should add some reasonable but large enough limitations on the expected size 
> of strings/arrays/etc.. being decoded from incoming SSH packets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (SSHD-868) Add some protection against maliciously crafted packets

2018-11-18 Thread Thomas Wolf (JIRA) 


[ 
https://issues.apache.org/jira/browse/SSHD-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690897#comment-16690897
 ] 

Thomas Wolf commented on SSHD-868:
--

{quote}Perhaps counting the zero-prompt info requests separately and 
aborting...{quote}
 
Ah, I see you did something like this already in [commit 
a6dffd5|https://github.com/apache/mina-sshd/commit/a6dffd5]. 

> Add some protection against maliciously crafted packets
> ---
>
> Key: SSHD-868
> URL: https://issues.apache.org/jira/browse/SSHD-868
> Project: MINA SSHD
>  Issue Type: Improvement
>Affects Versions: 2.1.1
>Reporter: Goldstein Lyor
>Assignee: Goldstein Lyor
>Priority: Major
>  Labels: memory, overflow, security
> Fix For: 2.1.1
>
>
> According to [RFC4256 - section 3.2|https://tools.ietf.org/html/rfc4256]
> {quote}
> The server SHOULD take into consideration that some clients may not
> be able to properly display a long name or prompt field (see next
> section), and limit the lengths of those fields if possible.
> {quote}
> The current code in {{UserAuthKeyboardInteractive#processAuthDataRequest}} 
> does not make sure that the number of challenges or the length of each 
> challenge is reasonable (not to mention the other packet components). 
> Therefore, a maliciously crafted packet can cause out-of-memory errors by 
> requesting an extremely large number of responses or sending very large 
> challenges.
> It is important to notice that this problem is not limited to the 
> {{keyboard-interactive}} protocol but to the entire packet encode/decode 
> mechanism since it is a RLE (read-length encoding). Wherever possible we 
> should add some reasonable but large enough limitations on the expected size 
> of strings/arrays/etc.. being decoded from incoming SSH packets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (SSHD-868) Add some protection against maliciously crafted packets

2018-11-18 Thread Thomas Wolf (JIRA) 


[ 
https://issues.apache.org/jira/browse/SSHD-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690892#comment-16690892
 ] 

Thomas Wolf commented on SSHD-868:
--

Is the length encoding really an issue? Ssh packet length is limited, in Apache 
sshd apparently to 256kB (see [{{AbstractSession.decode()}}, line 
1007|https://github.com/apache/mina-sshd/blob/0241783/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java#L1007]).
 And for instance {{ByteArrayBuffer.getString(Charset)}} checks that the buffer 
does have enough unread bytes available. So if someone sends a packet 
containing a bogus string with a length 0x, sshd will throw a buffer 
exception, but it won't run into an OOM.

The number of challenges in keyboard-interactive authentication might perhaps 
be a problem. A malicious server could just keep on sending zero-prompt info 
requests to make the client be stuck. Perhaps counting the zero-prompt info 
requests separately and aborting when that count reaches {{2 * maxTrials}} 
might be an idea. I don't see any such count in openssh, though. They seem to 
count only the number of inits for keyboard-interactive. See 
[{{sshconnect2.c}}, lines 
1705ff|https://github.com/openssh/openssh-portable/blob/aaed635/sshconnect2.c#L1705].
 Looks to me that the Apache sshd way of counting is better.

> Add some protection against maliciously crafted packets
> ---
>
> Key: SSHD-868
> URL: https://issues.apache.org/jira/browse/SSHD-868
> Project: MINA SSHD
>  Issue Type: Improvement
>Affects Versions: 2.1.1
>Reporter: Goldstein Lyor
>Assignee: Goldstein Lyor
>Priority: Major
>  Labels: memory, overflow, security
> Fix For: 2.1.1
>
>
> According to [RFC4256 - section 3.2|https://tools.ietf.org/html/rfc4256]
> {quote}
> The server SHOULD take into consideration that some clients may not
> be able to properly display a long name or prompt field (see next
> section), and limit the lengths of those fields if possible.
> {quote}
> The current code in {{UserAuthKeyboardInteractive#processAuthDataRequest}} 
> does not make sure that the number of challenges or the length of each 
> challenge is reasonable (not to mention the other packet components). 
> Therefore, a maliciously crafted packet can cause out-of-memory errors by 
> requesting an extremely large number of responses or sending very large 
> challenges.
> It is important to notice that this problem is not limited to the 
> {{keyboard-interactive}} protocol but to the entire packet encode/decode 
> mechanism since it is a RLE (read-length encoding). Wherever possible we 
> should add some reasonable but large enough limitations on the expected size 
> of strings/arrays/etc.. being decoded from incoming SSH packets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)