Date: Fri, 27 Jan 2012 16:21:09 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>, djm@...nbsd.org,
        dtucker@...nbsd.org
Subject: Re: CVE Request: Debian (others?) openssh-server:
 Forced Command handling leaks private information to ssh clients

Ok so we (myself and vdanen@...hat.com) have done some more research and
here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:

5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:
=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@...nssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see we get the debug information BEFORE authentication is finished.

So this issue was then addressed in 5.4:

 - (dtucker) OpenBSD CVS Sync
   - dtucker@....openbsd.org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

-	auth_debug_reset();

So now more information is sent in the debug message (post-authentication) which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@...nssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
  LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and
something fixed this problem; we haven't tracked it down exactly (it
may be related to cert_forced_command, auth_cert_options and
parse_option_list).

TL;DR anyone shipping OpenSSH portable 5.4 and 5.5 is vulnerable and needs to fix this.

This may also affect OpenSSH 5.4/5.5 (non-portable) which I'll test when I get home.

-- 

-- Kurt Seifried / Red Hat Security Response Team
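As an added example, not part of Kurt's message or of the OpenSSH project: a small Python checker that reads an `ssh -v` client transcript such as the two quoted above and classifies each `Remote: Forced command:` debug line as arriving before or after `Authentication succeeded`. The two sample transcripts are constructed from the output quoted in the message (trimmed to the relevant lines); `classify_forced_commands`, `LeakReport` and `verdict` are names I chose for this example. It lets an administrator check a given sshd build for both behaviours described: options echoed before authentication finishes (5.3p1) and options from other authorized_keys entries echoed after it (5.4p1/5.5p1).

```python
import re
from dataclasses import dataclass, field

# Client-side debug lines of interest, as printed by "ssh -v".
FORCED_RE = re.compile(r"^debug\d: Remote: Forced command: (.*)$")
AUTH_OK_RE = re.compile(r"^debug\d: Authentication succeeded")


@dataclass
class LeakReport:
    """Forced commands seen in a transcript, split by when they arrived."""
    pre_auth: list = field(default_factory=list)
    post_auth: list = field(default_factory=list)

    @property
    def leaks_before_auth(self) -> bool:
        # Any forced command shown before "Authentication succeeded" was
        # sent while the client was still unauthenticated (5.3p1 behaviour).
        return bool(self.pre_auth)

    @property
    def leaks_other_keys(self) -> bool:
        # Only the matching key's own options should be reported; more than
        # one distinct forced command means other entries' options leaked
        # (5.4p1/5.5p1 behaviour after auth_debug_reset() was removed).
        return len(set(self.post_auth)) > 1


def classify_forced_commands(transcript: str) -> LeakReport:
    """Walk an ssh -v transcript and bucket forced-command debug lines."""
    report = LeakReport()
    authenticated = False
    for line in transcript.splitlines():
        if AUTH_OK_RE.match(line):
            authenticated = True
            continue
        m = FORCED_RE.match(line)
        if m:
            bucket = report.post_auth if authenticated else report.pre_auth
            bucket.append(m.group(1))
    return report


def verdict(report: LeakReport) -> str:
    """One-word summary suitable for a scripted check of an sshd build."""
    if report.leaks_before_auth:
        return "pre-auth-leak"
    if report.leaks_other_keys:
        return "other-keys-leak"
    return "ok"


# Constructed sample transcripts, assembled from the lines quoted in the message.
SAMPLE_5_3P1 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
"""

SAMPLE_5_4P1 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
"""

if __name__ == "__main__":
    for name, sample in (("5.3p1", SAMPLE_5_3P1), ("5.4p1", SAMPLE_5_4P1)):
        print(name, verdict(classify_forced_commands(sample)))
```

To test a real server, capture `ssh -v user@host true 2>&1` against an account whose authorized_keys holds several keys with different `command=` options, feed the output to `classify_forced_commands`, and expect `verdict` to return `"ok"` for a fixed build.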
