A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file. Ticket and token passing
is not enabled by default.
1. Systems affected:
All Versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.
Ticket/Token passing is disabled by default and available
only in protocol version 1.
2. Impact:
Remote users may gain privileged access for OpenSSH < 2.9.9
Local users may gain privileged access for OpenSSH < 3.3
No privileged access is possible for OpenSSH with
UsePrivsep enabled.
3. Solution:
Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
4. Credits:
kurt@seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/
Appendix:
Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
+++ bufaux.c 19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
}
-
/*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
*/
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+ u_char buf[2];
+ buffer_get(buffer, (char *) buf, 2);
+ return GET_16BIT(buf);
+}
+
u_int
buffer_get_int(Buffer *buffer)
{
@@ -158,8 +166,16 @@
}
/*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
*/
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+ char buf[2];
+ PUT_16BIT(buf, value);
+ buffer_append(buffer, buf, 2);
+}
+
void
buffer_put_int(Buffer *buffer, u_int value)
{
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
+++ bufaux.h 19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
void buffer_get_bignum(Buffer *, BIGNUM *);
void buffer_get_bignum2(Buffer *, BIGNUM *);
+u_short buffer_get_short(Buffer *);
+void buffer_put_short(Buffer *, u_short);
+
u_int buffer_get_int(Buffer *);
void buffer_put_int(Buffer *, u_int);
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file. Ticket and token passing
is not enabled by default.
1. Systems affected:
All Versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.
Ticket/Token passing is disabled by default and available
only in protocol version 1.
2. Impact:
Remote users may gain privileged access for OpenSSH < 2.9.9
Local users may gain privileged access for OpenSSH < 3.3
No privileged access is possible for OpenSSH with
UsePrivsep enabled.
3. Solution:
Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
4. Credits:
kurt@seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/
Appendix:
Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
+++ bufaux.c 19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
}
-
/*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
*/
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+ u_char buf[2];
+ buffer_get(buffer, (char *) buf, 2);
+ return GET_16BIT(buf);
+}
+
u_int
buffer_get_int(Buffer *buffer)
{
@@ -158,8 +166,16 @@
}
/*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
*/
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+ char buf[2];
+ PUT_16BIT(buf, value);
+ buffer_append(buffer, buf, 2);
+}
+
void
buffer_put_int(Buffer *buffer, u_int value)
{
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
+++ bufaux.h 19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
void buffer_get_bignum(Buffer *, BIGNUM *);
void buffer_get_bignum2(Buffer *, BIGNUM *);
+u_short buffer_get_short(Buffer *);
+void buffer_put_short(Buffer *, u_short);
+
u_int buffer_get_int(Buffer *);
void buffer_put_int(Buffer *, u_int);