Bugtraq mailing list archives
Re: More ssh fun (sshd this time)
From: shadows () whitefang com (Thamer Al-Herbish)
Date: Sat, 23 Aug 1997 15:31:26 +0000
On Tue, 19 Aug 1997, Ivo van der Wijk wrote:
I've informed my ISP's sysadmin of the LocalForward problem (if you missed it, adding a line like LocalForward 80 remotehost:80 to your $HOME/.ssh/config will forward a privileged port to a remote port, without needing root).
[snip]
Anyway, he fixed it, and I showed him the bug still works when using 2^16 + 80 (i.e. 16-bit wrap). Make sure, if you decide not to remove the suid-root bit like my sysadmin but to patch ssh itself, that you don't make this mistake.
Two bugs are present: the first one doesn't check the config file for privileged ports _at_all_ (a check is done when given on the command line), the second one doesn't check for ports over 65535, which will wrap around. The problem is that ssh/sshd uses an int instead of an unsigned short to do the comparison on. So wrapping doesn't occur till it's placed in the struct sockaddr_in. I've included patches (I'm not the author of ssh so these are completely unofficial), hoping anyone would point out anything I might have missed out, and of course for people to use as a temporary fix till the author releases one. These are against 1.2.17.
-- cut here
Common subdirectories: ssh-1.2.17/gmp-2.0.2-ssh-2 and ssh-fixed-1.2.17/gmp-2.0.2-ssh-2 diff -c ssh-1.2.17/newchannels.c ssh-fixed-1.2.17/newchannels.c *** ssh-1.2.17/newchannels.c Wed Oct 30 04:27:54 1996 --- ssh-fixed-1.2.17/newchannels.c Sat Aug 23 14:19:29 1997 *************** *** 1247,1252 **** --- 1247,1256 ---- /* Check that an unprivileged user is not trying to forward a privileged port. 
*/ + + if (port > 65535) + packet_disconnect("Requested port is %d is invalid",port); + if (port < 1024 && !is_root) packet_disconnect("Requested forwarding of port %d but user is not root.", port); diff -c ssh-1.2.17/readconf.c ssh-fixed-1.2.17/readconf.c *** ssh-1.2.17/readconf.c Wed Oct 30 04:27:53 1996 --- ssh-fixed-1.2.17/readconf.c Sat Aug 23 14:29:08 1997 *************** *** 389,394 **** --- 389,400 ---- fatal("%.200s line %d: Badly formatted port number.", filename, linenum); fwd_port = atoi(cp); + + if(fwd_port < 1024 && original_real_uid) + fatal("Port %d may only be forwarded by root.",fwd_port); + if(fwd_port > 65535) + fatal("Port %d is illegal",fwd_port); + cp = strtok(NULL, WHITESPACE); if (!cp) fatal("%.200s line %d: Missing second argument.", *************** *** 408,413 **** --- 414,425 ---- fatal("%.200s line %d: Badly formatted port number.", filename, linenum); fwd_port = atoi(cp); + + if(fwd_port < 1024 && original_real_uid) + fatal("Port %d may only be forwarded by root.",fwd_port); + if(fwd_port > 65535) + fatal("Port %d is illegal",fwd_port); + cp = strtok(NULL, WHITESPACE); if (!cp) fatal("%.200s line %d: Missing second argument.", diff -c ssh-1.2.17/ssh.c ssh-fixed-1.2.17/ssh.c *** ssh-1.2.17/ssh.c Wed Oct 30 04:27:54 1996 --- ssh-fixed-1.2.17/ssh.c Sat Aug 23 14:18:59 1997 *************** *** 483,488 **** --- 483,499 ---- usage(); /*NOTREACHED*/ } + + if(fwd_port > 65535) { + fprintf(stderr,"Illegal port specified %d\n",fwd_port); + exit(1); + } + if (fwd_port < 1024 && original_real_uid != 0) { + fprintf(stderr, + "Privileged ports can only be forwarded by root.\n"); + exit(1); + } + add_remote_forward(&options, fwd_port, buf, fwd_host_port); break; *************** *** 496,503 **** } if (fwd_port < 1024 && original_real_uid != 0) { ! fprintf(stderr, ! 
"Privileged ports can only be forwarded by root.\n"); exit(1); } add_local_forward(&options, fwd_port, buf, fwd_host_port); --- 507,517 ---- } if (fwd_port < 1024 && original_real_uid != 0) { ! if(fwd_port > 65535) ! fprintf(stderr,"Ilegal port specified %d\n",fwd_port); ! else ! fprintf(stderr, ! "Privileged ports can only be forwarded by root.\n"); exit(1); } add_local_forward(&options, fwd_port, buf, fwd_host_port); Common subdirectories: ssh-1.2.17/zlib-1.0.3 and ssh-fixed-1.2.17/zlib-1.0.3 -- cut here
-------------------------------------------------------------------------------
Thamer Al-Herbish tmh () kuwait net
UNIX Programmer Gulfnet Kuwait Floor 11, Al-Gas Tower.
Network Analyst Ahmad Al-Jabar St. Sharq, Kuwait.
-------------------------------------------------------------------------------
[ For PGP key finger shadows () kuwait net ]
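Review bot: The disconnect message added in the newchannels.c hunk reads "Requested port is %d is invalid" (doubled "is"); drop the first "is". The placement is right: testing the full-width int here, before the value ever reaches a 16-bit sin_port, is what closes the wrap on the sshd side, and running it ahead of the existing privileged-port test means an out-of-range value gets the accurate message.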
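Review bot: In the first readconf.c hunk the range check `if(fwd_port > 65535)` comes after the privilege check, and it is one-sided. A value that is out of range is reported as a privilege problem for non-root, and a negative result from atoi() (if the preceding "Badly formatted port number" check lets a leading minus through) is not rejected for root at all, since it fails both `fwd_port > 65535` and `original_real_uid`. Put the range check first and make it two-sided, e.g. `if(fwd_port < 1 || fwd_port > 65535) fatal("Port %d is illegal",fwd_port);`.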
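Review bot: The second readconf.c hunk is a verbatim copy of the block in the first hunk. Factor the two checks into one helper and call it from both config-file cases and from ssh.c, so the config-file and command-line paths cannot diverge again; the original bug was precisely that one path checked the port and the other did not.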
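Review bot: The first ssh.c hunk has the checks in the right order (range before privilege, both outside any other condition), but its wording "Illegal port specified %d" differs from readconf.c's "Port %d is illegal" and from the next hunk's misspelt "Ilegal"; use one message string, and note this hunk writes `original_real_uid != 0` while readconf.c tests the bare value.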
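Review bot: The second ssh.c hunk (the -L path) leaves the 16-bit wrap open. The new `if(fwd_port > 65535)` test is nested inside the unchanged `if (fwd_port < 1024 && original_real_uid != 0)` block, and no value can be both below 1024 and above 65535, so the branch is dead code: a port above 65535 given with -L by a non-root user is never rejected and still reaches add_local_forward(), where it wraps exactly as the original report describes. Hoist the range check out of the privilege block, as the -R hunk above does, and fix "Ilegal".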
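As an added example (not part of this post or of the ssh sources), the C program below shows why the comparison has to be made on the full-width value before the port is stored in the 16-bit sin_port field, and a port check in the order the patch should use: strict parsing with strtol instead of atoi, range check first, privileged-port rule second. The functions wrapped_port and check_forward_port and the result codes are this example's own names.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Result codes for check_forward_port() (names are this example's own). */
enum port_check { PORT_OK = 0, PORT_BAD_SYNTAX, PORT_OUT_OF_RANGE, PORT_PRIVILEGED };

/* What the kernel would actually see: sin_port is 16 bits wide, so the high
 * bits of an int are silently dropped when it is stored there.  65536 + 80
 * comes back out as 80, which is why an int-only "port < 1024" test is not
 * enough. */
int wrapped_port(int port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);   /* int -> uint16_t: truncation happens here */
    return ntohs(sin.sin_port);
}

/* Validate a port string the way both the config-file and command-line paths
 * should: parse strictly, reject anything outside 1..65535 while the value is
 * still full width, and only then apply the privileged-port rule to non-root
 * real uids. */
enum port_check check_forward_port(const char *text, uid_t real_uid)
{
    char *end;
    long port;

    errno = 0;
    port = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return PORT_BAD_SYNTAX;          /* "", "80x", or overlong digit runs */
    if (port < 1 || port > 65535)
        return PORT_OUT_OF_RANGE;        /* catches 65616 and negative values */
    if (port < 1024 && real_uid != 0)
        return PORT_PRIVILEGED;
    return PORT_OK;
}

int main(void)
{
    /* Constructed input: the 2^16 + 80 case from the thread, as a non-root user. */
    printf("65616 stored in sin_port reads back as %d\n", wrapped_port(65616));
    printf("check(\"65616\", uid 1000) = %d (PORT_OUT_OF_RANGE is %d)\n",
           check_forward_port("65616", 1000), PORT_OUT_OF_RANGE);
    return 0;
}
```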