Bugtraq mailing list archives
sshd1 allows unencrypted sessions regardless of server policy
From: Markus.Friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)
Date: Tue, 14 Dec 1999 16:43:32 +0100
[I am posting this here since nobody seems to take care of ssh-1.2.27] While working on OpenSSH I discovered the following defect in ssh-1.2.27, OpenSSH and other related implementations of SSH1: A malicious ssh-client can force a server to use the so called cipher "none" even if the server-policy does not permit this. In the SSH1 protocol, during connection setup, the server sends a list of supported ciphers to the client. This list represents the server policy and includes the ciphers the server is going to accept. Usually the client chooses one cipher from this list and sends its choice back to the server. However, in all these implementations, the server does _not_ check whether the cipher chosen by the client is included in the list of previously offered ciphers. According to README.CIPHERS from recent ssh-1.2.2x releases login sessions 'encrypted' with cipher "none" are disabled by default: "This cipher is intended only for testing, and should not be enabled for normal use. Using no encryption makes SSH vulnerable to network-level attacks (such as connection hijacking). There are also more subtle ways to exploit using no encryption, and servers should not allow such connections at all except when testing the protocol. [...] You can allow "none" encryption by giving the --with-none option to configure. Using no encryption is not allowed by default. This is wrong. Because passphrase-less hostkeys are 'encrypted' with cipher "none" the code for this cipher is always compiled into the programs. This way the client is free to choose "none" and no server will complain. The current version OpenSSH-1.2.1 is not vulnerable. The obvious fix can be found below. A patch for the versions of OpenSSH shipped with OpenBSD-2.6 is available from http://www.openbsd.org/errata.html#sshjumbo Information on OpenSSH can be found at http://www.openssh.com/ Index: sshd.c =================================================================== --- sshd.c 1999/12/06 20:15:30 1.68 +++ sshd.c 1999/12/07 13:38:05 @@ -869,8 +869,11 @@ /* Read clients reply (cipher type and session key). */ packet_read_expect(&plen, SSH_CMSG_SESSION_KEY); - /* Get cipher type. */ + /* Get cipher type and check whether we accept this. */ cipher_type = packet_get_char(); + + if (!(cipher_mask() & (1 << cipher_type))) + packet_disconnect("Warning: client selects unsupported cipher."); /* Get check bytes from the packet. These must match those we sent earlier with the public key packet. */
Current thread:
- [patch] Re: Big problem on 2.0.x?, (continued)
- [patch] Re: Big problem on 2.0.x? Andrea Arcangeli (Dec 14)
- Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Ussr Labs (Dec 13)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Malartre (Dec 14)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Ussr Labs (Dec 14)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Federico - Comnet S.A. (Dec 15)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70Vulnerability ussr secure (Dec 16)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Tim (Dec 15)
- Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Ussr Labs (Dec 15)
- CERT Advisory CA-99-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind Elias Levy (Dec 14)
- Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Jarle Aase (Dec 16)
- Re: sshd1 allows unencrypted sessions regardless of server policy Michael H. Warfield (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy Pavel Machek (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy Joseph Moran (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy David Schwartz (Dec 15)