oss-sec mailing list archives
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 27 Jan 2012 16:21:09 -0700
Ok so we (myself and vdanen () redhat com) have done some more research and here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:

5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions () openssh com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see we get the debug information BEFORE authentication is finished. So this issue was then addressed in 5.4:

 - (dtucker) OpenBSD CVS Sync
   - dtucker () cvs openbsd org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful
     authentication.  Fixes an info leak of environment variables
     specified in authorized_keys, reported by Jacob Appelbaum.  ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

- auth_debug_reset();

So now more information is sent in the debug message (post-authentication) which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions () openssh com
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and something fixed this problem; we haven't tracked it down exactly (it may be related to cert_forced_command, auth_cert_options and parse_option_list).

TL;DR: anyone shipping OpenSSH portable 5.4 and 5.5 is vulnerable and needs to fix this. This may also affect OpenSSH 5.4/5.5 (non portable) which I'll test when I get home.

-- 
Kurt Seifried / Red Hat Security Response Team
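The two transcripts quoted in the message differ only in where the "Remote: Forced command:" debug lines land relative to "Authentication succeeded", and that difference can be checked mechanically when auditing a server's OpenSSH build. The script below is an added example, not part of Kurt's message or of OpenSSH itself: it parses client-side `ssh -v` output, collects forced-command debug lines seen before and after the authentication marker, and flags the case where more than one distinct forced command is reported after authentication, which is the 5.4p1/5.5p1 behaviour shown above (commands belonging to authorized_keys entries the client never used). The sample transcripts are constructed from the lines quoted in the message; the third, single-command transcript is a constructed baseline for a server that only reports the matching key's own command.

```python
"""Classify an `ssh -v` transcript by forced-command debug leakage.

Added example (not from the original message or from OpenSSH). It splits
"Remote: Forced command:" debug lines at the "Authentication succeeded"
marker; several distinct commands after that marker mean the server told
the client about forced commands attached to keys it never authenticated
with (the 5.4p1/5.5p1 transcripts quoted in the message).
"""
import re
from typing import Dict, List

FORCED_RE = re.compile(r"^debug\d: Remote: Forced command: (.*)$")
AUTH_OK_RE = re.compile(r"^debug\d: Authentication succeeded")

# Constructed transcript, built from the 5.3p1 lines quoted in the message.
TRANSCRIPT_5_3 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
"""

# Constructed transcript, built from the 5.5p1 lines quoted in the message.
TRANSCRIPT_5_5 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
"""

# Constructed baseline: only the authenticating key's own command is
# reported, and only after authentication.
TRANSCRIPT_SINGLE = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
debug1: Remote: Forced command: echo 3
debug1: Entering interactive session.
"""


def analyse_transcript(transcript: str) -> Dict[str, object]:
    """Return forced-command lines seen before/after auth plus a verdict."""
    pre_auth: List[str] = []
    post_auth: List[str] = []
    authenticated = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if AUTH_OK_RE.match(line):
            authenticated = True
            continue
        match = FORCED_RE.match(line)
        if match:
            (post_auth if authenticated else pre_auth).append(match.group(1))
    distinct_post = sorted(set(post_auth))
    if len(distinct_post) > 1:
        # Commands for keys the client did not use were disclosed.
        verdict = "leaks-other-keys-forced-commands"
    elif pre_auth:
        # Debug output reached the client before authentication finished
        # (the 5.3p1 ordering the 2010 change reworked).
        verdict = "debug-sent-before-auth"
    else:
        verdict = "no-leak-observed"
    return {
        "pre_auth": pre_auth,
        "post_auth_distinct": distinct_post,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Analyse a saved transcript: ssh -v user@host 2> transcript.txt
        with open(sys.argv[1]) as fh:
            print(analyse_transcript(fh.read()))
    else:
        for name, text in (("5.3p1", TRANSCRIPT_5_3), ("5.5p1", TRANSCRIPT_5_5),
                           ("single", TRANSCRIPT_SINGLE)):
            result = analyse_transcript(text)
            print(f"{name}: {result['verdict']} pre={result['pre_auth']} "
                  f"post={result['post_auth_distinct']}")
```

Because `ssh -v` writes its debug lines to stderr, redirect stderr to a file and pass that path as the first argument; with no argument the script runs over the three constructed transcripts. A test account whose authorized_keys holds several keys with distinct forced commands, as in the message, is what makes the multi-command verdict observable.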