Bugtraq mailing list archives

Re: Sun libnsl lameness

From: appro () FY CHALMERS SE (Andy Polyakov)
Date: Fri, 3 Jul 1998 16:09:42 +0200

it should be noted that ssh and sshd make use of insecure functions as
mentioned below.

[root@squig ~/work/ssh/ssh-1.2.25] nm sshd | egrep 'getnetname|getsecretkey'
[428]   |    372268|       0|FUNC |GLOB |0    |UNDEF  |getnetname
[527]   |    372280|       0|FUNC |GLOB |0    |UNDEF  |getsecretkey
[root@squig ~/work/ssh/ssh-1.2.25] nm ssh | grep getnetname
[416]   |    356736|       0|FUNC |GLOB |0    |UNDEF  |getnetname

I'm the one who is responsible for these calls:-) Hello, everybody!

First of all I want to point out that mentioned functions in both ssh
*and* sshd cases are called at least at caller's, a.k.a.  none-root,
effective uid. Observe that when called at none-root euid 'getnetname'
does *not* call 'host2netname', but 'user2netname'. In addition it
should be mentioned that in ssh case call to 'getnetname' is performed
in separate process context at *both* effective & real caller's uid. So
that the way I see it it's *not* possible to exploit 'getnetname' to
gain root privileges in neither ssh nor sshd case.

Now let's look at 'getsecretkey' in sshd... First of all it looks like
the information provided in RSI bulletin is not accurate. 'getkeys_nis'
looks quite innocent to me, but not 'getkeys_nisplus'... I don't
believe buffer overflow in 'getkeys_nisplus' ever takes place in sshd
case, because arguments can not be manipulated by the intruder (as he's
not logged in yet!) by e.g. setting NIS_PATH environment variable. Bad
news is that all 'getkeys_*' call 'extract_secret' which in turn
does look like "come and get me"...  But what would it take to exploit
it? The way I see it intruder would have to have access to or forge
answers from NIS/NIS+ server in order to feed the victim with unusually
long key-pairs. Well, I have to conclude that 'getsecretkey' in sshd is
exploitable. Again! Provided that intruder has access to or capable
of imitating NIS/NIS+ server.

Should I think of a patch, people? The only thing one can do is to
fetch key-pair before calling 'getsecretkey' and make sure it's not
longer than 1K or something:-)



George Clooney wrote:

               Functions we have found vulnerable:

               Vulnerable key functions
               ---------------------------------------------------
               getsecretkey ()         : Calls getkeys_nis ()


               Vulnerable RPC functions
               ----------------------------------------------------
               getnetname ()           : Calls host2netname ()

Andy.

Current thread:

Re: ePerl: bad handling of ISINDEX queries, (continued)
- - - Re: ePerl: bad handling of ISINDEX queries Steve Willer (Jul 08)
    - notes on Port scanning Lloyd Vancil (Jul 08)
    - WWW Authorization Gateway Albert Nubdy (Jul 08)
- Re: Sun libnsl lameness Allanah Myles (Jul 06)
  - Re: Sun libnsl lameness mib () DEAKIN EDU AU (Jul 08)
    - Re: Sun libnsl lameness Scott Stubbs (Jul 09)
    - Sun libnsl patches Mike Sorsen (Jul 09)
  - Re: Sun libnsl lameness Matt Conover (Jul 08)
  - DoS: ANS Interlock Firewall Chris A. Henesy (Jul 09)
  - Administrivia Aleph One (Jul 09)
- Re: Sun libnsl lameness Andy Polyakov (Jul 03)
  - Re: Sun libnsl lameness Matt Conover (Jul 03)
  - UPDATE: SSH insertion attack Ivan Arce (Jul 03)
  - [rootshell] Security Bulletin #20 Aleph One (Jul 06)
- Re: Sun libnsl lameness Edward Lewis EDU SE Nashville (Jul 09)
- Re: Sun libnsl lameness Edward Lewis EDU SE Nashville (Jul 10)