Bugtraq mailing list archives
Re: Sun libnsl lameness
From: appro () FY CHALMERS SE (Andy Polyakov)
Date: Fri, 3 Jul 1998 16:09:42 +0200
it should be noted that ssh and sshd make use of insecure functions as mentioned below.

[root@squig ~/work/ssh/ssh-1.2.25] nm sshd | egrep 'getnetname|getsecretkey'
[428] | 372268| 0|FUNC |GLOB |0 |UNDEF |getnetname
[527] | 372280| 0|FUNC |GLOB |0 |UNDEF |getsecretkey
[root@squig ~/work/ssh/ssh-1.2.25] nm ssh | grep getnetname
[416] | 356736| 0|FUNC |GLOB |0 |UNDEF |getnetname
I'm the one who is responsible for these calls:-) Hello, everybody!

First of all I want to point out that the mentioned functions, in both the ssh *and* the sshd case, are called at least at the caller's (i.e. non-root) effective uid. Observe that when called at a non-root euid 'getnetname' does *not* call 'host2netname', but 'user2netname'. In addition it should be mentioned that in the ssh case the call to 'getnetname' is performed in a separate process context at *both* the effective and the real caller's uid. So, the way I see it, it's *not* possible to exploit 'getnetname' to gain root privileges in either the ssh or the sshd case.

Now let's look at 'getsecretkey' in sshd... First of all it looks like the information provided in the RSI bulletin is not accurate. 'getkeys_nis' looks quite innocent to me, but not 'getkeys_nisplus'... I don't believe a buffer overflow in 'getkeys_nisplus' ever takes place in the sshd case, because the arguments can not be manipulated by the intruder (as he's not logged in yet!) by e.g. setting the NIS_PATH environment variable. Bad news is that all 'getkeys_*' call 'extract_secret', which in turn does look like "come and get me"... But what would it take to exploit it? The way I see it the intruder would have to have access to, or forge answers from, the NIS/NIS+ server in order to feed the victim with unusually long key-pairs.

Well, I have to conclude that 'getsecretkey' in sshd is exploitable. Again! Provided that the intruder has access to, or is capable of imitating, the NIS/NIS+ server. Should I think of a patch, people? The only thing one can do is to fetch the key-pair before calling 'getsecretkey' and make sure it's not longer than 1K or something:-)
George Clooney wrote:

Functions we have found vulnerable:

Vulnerable key functions
---------------------------------------------------
getsecretkey () : Calls getkeys_nis ()

Vulnerable RPC functions
----------------------------------------------------
getnetname () : Calls host2netname ()
Andy.
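The mitigation sketched above, fetching the key-pair record first and bounding its length before any copy into a fixed-size buffer, as an added C illustration that is not libnsl's, ssh's or the poster's code. The "<public-hex>:<secret-hex>" record shape, HEXKEYBYTES and the 1K cap are assumptions made for the example.

```c
#include <string.h>

/* Constructed example, not libnsl's or ssh's code. A publickey-map record
 * is assumed to look like "<public-hex>:<secret-hex>" with each key
 * HEXKEYBYTES hex digits; the real map may carry further fields. */
#define HEXKEYBYTES    48
#define MAX_RECORD_LEN 1024           /* the post's "1K or something" cap */

/* Split a fetched record into bounded buffers. Returns 0 on success, -1 if
 * the record is oversized, lacks ':' or a field would not fit with its
 * terminator (the check an unbounded copy-until-':' lacks); on failure
 * both buffers are left empty. */
int split_keypair(const char *rec, char *pub, size_t publen,
                  char *sec, size_t seclen)
{
    size_t len = strlen(rec), npub, nsec;
    const char *colon;
    pub[0] = sec[0] = '\0';
    if (len > MAX_RECORD_LEN)                   /* reject before parsing */
        return -1;
    if ((colon = memchr(rec, ':', len)) == NULL)
        return -1;
    npub = (size_t)(colon - rec);
    nsec = len - npub - 1;
    if (npub >= publen || nsec >= seclen)       /* no room for field + NUL */
        return -1;
    memcpy(pub, rec, npub);
    pub[npub] = '\0';
    memcpy(sec, colon + 1, nsec);
    sec[nsec] = '\0';
    return 0;
}

/* 1 if the record passes the checks, 0 if it must be rejected. */
int keypair_record_accepted(const char *rec)
{
    char pub[HEXKEYBYTES + 1], sec[HEXKEYBYTES + 1];
    return split_keypair(rec, pub, sizeof pub, sec, sizeof sec) == 0;
}

/* Constructed sample: npub 'a's, ':', nsec 'b's (npub + nsec < 4094). */
const char *sample_record(size_t npub, size_t nsec)
{
    static char buf[4096];
    memset(buf, 'a', npub);
    buf[npub] = ':';
    memset(buf + npub + 1, 'b', nsec);
    buf[npub + nsec + 1] = '\0';
    return buf;
}
```

A record that is over the cap, or whose field would overrun the destination, is refused before a single byte is copied, so a hostile NIS/NIS+ answer can only cause a lookup failure.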