oss-sec mailing list archives

Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 27 Jan 2012 16:21:09 -0700

Ok so we (myself and vdanen () redhat com) have done some more research and
here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:

5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:
=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions () openssh com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see, we get the debug information BEFORE authentication is finished.

So this issue was then addressed in 5.4:

 - (dtucker) OpenBSD CVS Sync
   - dtucker () cvs openbsd org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

-       auth_debug_reset();

So now more information is sent in the debug message (post-authentication), which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions () openssh com
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
  LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and
something fixed this problem; we haven't tracked it down exactly (it
may be related to cert_forced_command, auth_cert_options and
parse_option_list).

TL;DR anyone shipping OpenSSH portable 5.4 and 5.5 is vulnerable and needs to fix this.

This may also affect OpenSSH 5.4/5.5 (non portable) which I'll test when I get home.

-- 

-- Kurt Seifried / Red Hat Security Response Team
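An added check (not from the message above or from OpenSSH itself) that buckets the `debug1: Remote: Forced command:` lines in `ssh -v` client output by whether they arrive before or after `Authentication succeeded`, run over transcripts constructed from the two excerpts in the message; it generalises to any number of echoed commands, so it also shows the "other keys' commands" leak of 5.4/5.5.

```python
import re
from dataclasses import dataclass, field

# Patterns for the ssh -v client lines quoted in the message above.
FORCED_CMD = re.compile(r"^debug1: Remote: Forced command: (.*)$")
AUTH_OK = re.compile(r"^debug1: Authentication succeeded \(")

@dataclass
class LeakReport:
    pre_auth: list = field(default_factory=list)   # seen before auth finished
    post_auth: list = field(default_factory=list)  # seen after auth finished

    @property
    def leaked(self) -> bool:
        # Any echoed forced command exposes authorized_keys contents; the
        # pre-auth case is worse since an unauthenticated client sees it.
        return bool(self.pre_auth or self.post_auth)

def scan_client_debug(lines):
    """Bucket 'Remote: Forced command' lines by position relative to auth."""
    report = LeakReport()
    authenticated = False
    for raw in lines:
        line = raw.rstrip("\n")
        if AUTH_OK.match(line):
            authenticated = True
            continue
        m = FORCED_CMD.match(line)
        if m:
            bucket = report.post_auth if authenticated else report.pre_auth
            bucket.append(m.group(1))
    return report

# Constructed transcripts, trimmed from the two excerpts in the message.
LOG_53P1 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
""".splitlines()

LOG_55P1 = """\
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
""".splitlines()
```

A server with the fix should produce a report whose `leaked` property is false, i.e. no forced command is echoed at all, before or after authentication.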
