Vulnerability Development mailing list archives

OpenSSH segfault (Debian distro)


From: Andrei Mikhailovsky <andrei () arhont com>
Date: 7 Feb 2003 09:35:45 -0000



Arhont Ltd  -  Information Security
(www.arhont.com)

Arhont Advisory by:             Andrei Mikhailovsky
Contact details:                a.mikhailovsky () arhont com
Advisory:                       OpenSSH server (Debian distribution)
Software version:               OpenSSH_3.5p1
Distribution Specific:          Other versions/distributions might be vulnerable
Distribution site:              http://www.debian.org
Distribution contact:           submit () bugs debian org
Contact Date:                   23/01/2003

DETAILS:
The OpenSSH server, version 3.5p1, on Debian GNU/Linux 3.0
(unstable tree) segfaults during the client connection.
As suggested by the Debian team, this is most likely
related to the LDAP implementation and libpam-ldap.  It
has been verified that the Debian 3.0 (woody) and testing
trees are not vulnerable.  The tested vulnerable software
versions are as follows:

OpenSSH                         3.5p1-4
ldap-utils/slapd/libldap2-tls   2.0.27-3
libpam-ldap                     156-1

Possible exploitation of this vulnerability has not been
tested.  Below is the debugging output from the
sshd -ddd command:

whale:/etc/ssh# sshd -ddd
debug1: sshd version OpenSSH_3.5p1 Debian 1:3.5p1-4
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging
Connection from 127.0.0.1 port 44030
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 Debian 1:3.5p1-4
debug1: match: OpenSSH_3.5p1 Debian 1:3.5p1-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4
debug2: Network child is on pid 17561
debug3: preauth child monitor started
debug3: privsep user:group 103:65534
debug1: permanently_set_uid: 103/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1574/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1586/3191
debug3: mm_key_sign entdebug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x8092ec0(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user --------- service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for ---------
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug1: Starting up PAM with username "---------"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "whale"
debug2: monitor_read: 41 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for --------- from 127.0.0.1 port 44030 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for ---------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=--------- devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices 
Failed keyboard-interactive for --------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x806b318(0x0)
Segmentation fault
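For an administrator who receives a trace like the one above, the first questions are which side of the privilege-separated sshd died and what it was doing at the time. The Python script below is an added example, not part of the advisory or of OpenSSH: it walks an sshd -ddd trace and reports the last authentication method the client tried, the last privsep request the monitor picked up, and whether the monitor was still servicing that request when the crash marker appeared. In the advisory's trace the last request is type 10, which the same trace pairs with mm_answer_authpassword and MONITOR_ANS_AUTHPASSWORD, so the privileged parent was in the password/PAM path when it died; the connection to libpam-ldap is the Debian team's suggestion, not something the script establishes. The embedded trace is a shortened, constructed excerpt in the shape of the advisory's output.

```python
"""Triage an sshd -ddd trace that ends in a crash (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, shortened excerpt in the shape of the advisory's sshd -ddd output.
SAMPLE_TRACE = """\
debug1: userauth-request for user --------- service ssh-connection method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
Failed none for --------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method keyboard-interactive
Failed keyboard-interactive for --------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method password
debug1: attempt 2 failures 2
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x806b318(0x0)
Segmentation fault
"""

USERAUTH_RE = re.compile(r"userauth-request for user (\S+) service (\S+) method (\S+)")
# The monitor (privileged parent) logs this when it picks up a request from the child.
MONITOR_REQ_RE = re.compile(r"monitor_read: checking request (\d+)")
# Either an mm_answer_* line or the "used once" line shows the monitor finished a request.
MONITOR_DONE_RE = re.compile(r"mm_answer_\w+|monitor_read: \d+ used once")
# Shell's message when the foreground sshd dies with SIGSEGV (also matches "(core dumped)").
CRASH_RE = re.compile(r"^Segmentation fault")


@dataclass
class CrashTriage:
    crashed: bool = False
    last_user: Optional[str] = None
    last_method: Optional[str] = None
    last_monitor_request: Optional[int] = None   # last privsep request type the monitor picked up
    monitor_busy_at_crash: bool = False          # monitor still servicing it when the crash hit
    last_sshd_line: Optional[str] = None         # last sshd message before the crash marker


def triage_trace(text: str) -> CrashTriage:
    """Walk the trace line by line, tracking auth method and monitor state."""
    t = CrashTriage()
    monitor_busy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CRASH_RE.match(line):
            t.crashed = True
            t.monitor_busy_at_crash = monitor_busy
            break
        t.last_sshd_line = line
        m = USERAUTH_RE.search(line)
        if m:
            t.last_user, t.last_method = m.group(1), m.group(3)
            continue
        m = MONITOR_REQ_RE.search(line)
        if m:
            t.last_monitor_request = int(m.group(1))
            monitor_busy = True
            continue
        if MONITOR_DONE_RE.search(line):
            monitor_busy = False
    return t


def summary(t: CrashTriage) -> str:
    """One-line triage verdict for a ticket or incident note."""
    if not t.crashed:
        return "no crash marker found"
    if t.monitor_busy_at_crash:
        where = "privileged monitor, servicing privsep request type %d" % t.last_monitor_request
    else:
        where = "unprivileged child or between monitor requests"
    return "sshd crashed during '%s' auth for user %s; last message: %r; likely side: %s" % (
        t.last_method, t.last_user, t.last_sshd_line, where)


if __name__ == "__main__":
    print(summary(triage_trace(SAMPLE_TRACE)))
```

Run it against a saved trace with `triage_trace(open("sshd-ddd.log").read())`. Because sshd -d does not fork, both the monitor and the child write to the same terminal, so the state tracking keys on the monitor's own "checking request" and "mm_answer_*" lines rather than on the child's "mm_request_send" lines.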

The Debian team has been contacted regarding this
issue.  Patches are not yet available from Debian.

According to Arhont Ltd policy, all found
vulnerabilities and security issues are reported to
the manufacturer 7 days before they are released to
the public domain (such as CERT and BUGTRAQ).

If you would like more information about this issue,
please do not hesitate to contact the Arhont team.


Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key:       0xFF67A4F4

