
List:       bugtraq
Subject:    LSH: Buffer overrun and remote root compromise in lshd
From:       nisse () lysator ! liu ! se (Niels Möller)
Date:       2003-09-20 8:58:55

A security hole of the worst kind has been found in lshd. All
versions up to 1.4.2 and all versions in the 1.5.x series up to 1.5.2
are affected.

The primary threat is remote root compromise of the lshd server. Some
exploit programs have been published. It is also likely that a
malicious ssh server can exploit the lsh client.

All users of lsh servers and clients are strongly advised to upgrade
to 1.4.3 (stable) or 1.5.3 (development version, with the usual
caveats), and to immediately disable lshd service until the program
is upgraded.

For further details and instructions, see the attached announcement of
the new versions. (Also note that as usual, the releases and the
1.4.2-1.4.3 patch file are signed properly, even if this message
isn't).

Regards,
/Niels




To: lsh-bugs@lists.lysator.liu.se
Subject: ANNOUNCE: lsh-1.4.3 and lsh-1.5.3
From: nisse@lysator.liu.se (Niels Möller)
Message-ID: <nnad8z980q.fsf@fafner.lysator.liu.se>
Date: 20 Sep 2003 10:30:29 +0200

All lsh versions prior to lsh-1.4.3, as well as lsh-1.5, lsh-1.5.1 and
lsh-1.5.2, have a *buffer overrun* bug. This bug can lead to remote
root compromise of the lshd daemon, and it can most likely also let a
malicious server execute arbitrary code in the lsh client.

The affected code runs before either host or user authentication.

The stable release lsh-1.4.3 and the development release lsh-1.5.3
both fix this bug, and two other bugs of similar character (but
different consequences) which were found when grepping the code for
similar mistakes.

All users of lsh and lshd should upgrade, and in case you can't
upgrade lshd immediately, you are *strongly* advised to disable lshd
service.

Credit is due to Bennett Todd, who reported a crash which turned out
to be a buffer overrun. Example exploit programs have been posted to
the full-disclosure mailinglist.

NEWS for lsh-1.4.3:

	Fixed heap buffer overrun with potential remote root
	compromise. Initial bug report by Bennett Todd.

	Fixed a similar bug in the check for channel number allocation
	failure in the handling of channel_open, and in the
	experimental client SRP code.

	Backported lshd setsid fix from lsh-1.5. Should call setsid
	both in the pty and non-pty cases.

	Updated the code to compile with automake-1.7.3 and
	scsh-0.6.0.

The NEWS entry for lsh-1.5.3 is similar, but since it belongs to the
development branch, it also contains some new experimental code:

News for the 1.5.3 release

	Fixed heap buffer overrun with potential remote root
	compromise. Initial bug report by Bennett Todd.

	Fixed a similar bug in the check for channel number allocation
	failure in the handling of channel_open, and in the
	experimental client SRP code.

	lshd now has an experimental mode similar to telnet, where it
	accepts the 'none' authentication method and automatically
	disables services such as X and TCP forwarding. This can be
	useful in environments where it's required that /bin/login or
	some other program handles authentication and session setup
	(e.g. handles security contexts and so on).

If you need a bug-fix-only update, you are advised to either stay with
lsh-1.4.3, or apply the relevant three lines of the 1.4.3 patch,
included below, to your 1.5.2 tree.

The releases can be downloaded from

  http://www.lysator.liu.se/~nisse/archive/lsh-1.4.3.tar.gz
  http://www.lysator.liu.se/~nisse/archive/lsh-1.4.2-1.4.3.diff.gz
  http://www.lysator.liu.se/~nisse/archive/lsh-1.5.3.tar.gz

  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.3.tar.gz
  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.2-1.4.3.diff.gz
  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.5.3.tar.gz

Regards,
/Niels

diff -urN lsh-1.4.2/src/channel_commands.c lsh-1.4.3/src/channel_commands.c
--- lsh-1.4.2/src/channel_commands.c	Thu Sep 27 08:29:44 2001
+++ lsh-1.4.3/src/channel_commands.c	Fri Sep 19 14:15:37 2003
@@ -57,6 +57,7 @@
 		      make_channel_open_exception(
 			SSH_OPEN_RESOURCE_SHORTAGE,
 			"Allocating a local channel number failed."));
+      return;
     }
 
   channel = NEW_CHANNEL(self, connection, index, &request);
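Review bot: the added "return;" is the whole fix in this hunk: before it, control fell out of the failure branch into "channel = NEW_CHANNEL(self, connection, index, &request);" even though allocating a local channel number had just failed, so the channel was built with an index that was never obtained. A one-line comment above the return (for instance: exception raised, do not construct the channel) would make the early exit self-explanatory, and a regression test that exhausts local channel numbers and then sends one more channel_open would pin the behaviour down.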
diff -urN lsh-1.4.2/src/client_keyexchange.c lsh-1.4.3/src/client_keyexchange.c
--- lsh-1.4.2/src/client_keyexchange.c	Wed Mar 13 17:05:28 2002
+++ lsh-1.4.3/src/client_keyexchange.c	Fri Sep 19 16:37:59 2003
@@ -268,6 +268,7 @@
     {
       lsh_string_free(salt);
       disconnect_kex_failed(connection, "Bye");
+      return;
     }
   
   mpz_init(x);
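Review bot: the new "return;" is necessary rather than cosmetic: without it the function went on to "mpz_init(x);" and the rest of the SRP exchange after it had already called disconnect_kex_failed(connection, "Bye"). Since salt is freed on the line above, leaving early here leaks nothing. The explicit return is only needed because disconnect_kex_failed comes back to its caller instead of unwinding; a short comment saying so would stop the next reader from "simplifying" it away again.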
@@ -282,8 +283,11 @@
   mpz_clear(x);
 
   if (!response)
-    PROTOCOL_ERROR(connection->e,
-		   "SRP failure: Invalid public value from server.");
+    {
+      PROTOCOL_ERROR(connection->e,
+		     "SRP failure: Invalid public value from server.");
+      return;
+    }
   
   C_WRITE_NOW(connection, response);
   
--- lsh-1.4.2/src/read_line.c	Fri Aug  4 01:51:32 2000
+++ lsh-1.4.3/src/read_line.c	Fri Sep 19 14:22:29 2003
@@ -98,6 +98,8 @@
       /* Too long line */
       EXCEPTION_RAISE(self->e,
 		      make_protocol_exception(0, "Line too long."));
+
+      return available;
     }
 
   /* Ok, now we have a line. Copy it into the buffer. */
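Review bot: "return available;" after raising the "Line too long." exception is the change that stops the rejected line from being copied under "/* Ok, now we have a line. Copy it into the buffer. */", which matches the heap overrun the NEWS entry describes; before this, raising the exception did nothing to halt the copy. Two things deserve a comment here: that returning available tells the caller every buffered byte has been consumed after the error, and that closing the connection is the exception handler's job, not this function's. A regression test feeding a line longer than the buffer before any authentication exchange would lock the fix in.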