OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability

Published: 2002-04-23
Updated: 2002-04-23
Severity: High
Threat level: Remote administrator privileges
Error type: Boundary check error
Exploitation mode: Server mode
BUGTRAQ ID: 4560

Affected systems
OpenSSH OpenSSH 2.1

Detailed description
If sshd in OpenSSH is compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing is enabled in the sshd_config file, sshd is vulnerable to a remote buffer overflow that can lead to root privileges. Ticket and token passing are not allowed by default.

Test code
Test program: http://online.securityfocus.com/data/vulnerabilities/exploits/tgt-x86linux.tar

Solution
Apply the following patch:
OpenSSH OpenSSH 2.1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.1.1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.2: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.3: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.5: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.5.1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.5.2: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.9 p2: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.9 p1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.9: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 2.9.9: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 3.0.1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 3.0.2: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch
OpenSSH OpenSSH 3.1: Niels Provos Patch ossh-afs-krb4.patch http://online.securityfocus.com/data/vulnerabilities/patches/vulnerabilities/patches/ossh-afs-krb4.patch

Index: bufaux.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v retrieving revision 1.24 diff -u -r1.24 bufaux.c --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 +++ bufaux.c 19 Apr 2002 12:55:29 -0000 @@ -137,10 +137,18 @@ BN_bin2bn(bin, len, value); xfree(bin); } - /* - * Returns an integer from the buffer (4 bytes, msb first). + * Returns integers from the buffer (msb first). */ + +u_short +buffer_get_short(Buffer *buffer) +{ + u_char buf[2]; + buffer_get(buffer, (char *) buf, 2); + return GET_16BIT(buf); +} + u_int buffer_get_int(Buffer *buffer) { @@ -158,8 +166,16 @@ } /* - * Stores an integer in the buffer in 4 bytes, msb first. + * Stores integers in the buffer, msb first. */ +void +buffer_put_short(Buffer *buffer, u_short value) +{ + char buf[2]; + PUT_16BIT(buf, value); + buffer_append(buffer, buf, 2); +} + void buffer_put_int(Buffer *buffer, u_int value) { Index: bufaux.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v retrieving revision 1.17 diff -u -r1.17 bufaux.h --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 +++ bufaux.h 19 Apr 2002 12:55:56 -0000 
@@ -23,6 +23,9 @@ void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); +u_short buffer_get_short(Buffer *); +void buffer_put_short(Buffer *, u_short); + u_int buffer_get_int(Buffer *); void buffer_put_int(Buffer *, u_int);

Related information
Reference: kurt@seifried.org http://mantra.freeweb.hu/
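
Review bot: in the first bufaux.c hunk (@@ -137,10 +137,18 @@), buffer_get_short() calls buffer_get(buffer, (char *) buf, 2) and then returns GET_16BIT(buf) unconditionally, and nothing in the visible lines shows what happens when fewer than 2 bytes remain in the buffer. For a helper introduced by a boundary-check fix, the comment should say how a short buffer is handled, or the function should check for it. The rewritten comment also drops "4 bytes" without stating the 2-byte width of the new function; a per-function width would be clearer than the shared "Returns integers from the buffer (msb first)".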
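
Review bot: in the second bufaux.c hunk (@@ -158,8 +166,16 @@), buffer_put_short() declares char buf[2] while buffer_get_short() in the previous hunk declares u_char buf[2] and casts it; use the same type in both so the 16-bit macros are applied to the same kind of storage. As with the getter, the new comment "Stores integers in the buffer, msb first" no longer gives a width, so the 2-byte size of buffer_put_short() is undocumented.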
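
Review bot: the diff as shown here ends with the two prototypes added to bufaux.h, and no visible hunk calls buffer_get_short() or buffer_put_short() or touches the Kerberos TGT / AFS token handling. These lines alone therefore do not show the boundary check the advisory describes, so confirm that the complete ossh-afs-krb4.patch from the URL above is what gets applied. The new prototypes would also benefit from a one-line comment stating that they read and write 16-bit values, msb first.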
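
The precondition in the detailed description (KerberosTgtPassing or AFSTokenPassing enabled in sshd_config) can be checked with the shell function below. It is an added example, not part of the advisory or of OpenSSH; it assumes sshd uses the first value it reads for a keyword, the sample file is constructed, and it cannot tell whether sshd was compiled with Kerberos/AFS support.

```shell
#!/bin/sh
# Added example, not from the advisory: list which of the two options named in
# the description are switched on in a given sshd_config.
# Assumptions: keywords are case-insensitive and the first value read for a
# keyword is the one sshd uses, so later duplicates are ignored.
audit_passing_options() {
    # $1: path to an sshd_config file; prints one enabled option per line
    awk '
        BEGIN {
            want["kerberostgtpassing"] = "KerberosTgtPassing"
            want["afstokenpassing"]    = "AFSTokenPassing"
        }
        {
            sub(/#.*/, "")              # strip comments
            sub(/^[ \t]+/, "")          # strip leading blanks
            if ($0 == "") next
            split($0, f, /[ \t=]+/)     # keyword, then value
            key = tolower(f[1])
            if (!(key in want) || (key in seen)) next
            seen[key] = 1               # first occurrence decides
            if (tolower(f[2]) == "yes") print want[key]
        }
    ' "$1"
}

# Constructed sample configuration, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#KerberosTgtPassing yes
KerberosTgtPassing no
KerberosTgtPassing yes
afstokenpassing YES
EOF

enabled=$(audit_passing_options "$sample")
rm -f "$sample"
if [ -n "$enabled" ]; then
    echo "passing enabled: $enabled"
else
    echo "ticket and token passing are not enabled"
fi
```

An empty result means neither option is set to yes in that file; hosts where an option is reported are the ones to patch first or to reconfigure with the option disabled.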