Vulnerability
SSH1 daemon CRC32 compensation attack detector vulnerability

Published: 2001-02-08
Updated: 2001-11-24

Affected systems:
OpenSSH OpenSSH 2.2
OpenSSH OpenSSH 2.1.1
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
OpenSSH OpenSSH 1.2.2
SSH Communications Security SSH 1.2.31
SSH Communications Security SSH 1.2.30
SSH Communications Security SSH 1.2.29
SSH Communications Security SSH 1.2.28
SSH Communications Security SSH 1.2.27
SSH Communications Security SSH 1.2.26
SSH Communications Security SSH 1.2.25
SSH Communications Security SSH 1.2.24
SSH Communications Security SSH2 (when SSH1 compatibility mode hands connections to an SSH1 daemon)
Unaffected systems:
OpenSSH OpenSSH 2.3
SSH Communications Security SSH2 2.4
SSH Communications Security SSH2 2.3
SSH Communications Security SSH2 2.2
SSH Communications Security SSH2 2.1
SSH Communications Security SSH2 2.0
Description:
BUGTRAQ ID: 2347
CVE(CAN) ID: CVE-2001-0144

SSH is an encrypted communication protocol and tool set for remote login that offers far stronger security than telnet.

Newer versions of the ssh1 daemon ship a piece of code that contains an integer overflow (more precisely, a 16-bit truncation). The problem lies in deattack.c, written by CORE SDI to protect the SSH1 protocol against the CRC32 compensation attack.

Because detect_attack() uses a 16-bit unsigned variable as though it were 32 bits wide, the computation of the hash table index overflows. This lets an attacker overwrite arbitrary locations in memory and potentially obtain root privileges remotely.

The problem is in the detect_attack() function:

...
/*
   detect_attack
   Detects a crc32 compensation attack on a packet
*/
int
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
    static word16 *h = (word16 *) NULL;
(*) static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
...

n is wrongly declared as a 16-bit integer, so an attacker can force its value to 0: a packet large enough to make the table-sizing loop grow the table to 65536 (0x10000) entries stores 0 into the 16-bit n. The daemon then performs xmalloc(0) and goes on to execute the following code:
               for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;

Because i is a 32-bit unsigned integer and (n - 1) evaluates to -1 when n is 0, the index becomes:
i = HASH(c) & 0xffffffff

That is, i is simply HASH(c), the first 32 bits of the cipher block c, which the client supplies. When i lies outside the (now zero-length) table, the access to h[i] touches memory at an attacker-chosen offset from the table; a careless value crashes the daemon with a segmentation fault.

By carefully constructing attack packets, an attacker can instead use the detector's subsequent store into h[i] to overwrite memory at an arbitrary address and execute arbitrary code remotely. No valid account on the system is required.
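
The arithmetic described above, carried through in C as an added worked example (this is code written for this page, not code from the advisory, from Zalewski's write-up or from any ssh distribution). It reuses the detector's constants, which are assumed here from the deattack.c sources of that era (SSH_BLOCKSIZE 8, HASH_MINSIZE 8192, HASH_ENTRYSIZE 2, HASH_FACTOR(x) = x*3/2), and its table-sizing loop, and runs the same sizing once with n declared 16-bit, as in the vulnerable daemon, and once 32-bit, as in the patches further down. For a constructed first block it reports what n holds, how many bytes xmalloc() is asked for, and the slot index that HASH(c) & (n - 1) selects; packet lengths and block contents are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constants as defined in deattack.c (CORE SDI's CRC32 compensation attack detector);
 * assumed here from the ssh-1.2.x / OpenSSH 2.2 sources, not quoted in the advisory. */
#define SSH_BLOCKSIZE   8
#define HASH_MINSIZE    8192
#define HASH_ENTRYSIZE  2
#define HASH_FACTOR(x)  ((x) * 3 / 2)

/* HASH(c) in deattack.c: the first 32 bits of an 8-byte cipher block, big-endian.
 * The block comes straight off the wire, so this value is attacker-chosen. */
static uint32_t block_hash(const unsigned char *c)
{
    return ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
           ((uint32_t)c[2] << 8)  |  (uint32_t)c[3];
}

/* The table-sizing loop of detect_attack(): start at HASH_MINSIZE/HASH_ENTRYSIZE
 * entries and quadruple until the table has HASH_FACTOR(blocks) slots.
 * Returns the 32-bit value of l that the daemon then assigns to n. */
uint32_t sized_entries(uint32_t len)
{
    uint32_t l;
    for (l = HASH_MINSIZE / HASH_ENTRYSIZE; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    return l;
}

/* Smallest packet length (a multiple of SSH_BLOCKSIZE) for which the sizing loop
 * reaches 'entries' slots; used to find the shortest packet that zeroes a 16-bit n. */
uint32_t first_len_reaching(uint32_t entries)
{
    uint32_t len;
    for (len = SSH_BLOCKSIZE; sized_entries(len) < entries; len += SSH_BLOCKSIZE)
        ;
    return len;
}

struct probe {
    uint32_t entries;     /* what n holds after "n = l" */
    size_t   alloc_bytes; /* n * HASH_ENTRYSIZE, the size handed to xmalloc()/xrealloc() */
    uint32_t index;       /* i = HASH(c) & (n - 1) for the supplied first block */
};

/* Vulnerable daemon: n is a 16-bit unsigned (word16 / u_int16_t). */
struct probe probe_vulnerable(uint32_t len, const unsigned char *first_block)
{
    uint16_t n = (uint16_t)sized_entries(len);     /* 0x10000 is stored as 0 */
    /* n promotes to int, so with n == 0 the mask is (int)-1, i.e. 0xffffffff:
     * i is exactly the attacker's 32-bit HASH(c), not an index into the table. */
    uint32_t i = block_hash(first_block) & (n - 1);
    struct probe p = { n, (size_t)n * HASH_ENTRYSIZE, i };
    return p;
}

/* Patched daemon: n is a 32-bit unsigned (word32 / u_int32_t). */
struct probe probe_patched(uint32_t len, const unsigned char *first_block)
{
    uint32_t n = sized_entries(len);
    uint32_t i = block_hash(first_block) & (n - 1);
    struct probe p = { n, (size_t)n * HASH_ENTRYSIZE, i };
    return p;
}

int main(void)
{
    /* Constructed first block whose HASH(c) is 0xdeadbeef. */
    const unsigned char blk[SSH_BLOCKSIZE] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0 };
    uint32_t len = first_len_reaching(0x10000);
    struct probe v = probe_vulnerable(len, blk);
    struct probe f = probe_patched(len, blk);

    printf("shortest packet that grows the table to 0x10000 entries: %u bytes\n", len);
    printf("16-bit n: n=%u, xmalloc(%zu), i=0x%08x (h[i] is %llu bytes past a zero-length table)\n",
           v.entries, v.alloc_bytes, v.index,
           (unsigned long long)v.index * HASH_ENTRYSIZE);
    printf("32-bit n: n=%u, xmalloc(%zu), i=0x%08x (inside the table)\n",
           f.entries, f.alloc_bytes, f.index);
    return 0;
}
```

The interesting number is the packet length: the table starts at 4096 entries and quadruples, so the first size that does not fit in 16 bits is 65536, reached once the packet holds more than 10923 blocks. Anything smaller leaves n non-zero and the mask sane, which is why the bug is only reachable with an oversized packet.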

<*Source: Michal Zalewski (lcamtuf@echelon.pl)

  Links: http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00274.html
        http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00263.html
        http://www.opennet.ru/base/netsoft/1006623481_60.txt.html
        http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
        http://cert.uni-stuttgart.de/archive/bugtraq/2001/02/msg00182.html
        http://www.debian.org/security/2001/dsa-086
        http://www.debian.org/security/2001/dsa-027
*>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

Dvorak provided the following test program:

Recommendations:
Temporary workarounds:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* If you run SSH2 with SSH1 compatibility enabled, NSFOCUS recommends disabling SSH1 for the time being.

* Michal Zalewski (lcamtuf@razor.bindview.com) has also provided the following temporary patches:

SSH1 software:


8<---------------------patch for ssh-1.2.31---------------------------
--- deattack.c.orig Wed Feb 7 13:53:47 2001
+++ deattack.c Wed Feb 7 13:54:24 2001
@@ -79,7 +79,7 @@
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
   static word16 *h = (word16 *) NULL;
- static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
   register word32 i, j;
   word32 l;
   register unsigned char *c;
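
Review bot: widening `n` to word32 removes the 16-bit truncation, but the hunk only touches the declaration; the sizing loop that assigns `n = l` and the `xmalloc(n * HASH_ENTRYSIZE)` / `xrealloc()` calls that consume it lie outside the shown context, so confirm that every use of `n` now sees the full 32-bit value (no remaining word16 temporaries or casts on that path) and that `n * HASH_ENTRYSIZE` cannot wrap for the largest packet the daemon accepts. The `(n - 1)` index mask is safe after this change only because `n` starts at `HASH_MINSIZE / HASH_ENTRYSIZE` and only ever grows; a one-line check that `n != 0` before the table is used would document that invariant.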
8<---------------------patch for ssh-1.2.31---------------------------


Bjoern Groenvall's ossh (ftp://ftp.pdc.kth.se/pub/krypto/ossh/):


8<---------------------patch for ossh-1.5.7---------------------------
--- deattack.c.orig Wed Feb 7 14:11:23 2001
+++ deattack.c Wed Feb 7 14:11:46 2001
@@ -91,7 +91,7 @@
detect_attack(const unsigned char *buf, word32 len)
{
   static u_int16_t *h = (u_int16_t *) NULL;
- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
   register word32 i, j;
   word32 l;
   const unsigned char *c, *d;
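
Review bot: `h` stays `u_int16_t *` while `j`, the block index stored into `h[i]`, is `word32`, so after this change the table can be sized for more than 65535 blocks but each entry still holds only a 16-bit index, with the `HASH_UNUSED` sentinel taking one of those values; suggest an explicit upper bound on `len` next to this declaration (reject the packet when its block count would not fit in an entry) rather than relying on the caller's packet-length limits. Also, the declaration list now mixes the `u_int16_t`/`u_int32_t` and `word32` typedef families in adjacent lines; pick one for the function.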
8<---------------------patch for ossh-1.5.7---------------------------


OpenSSH 2.2.0:


8<-------------------patch for openssh-2.2.0--------------------------
--- deattack.c.orig Wed Feb 7 14:18:23 2001
+++ deattack.c Wed Feb 7 14:19:33 2001
@@ -84,7 +84,7 @@
detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
{
        static u_int16_t *h = (u_int16_t *) NULL;
- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
        register u_int32_t i, j;
        u_int32_t l;
        register unsigned char *c;
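
Review bot: the `-`/`+` lines carry a single space of indentation while the surrounding context lines carry eight, so as reproduced here the hunk will not apply with plain `patch`; apply it with `patch -l` (ignore whitespace) or take the original from the BindView advisory linked above. Separately, the fix carries no comment explaining why the type matters; a short note above the declaration (the sizing loop can reach 0x10000 entries, which a 16-bit `n` stores as 0 and which turns the `(n - 1)` mask into all ones) would stop a future cleanup from narrowing it again.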
8<-------------------patch for openssh-2.2.0--------------------------
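
An added check (example code written for this page, not part of the advisory or of any vendor's tooling) for verifying that the workaround or the upgrade actually took effect on a host. The identification string an SSH daemon sends on connect ("SSH-1.5-...", "SSH-1.99-...", "SSH-2.0-...") says whether it still offers SSH1 at all, and for OpenSSH which release it is; the verdict function encodes only what this advisory states (SSH2-only daemons and OpenSSH 2.3 or later are unaffected, every other daemon that offers SSH1 needs an upgrade or SSH1 disabled). The sample banners are constructed in the formats these daemons used, not captured from real hosts; fetching a live banner (for example with `nc host 22`) is left to the reader.

```c
#include <stdio.h>
#include <string.h>

/* What a server's identification string ("SSH-protoversion-softwareversion") offers. */
enum ssh_offer { OFFER_UNKNOWN, OFFER_SSH1_ONLY, OFFER_SSH1_AND_SSH2, OFFER_SSH2_ONLY };

/* protoversion 1.5 = SSH1 daemon; 1.99 = SSH2 daemon that still falls back to SSH1;
 * 2.0 = SSH2 only. A trailing CR/LF or a missing software field is tolerated. */
enum ssh_offer classify_banner(const char *banner)
{
    const char *proto, *end;
    size_t plen;

    if (strncmp(banner, "SSH-", 4) != 0)
        return OFFER_UNKNOWN;
    proto = banner + 4;
    end = proto + strcspn(proto, "-\r\n");
    plen = (size_t)(end - proto);
    if (plen == 3 && memcmp(proto, "1.5", 3) == 0)  return OFFER_SSH1_ONLY;
    if (plen == 4 && memcmp(proto, "1.99", 4) == 0) return OFFER_SSH1_AND_SSH2;
    if (plen == 3 && memcmp(proto, "2.0", 3) == 0)  return OFFER_SSH2_ONLY;
    return OFFER_UNKNOWN;
}

/* For OpenSSH banners: 1 if the announced release is older than 2.3 (the first release
 * the advisory lists as unaffected), 0 if it is 2.3 or later, -1 if the software field
 * is not "OpenSSH_X.Y...". Only major.minor are compared, matching the advisory's lists. */
int openssh_older_than_2_3(const char *banner)
{
    const char *s = strstr(banner, "OpenSSH_");
    unsigned major, minor;

    if (s == NULL || sscanf(s + 8, "%u.%u", &major, &minor) != 2)
        return -1;
    return (major < 2 || (major == 2 && minor < 3)) ? 1 : 0;
}

/* Verdict: 1 = still exposed (offers SSH1 from something other than a fixed OpenSSH),
 * 0 = not exposed (SSH2 only, or OpenSSH 2.3+ even with SSH1 enabled),
 * -1 = banner not understood. */
int still_exposed(const char *banner)
{
    switch (classify_banner(banner)) {
    case OFFER_SSH2_ONLY:
        /* deattack.c only runs on the protocol 1 packet path, so a daemon that refuses
         * SSH1 never reaches the vulnerable code, whatever its version. */
        return 0;
    case OFFER_SSH1_ONLY:
    case OFFER_SSH1_AND_SSH2:
        /* Only a fixed OpenSSH may keep SSH1 on; an ssh.com 1.2.x daemon, an ssh.com SSH2
         * falling back to sshd1, or an older OpenSSH must be upgraded or lose SSH1. */
        return openssh_older_than_2_3(banner) == 0 ? 0 : 1;
    default:
        return -1;
    }
}

int main(void)
{
    /* Constructed banners in the formats these daemons used; not captured from real hosts. */
    static const char *const samples[] = {
        "SSH-1.5-1.2.31\r\n",
        "SSH-1.99-OpenSSH_2.2.0\r\n",
        "SSH-1.99-OpenSSH_2.3.0\r\n",
        "SSH-2.0-OpenSSH_2.2.0\r\n",
        "SSH-1.99-2.4.0 SSH Secure Shell\r\n",
        "SSH-2.0-2.4.0 SSH Secure Shell\r\n",
    };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-34.*s exposed=%d\n", (int)strcspn(samples[k], "\r\n"),
               samples[k], still_exposed(samples[k]));
    return 0;
}
```

A banner of "SSH-1.99-..." from an ssh.com 2.x server is the case the first workaround above targets: the SSH2 daemon itself is on the unaffected list, but the 1.99 means it will hand an SSH1 client to sshd1, so the check reports it as exposed until SSH1 compatibility is switched off and the banner changes to 2.0.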

Vendor patches:

Debian
------
Debian has released a security advisory (DSA-027-1) and corresponding patches:
DSA-027-1: New OpenSSH packages released
Link: http://www.debian.org/security/2001/dsa-027

Patch download:

Source archives:

http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.diff.gz
http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.dsc
http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3.orig.tar.gz

Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-askpass-gnome_1.2.3-9.2_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1.2.3-9.2_i386.deb

Motorola 680x0 architecture:

http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-askpass-gnome_1.2.3-9.2_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1.2.3-9.2_m68k.deb

Sun Sparc architecture:

http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb

Alpha architecture:

http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh-askpass-gnome_1.2.3-9.2_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_1.2.3-9.2_alpha.deb

PowerPC architecture:

http://security.debian.org/dists/stable/updates/main/binary-p


Installing the patches:

1. Install the patch packages by hand:

  First, download the package with:
  # wget url  (url is the patch download link)

  Then install it with:
  # dpkg -i file.deb (file is the name of the downloaded package)

2. Install the patch packages automatically with apt-get:

   First, refresh the package database:
   # apt-get update

   Then install the updated packages:
   # apt-get upgrade

OpenSSH
-------
The vendor has released an upgrade that fixes this problem; download it from the vendor's home page:

http://www.openssh.com/

SSH Communications Security
---------------------------
The vendor has fixed this vulnerability in the latest version of its software. SSH recommends upgrading to 2.x and disabling SSH1 compatibility; download the latest version from:

http://www.ssh.com

This vulnerability write-up was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.