OpenSSH segfault (Debian distro)

From: Andrei Mikhailovsky <andrei(at)arhont.com>
Date: Fri Feb 07 2003 - 04:35:45 EST

Arhont Ltd - Information Security

Arhont Advisory by: Andrei Mikhailovsky
(www.arhont.com)

Contact details:        a.mikhailovsky@arhont.com
Advisory:               OpenSSH server (Debian distribution)
Software version:       OpenSSH_3.5p1
Distribution Specific:  Other versions/distributions might be vulnerable
Distribution site:      http://www.debian.org
Distribution contact:   submit@bugs.debian.org
Contact Date:           23/01/2003

DETAILS:
On Debian GNU/Linux 3.0 (unstable tree), the OpenSSH server version 3.5p1 segfaulted during a client connection. As suggested by the Debian team, this is most likely related to the LDAP implementation and libpam-ldap. It has been verified that the Debian 3.0 (woody) and testing trees are not vulnerable. The tested vulnerable software versions are as follows:

OpenSSH                         3.5p1-4
ldap-utils/slapd/libldap2-tls   2.0.27-3
libpam-ldap                     156-1

The possible exploitations of this vulnerability have not been tested. Below is the debugging output from the sshd -ddd command:

whale:/etc/ssh# sshd -ddd
debug1: sshd version OpenSSH_3.5p1 Debian 1:3.5p1-4
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging Connection from 127.0.0.1 port 44030
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 Debian 1:3.5p1-4
debug1: match: OpenSSH_3.5p1 Debian 1:3.5p1-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4
debug2: Network child is on pid 17561
debug3: preauth child monitor started
debug3: privsep user:group 103:65534
debug1: permanently_set_uid: 103/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1574/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1586/3191
debug3: mm_key_sign entdebug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x8092ec0(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user --------- service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug1: Starting up PAM with username "---------"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "whale"
debug2: monitor_read: 41 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for --------- from 127.0.0.1 port 44030 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for ---------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=--------- devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for --------- from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user --------- service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x806b318(0x0)
Segmentation fault
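
The useful fact buried in a transcript like this is not the segfault itself but where the privilege-separated server was when it died. The monitor (privileged parent) logs "monitor_read: checking request N" when it picks up a request from the unprivileged child, and normally follows it with an "mm_answer_*" line or "N used once, disabling now"; a request that is never answered before "Segmentation fault" is the one that was in flight. Here that is request 10 (the password check, answered through PAM), after the client had already fallen through "none" and "keyboard-interactive", which is consistent with the libpam-ldap hypothesis in the advisory. The script below is an added example, not part of the original advisory: it walks such a transcript and reports the last authentication method and the in-flight monitor request. The request-number-to-name table is taken only from the pairs visible in the transcript above; the "in flight" rule is an inference from the log format; and the embedded log is a constructed, abridged copy of the transcript's shape with a made-up username.

```python
"""Locate where an `sshd -ddd` (privsep) transcript died.

Added example for this advisory, not part of the original post.  A
monitor request whose "monitor_read: checking request N" line is never
followed by an "mm_answer_*" or "N used once, disabling now" line before
"Segmentation fault" is taken to be the request the privileged monitor
was servicing when the process died (an inference from the log format).
"""
import re

# Request numbers as they appear in the transcript above, labelled with the
# sshd function that answers each one in that same transcript.
REQUEST_NAMES = {
    0: "moduli",         # mm_answer_moduli
    3: "authserv",       # mm_answer_authserv
    4: "sign",           # mm_answer_sign
    6: "pwnamallow",     # mm_answer_pwnamallow
    10: "authpassword",  # mm_answer_authpassword (PAM password check)
    41: "start_pam",     # mm_start_pam
}

USERAUTH_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
CHECKING_RE = re.compile(r"monitor_read: checking request (\d+)")
ANSWER_RE = re.compile(r"\bmm_answer_\w+")
USED_ONCE_RE = re.compile(r"monitor_read: (\d+) used once, disabling now")


def auth_methods(log_text):
    """Return the userauth methods the client tried, in order."""
    return [m.group(2) for m in USERAUTH_RE.finditer(log_text)]


def locate_crash(log_text):
    """Report the last auth method and the monitor request in flight at the crash."""
    method = None
    pending = None    # request most recently picked up by monitor_read
    answered = True   # has the monitor finished servicing `pending`?
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERAUTH_RE.search(line)
        if m:
            method = m.group(2)
            continue
        m = CHECKING_RE.search(line)
        if m:
            pending, answered = int(m.group(1)), False
            continue
        if ANSWER_RE.search(line) or USED_ONCE_RE.search(line):
            answered = True
            continue
        if line == "Segmentation fault":
            return {
                "crashed": True,
                "method": method,
                "monitor_request": pending,
                "request_name": REQUEST_NAMES.get(pending, "unknown"),
                "in_monitor": not answered,   # monitor never answered -> died servicing it
            }
    return {"crashed": False, "method": method, "monitor_request": pending,
            "request_name": REQUEST_NAMES.get(pending, "unknown"), "in_monitor": False}


# Constructed, abridged transcript in the shape of the one above (username made up).
SAMPLE_LOG = """\
debug1: sshd version OpenSSH_3.5p1 Debian 1:3.5p1-4
debug1: userauth-request for user alice service ssh-connection method none
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug1: Starting up PAM with username "alice"
debug2: monitor_read: 41 used once, disabling now
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for alice from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user alice service ssh-connection method keyboard-interactive
Failed keyboard-interactive for alice from 127.0.0.1 port 44030 ssh2
debug1: userauth-request for user alice service ssh-connection method password
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x806b318(0x0)
Segmentation fault
"""

if __name__ == "__main__":
    print(auth_methods(SAMPLE_LOG))   # ['none', 'keyboard-interactive', 'password']
    print(locate_crash(SAMPLE_LOG))   # request 10 (authpassword) still in flight
```

Because the transcript was taken with "Server will not fork when running in debugging", the whole daemon died; in normal operation sshd forks a monitor and child per connection, so the same fault takes down that connection's processes rather than the listener. Either way the crash is in the privileged half of privsep, which is the half that talks to PAM, so a crash signature for sshd in the system log during password authentication is the thing to alert on while a fixed package is awaited.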

The Debian team has been contacted regarding this issue. Patches are not yet available from the Debian distributor.

According to Arhont Ltd policy, all found vulnerabilities and security issues are reported to the manufacturer 7 days before being released to the public domain (such as CERT and BUGTRAQ).

Can we help you?X

If you would like more information about this issue, please do not hesitate to contact the Arhont team.

Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4

Received on Fri Feb 7 11:34:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

