SecurityFocus BUGTRAQ Mailing List: BugTraq

To: BugTraq
Subject: LSH: Buffer overrun and remote root compromise in lshd
Date: Sep 20 2003 8:58AM

All lsh versions prior to lsh-1.4.3, as well as lsh-1.5, lsh-1.5.1 and lsh-1.5.2, have a *buffer overrun* bug. This bug can lead to remote root compromise of the lshd daemon, and it can most likely also let a malicious server execute arbitrary code in the lsh client. The affected code is run before either host or user authentication.

The stable release lsh-1.4.3 and the development release lsh-1.5.3 both fix this bug, and two other bugs of similar character (but different consequences) which were found when grepping the code for similar mistakes.

All users of lsh and lshd should upgrade, and in case you can't upgrade lshd immediately, you are *strongly* advised to disable the lshd service.

Credit is due to Bennett Todd, who reported a crash which turned out to be a buffer overrun.

Example exploit programs have been posted to the full-disclosure mailing list.

NEWS for lsh-1.4.3:

  Fixed heap buffer overrun with potential remote root compromise. Initial bug report by Bennett Todd.

  Fixed a similar bug in the check for channel number allocation failure in the handling of channel_open, and in the experimental client SRP code.

  Backported lshd setsid fix from lsh-1.5. Should call setsid both in the pty and non-pty cases.

  Updated the code to compile with automake-1.7.3 and scsh-0.6.0.
The NEWS entry for lsh-1.5.3 is similar, but since it belongs to the development branch, it also contains some new experimental code.

News for the 1.5.3 release

  Fixed heap buffer overrun with potential remote root compromise. Initial bug report by Bennett Todd.

  Fixed a similar bug in the check for channel number allocation failure in the handling of channel_open, and in the experimental client SRP code.

  lshd now has an experimental mode similar to telnet, where it accepts the 'none' authentication method and automatically disables services such as X and TCP forwarding. This can be useful in environments where it's required that /bin/login or some other program handle authentication and session setup (e.g. handle security contexts and so on).

If you need a bug-fix-only update, you are advised to either stay with lsh-1.4.3, or apply the relevant three lines of the 1.4.3 patch, included below, to your 1.5.2 tree.

The releases can be downloaded from

  http://www.lysator.liu.se/~nisse/archive/lsh-1.4.3.tar.gz
  http://www.lysator.liu.se/~nisse/archive/lsh-1.4.2-1.4.3.diff.gz
  http://www.lysator.liu.se/~nisse/archive/lsh-1.5.3.tar.gz
  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.3.tar.gz
  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.2-1.4.3.diff.gz
  ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.5.3.tar.gz

Regards,
/Niels

diff -urN lsh-1.4.2/src/channel_commands.c lsh-1.4.3/src/channel_commands.c --- lsh-1.4.2/src/channel_commands.c Thu Sep 27 08:29:44 2001 +++ lsh-1.4.3/src/channel_commands.c Fri Sep 19 14:15:37 2003 @@ -57,6 +57,7 @@ make_channel_open_exception( SSH_OPEN_RESOURCE_SHORTAGE, "Allocating a local channel number failed.")); + return; } channel = NEW_CHANNEL(self, connection, index, &request); diff -urN lsh-1.4.2/src/client_keyexchange.c lsh-1.4.3/src/client_keyexchange.c --- lsh-1.4.2/src/client_keyexchange.c Wed Mar 13 17:05:28 2002 +++ lsh-1.4.3/src/client_keyexchange.c Fri Sep 19 16:37:59 2003 
@@ -268,6 +268,7 @@ { lsh_string_free(salt); disconnect_kex_failed(connection, "Bye"); + return; } mpz_init(x); @@ -282,8 +283,11 @@ mpz_clear(x); if (!response) - PROTOCOL_ERROR(connection->e, - "SRP failure: Invalid public value from server."); + { + PROTOCOL_ERROR(connection->e, + "SRP failure: Invalid public value from server."); + return; + } C_WRITE_NOW(connection, response); --- lsh-1.4.2/src/read_line.c Fri Aug 4 01:51:32 2000 +++ lsh-1.4.3/src/read_line.c Fri Sep 19 14:22:29 2003 @@ -98,6 +98,8 @@ /* Too long line */ EXCEPTION_RAISE(self->e, make_protocol_exception(0, "Line too long.")); + + return available; } /* Ok, now we have a line. Copy it into the buffer. */ 

_______________________________________________
lsh-bugs mailing list
lsh-bugs lists lysator liu se
http://lists.lysator.liu.se/mailman/listinfo/lsh-bugs
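Review bot: the added `return;` in the channel_commands.c hunk is the whole fix and should carry a comment saying so: without it, after make_channel_open_exception(SSH_OPEN_RESOURCE_SHORTAGE, "Allocating a local channel number failed.") has been delivered, control falls through to `channel = NEW_CHANNEL(self, connection, index, &request);` and a channel is built on an index that was never allocated. A short comment at the return ("exception already raised; index is invalid past this point") would stop the next maintainer from treating the braces above it as a complete error arm.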
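Review bot: in the first client_keyexchange.c hunk (@@ -268) the new `return;` after `disconnect_kex_failed(connection, "Bye");` is correct but easy to regress, because the block already frees `salt` and reports the failure and so looks finished; before the patch execution continued into `mpz_init(x);` and the rest of the SRP exchange on a connection that had just been told to disconnect. Suggest auditing the other call sites of disconnect_kex_failed for the same fall-through, since the advisory says these bugs were found by grepping for one instance of the pattern.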
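Review bot: the second client_keyexchange.c hunk (@@ -282) fixes an unbraced-if hazard rather than adding new logic: previously `if (!response)` guarded only the PROTOCOL_ERROR call, so `C_WRITE_NOW(connection, response);` was still reached with a NULL response. Wrapping the error and the `return;` in braces is the right shape; as a style point, every error arm that raises and returns in this code base should be braced the same way, which is what the three hunks in this patch converge on.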
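Review bot: in the read_line.c hunk the `return available;` after the "Line too long." exception is what actually closes the heap overrun: the unchanged comment that follows, "Ok, now we have a line. Copy it into the buffer.", shows that before the patch the over-long line was still copied into the buffer after the exception had been raised. Returning `available` reports all pending input as consumed; that is only safe if the exception handler tears the connection down, which is not visible in the hunk and deserves a one-line comment at the return stating that assumption.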
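As an added example, not code from lsh or from this advisory, the constructed reader below isolates the pattern all four hunks fix: an error is raised, but control falls through into code that assumed success, which in read_line.c meant copying an over-long line into a fixed buffer. The names (line_reader, read_line_vulnerable, read_line_fixed, LINE_CAP) and the buffer sizes are assumptions; the guard area exists only so the overrun can be measured instead of crashing the demo.

```c
#include <stddef.h>
#include <string.h>

#define LINE_CAP 16   /* logical size of the line buffer (constructed value) */
#define GUARD    64   /* scratch after it so an overrun can be measured, not crashed on */
typedef struct {
  char   buf[LINE_CAP + GUARD]; /* first LINE_CAP bytes are the "real" line buffer */
  int    error_raised;          /* stands in for EXCEPTION_RAISE(self->e, ...) */
  size_t line_len;
} line_reader;

/* Length of the first line within 'available' input bytes, or -1 if no newline yet. */
static long find_newline(const char *input, size_t available) {
  const char *nl = memchr(input, '\n', available);
  return nl ? (long)(nl - input) : -1;
}

/* Pre-1.4.3 shape: the "too long" check raises the error, but nothing stops
   the copy that follows, so 'len' bytes land in a LINE_CAP-byte buffer.
   Returns the number of input bytes consumed. */
size_t read_line_vulnerable(line_reader *r, const char *input, size_t available) {
  long len = find_newline(input, available);
  if (len < 0) return 0;                       /* need more data */
  if ((size_t)len > LINE_CAP)
    r->error_raised = 1;                       /* "Line too long." ...and falls through */
  memcpy(r->buf, input, (size_t)len);          /* overrun when len > LINE_CAP */
  r->line_len = (size_t)len;
  return (size_t)len + 1;
}

/* Patched shape: raise the error and leave immediately, reporting the pending
   input as consumed (the patch's 'return available;') and copying nothing. */
size_t read_line_fixed(line_reader *r, const char *input, size_t available) {
  long len = find_newline(input, available);
  if (len < 0) return 0;
  if ((size_t)len > LINE_CAP) {
    r->error_raised = 1;
    return available;
  }
  memcpy(r->buf, input, (size_t)len);
  r->line_len = (size_t)len;
  return (size_t)len + 1;
}

/* Bytes written beyond the logical buffer; nonzero means the line overran it. */
size_t overrun_bytes(const line_reader *r) {
  size_t n = 0;
  for (size_t i = LINE_CAP; i < sizeof r->buf; i++) n += (r->buf[i] != 0);
  return n;
}
```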