J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: SSH CRC-32 Compensation Attack Detector Vulnerability

Severity: CRITICAL

Description:

Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications.

In 1998, cryptanalysts at CORE-SDI discovered a design flaw that could allow compromise of connections using version 1.5 of the SSH protocol. This design flaw had to do the CRC checks made on blocks of ciphertext.

In order to work-around the flaw, code was written to detect such attacks and abort the connection if they were detected.

Unfortunately this code, which made it into the 'main' source-tree of SSH-1 contains a possibly exploitable integer-overflow condition. The offending code is in 'deattack.c',the CRC32 compensation attack detector, shipped with versions of SSH1 1.2.24 and above.

The detect_attack() function has a number of local variables that are used to store data such as the length of the packet, ciphertext block, etc. While most are 32 bit, one of these local integer variables ('n') used is 16 bits wide.

During the execution of the function, this 16 bit integer is assigned the value of another, 32 bit variable ('l'). This is to set the 'n' variable to the length of the packet being checked.

The 16 bit variable 'n' is then used as the parameter to the malloc() function.

Under normal circumstances, with reasonably sized SSH data packets, this process goes along without any problems. The problem of assigning values represented by 32 bits to a 16 bit variable occurs when large packets are recieved. It is possible to make the 16-bit 'n' equivelent to 0 by creating a packet with a size that is represented in 32 bits with the 16 least significant bits set to zero.

The variable 'n' is then passed to the malloc() function in an attempt to allocate memory on the heap. Most modern malloc() implementations, when passed a length value of 0, will not fail and return a valid pointer into memory on the heap.

With malloc() having returned successfully, the function begins writing to the memory assumed to be allocated. The data that is written is integers representing the count of ciphertext blocks, the 'j' variable in the function source code. Since the words that are written are the value of a counter, an attacker would have to create the value to write through iterating the main loop 'x' amount of times. For example, if an attacker wanted to write the value '1000' to the location h[i], they would have to cause the main loop to iterate 1000 times. This is not a big deal since the main loop iterates once for every block of ciphertext.

One way that this vulnerability could be exploited is through writing custom values overtop other malloc headers on the heap. When this is accomplished, it becomes possible to exploit this in a manner typical to heap corruption vulnerabilities.

The attacker may be able to corrupt the header in a manner that will cause arbitrary words in process memory to be overwritten with supplied values when free() is called on them.

This could lead to the execution of arbitrary, supplied code if critical areas of memory are overwritten (such as function return addresses).

It may also be possible for an attacker to write to other areas of memory, such as the stack. This could be accomplished by creating an index value ('i') that will cause these other areas of memory to be referenced and then written to, as though they were the allocated memory in the heap.

An extremely sophisticated exploit could, in theory, overwrite return addresses or other critical data in the stack region. This could lead to the execution of arbtrary code with superuser privileges.

**UPDATE**:

There have been reports suggesting that exploitation of this vulnerability may be widespread.

Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available.

Administrators are strongly urged to ensure they are not running vulnerable versions of SSH.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.

** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.

Affected Products:

  • Blue Coat Systems Security Gateway OS 2.1.5001 SP1
  • Cisco Catalyst 6000 6.2.0(0.110)
  • Cisco IOS 12.0S
  • Cisco IOS 12.10S
  • Cisco IOS 12.1DB
  • Cisco IOS 12.1DC
  • Cisco IOS 12.1E
  • Cisco IOS 12.1EC
  • Cisco IOS 12.1EX
  • Cisco IOS 12.1EY
  • Cisco IOS 12.1EZ
  • Cisco IOS 12.1T
  • Cisco IOS 12.1XA
  • Cisco IOS 12.1XB
  • Cisco IOS 12.1XC
  • Cisco IOS 12.1XD
  • Cisco IOS 12.1XE
  • Cisco IOS 12.1XF
  • Cisco IOS 12.1XG
  • Cisco IOS 12.1XH
  • Cisco IOS 12.1XI
  • Cisco IOS 12.1XJ
  • Cisco IOS 12.1XK
  • Cisco IOS 12.1XL
  • Cisco IOS 12.1XM
  • Cisco IOS 12.1XP
  • Cisco IOS 12.1XQ
  • Cisco IOS 12.1XR
  • Cisco IOS 12.1XS
  • Cisco IOS 12.1XT
  • Cisco IOS 12.1XU
  • Cisco IOS 12.1XV
  • Cisco IOS 12.1XY
  • Cisco IOS 12.1YA
  • Cisco IOS 12.1YB
  • Cisco IOS 12.1YC
  • Cisco IOS 12.1YD
  • Cisco IOS 12.1YF
  • Cisco IOS 12.2
  • Cisco IOS 12.2T
  • Cisco IOS 12.2XA
  • Cisco IOS 12.2XD
  • Cisco IOS 12.2XE
  • Cisco IOS 12.2XH
  • Cisco IOS 12.2XQ
  • Cisco PIX Firewall 5.2.0(5)
  • Cisco PIX Firewall 5.3.0(1)
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • NetBSD NetBSD 1.5.0
  • NetScreen ScreenOS 2.6.1
  • NetScreen ScreenOS 2.6.1r1
  • NetScreen ScreenOS 2.6.1r2
  • NetScreen ScreenOS 2.6.1r3
  • NetScreen ScreenOS 2.6.1r4
  • NetScreen ScreenOS 2.6.1r5
  • NetScreen ScreenOS 3.0.1r2
  • NetScreen ScreenOS 3.0.3r1.1
  • NetScreen ScreenOS 3.1.0r1
  • NetScreen ScreenOS 3.1.0r2
  • NetScreen ScreenOS 3.1.0r9
  • NetScreen ScreenOS 3.1.1r2
  • OpenSSH OpenSSH 1.2.2
  • OpenSSH OpenSSH 1.2.3
  • OpenSSH OpenSSH 2.1.0
  • OpenSSH OpenSSH 2.1.1
  • OpenSSH OpenSSH 2.2.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • SSH Communications Security SSH 1.2.24
  • SSH Communications Security SSH 1.2.25
  • SSH Communications Security SSH 1.2.26
  • SSH Communications Security SSH 1.2.27
  • SSH Communications Security SSH 1.2.28
  • SSH Communications Security SSH 1.2.29
  • SSH Communications Security SSH 1.2.30
  • SSH Communications Security SSH 1.2.31
  • Secure Computing SafeWord Agent For SSH 1.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.