From ciac@tholia.llnl.gov Fri Jan 30 19:50:51 1998
From: CIAC Mail User <ciac@tholia.llnl.gov>
To: ciac-bulletin@tholia.llnl.gov
Date: Thu, 29 Jan 1998 15:20:40 -0800 (PST)
Subject: CIAC Bulletin I-026: Vulnerability in ssh-agent

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           Vulnerability in ssh-agent

January 28, 1998 16:00 GMT                                        Number I-026
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the SSH cryptographic login program.
PLATFORM:      Unix - SSH versions 1.2.17 through 1.2.21
               SSH prior to 1.2.17 are subject to a similar attack
               F-secure SSH prior ro 1.3.3
DAMAGE:        By exploiting this vulnerability, an unauthorized person on the
               same host may login to a remote server as a person utilizing
               SSH.
SOLUTION:      Upgrade or apply fixes listed below
______________________________________________________________________________
VULNERABILITY  You are urged to upgrade to a non-vulnerable version of SSH as
ASSESSMENT:    soon as possible or apply the fixes.
______________________________________________________________________________

[ Start Secure Networks Inc. ]

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                              January 20, 1998

                          Vulnerability in ssh-agent


This advisory details a vulnerabily in the SSH cryptographic login
program.  The vulnerability enables users to use RSA credentials
belonging to other users who use the ssh-agent program.  This
vulnerability may allow an attacker on the same local host to login
to a remote server as the user utilizing SSH.


Problem Description:
~~~~~~~~~~~~~~~~~~~~~

In order to avoid forcing users of RSA based authentication to go
through the trouble of retyping their pass phrase every time they wish
to use ssh, slogin, or scp, the SSH package includes a program called
ssh-agent, which manages RSA keys for the SSH program.  The ssh-agent
program creates a mode 700 directory in /tmp, and then creates an
AF_UNIX socket in that directory.  Later, the user runs the ssh-add
program, which adds his private key to the set of keys managed by the
ssh-agent program.  When the user wishes to access a service which
permits him to log in using only his RSA key, the SSH client connects
to the AF_UNIX socket, and asks the ssh-agent program for the key.

Unfortunately, when connecting to the AF_UNIX socket, the SSH client is
running as super-user, and performs insufficient permissions checking.
This makes it possible for users to trick their SSH clients into using
credentials belonging to other users.  The end result is that any user
who utilizes RSA authentication AND uses ssh-agent, is vulnerable.
Attackers can utilize this vulnerability to access remote accounts
belonging to the ssh-agent user.


Technical Details
~~~~~~~~~~~~~~~~~~

When communicating with the ssh-agent program, the SSH program issues a
connect() system call as super-user to access the AF_UNIX socket.  By
utilizing symbolic links, an attacker can cause the SSH program to
connect to an alternate user's AF_UNIX socket, and read their RSA
credentials.  After the credentials have been read, SSH will use these
credentials to logon to the remote system as the victim.


Vulnerable Systems:
~~~~~~~~~~~~~~~~~~~~

This vulnerability effects the Unix versions of SSH ONLY.

SSH for unix versions 1.2.17 through 1.2.21 are vulnerable if installed
with default permissions.  Versions of SSH prior to 1.2.17 are subject to
a similar (but different) attack.

F-Secure SSH for Unix systems prior to release 1.3.3 ARE vulnerable.

You can determine the version of SSH you are running by issuing the case
sensitive command:

% ssh -V

Version 1.1 of the windows-based SSH client sold by Data Fellows Inc.
under the F-Secure brand name is NOT vulnerable to this attack.

Versions 1.0 and 1.0a of Mac SSH are NOT vulnerable to this attack.


Fix Resolution:
~~~~~~~~~~~~~~~~

Non-commercial users:

If using the free non-commercial SSH distribution for Unix, administrators
are urged to upgrade to SSH 1.2.22 or later.  Updated versions of the free
unix SSH can be found at ftp://ftp.cs.hut.fi/pub/ssh


Commercial users:

F-Secure SSH version 1.3.3 fixes this security problem.  If you are using
the commercial Data Fellows SSH package and you have a support contract,
you can obtain SSH version 1.3.3 from your local retailer.

Users without a support contract can obtain a diff file which fixes
this problem.  This file can be obtained from:

http://www.DataFellows.com/f-secure/support/ssh/bug/su132patch.html


Workaround:

As a temporary workaround, administrators may remove the setuid bit from
the SSH binary.  This will prevent the attack from working, but will
disable a form of authentication documented as rhosts-RSA.  For example,
if your SSH binary is in the /usr/local/bin directory, the following
command will remove the setuid bit from the SSH binary:

# chmod u-s /usr/local/bin/ssh


Additional Information
~~~~~~~~~~~~~~~~~~~~~~~

SSH is a cryptographic rsh, rlogin, and rcp replacement.  SSH was
written by Tatu Ylonen <ylo@cs.hut.fi>.  For more information about the
noncommercial unix version of SSH, please see http://www.cs.hut.fi/ssh

Commercial versions of ssh are marketed by Data Fellows Inc.  For
information about the F-secure ssh derivatives sold by Data Fellows Inc,
please see http://www.DataFellows.com/f-secure

This vulnerability was discovered by David Sacerdote <davids@secnet.com>.

For more information regarding this advisory, contact Secure Networks
Inc. as <sni@secnet.com>.  A PGP public key is provided below if
privacy is required.

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

[ End Secure Networks Inc. ]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Secure Networks Inc. for the
information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-016: SCO  /usr/bin/X11/scoterm Vulnerability
I-017: statd Buffer Overrun Vulnerability
I-018: FTP Bounce Vulnerability
I-019: Tools Generating IP Denial-of-Service Attacks
I-020: Cisco 7xx password buffer overflow - DOS
I-021: "smurf" IP Denial-of-Service Attacks
I-022: IBM AIX "routed" daemon Vulnerability
I-023: Macro Virus Update
I-024: CGI Security Hole in EWS1.1 Vulnerability
I-025: Windows NT based Web Servers File Access Vulnerability



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNM9tp7nzJzdsy3QZAQHloQQAiV9gJaSq9ug6v28CRPIPXiceNnFPRM5f
N5leaJSwE3OFYj68I7Cc8/Yw1vsK8F2i0PXs3w2hbrc3hfjStepuMKNB2iZYRiyz
ggv1VCjYZKOm1rUhRjcqay4Q/JYyCb/qbUEdawD1MfackgWKAvorCzI0eEm8cJ1P
jpPo33GB5bY=
=7/cr
-----END PGP SIGNATURE-----