Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

2001-02-10 Thread David Wagner

Maybe there's a lesson to be learned from this SSH advisory: "Attacks
always get better; they never get worse" [1].

I spent a little time looking for Bleichenbacher attacks on SSH more than
two years ago.  There was obviously a side channel disclosing decryption
failures, but the best attack I could find was an obscure 'academic
attack' that had fairly hefty resource requirements: 2^20 interactions
with the server, and ability to do TCP hijacking.

At the time, I interpreted this as only a very minor attack, due to the
strong assumptions required.  Back in June 1998, I fired off a warning
note to all the SSH folks I could think of [2], but quickly gave up and
forgot about the whole thing when I never heard back from anyone [3].

I was mistaken in my assessment.  We now know that Bleichenbacher
attacks are a real threat.  CORE SDI has described an insightful advance
in analysis, a clever trick that can be used to exploit the same side
channel that I wrongly considered useful only for academic attacks [4].
In short, I'm impressed by CORE SDI's contributions and humbled at
overlooking the possibility for practical attacks.

The lesson here seems clear.  I should have known better: the mere
presence of the side channel should have been enough justification
to justify fixing the code, despite the impractical nature of attacks
known then.  Attacks only get better, and once the attacker gets a foot
in the door with this sort of weakness, who knows where it will all end?
Next time, maybe I'll know better; in the meantime, I thought the lesson
might be worth mentioning.



[1] I'm indebted to Bruce Schneier for this observation; see his April
15th Crypto-gram newsletter.

[2] http://www.cs.berkeley.edu/~daw/tmp/ssh
Available upon request (my website seems to be down at the moment,
but hopefully will be back).

[3] As a side note, this indicates to me that the vulnerability reporting
process in place at SSH could probably be improved.  I sent several
repeated emails, but never once heard back from anyone, and soon
gave up.

[4] As one who has been previously guilty of perpetrating an 'academic
attack' or two (when your analysis starts with "first guess 192 bits of
the key", you know you're in the land of 'academic attacks'!), it seems
that I can err equally well in both directions...

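The side channel Wagner refers to is the padding check on the RSA-decrypted block (the `value[0] != 0 || value[1] != 2` test quoted further down this thread), which tells a client whether its chosen ciphertext decrypted to a well-formed PKCS#1 v1.5 block. One way to remove the channel at its source, shown here as an added example written for this page rather than code from SSH, OpenSSH or CORE SDI, is to inspect every byte of the block in constant time and, on any defect, hand the caller random bytes in place of the key so the connection proceeds identically either way (the approach TLS implementations use); `pkcs1_v15_unpad_ct` and `demo` are hypothetical names and the 64-byte block is constructed for the demo.

```c
#include <stddef.h>
#include <string.h>
/* 1 if x == 0, else 0, with no data-dependent branch */
static unsigned char ct_is_zero(unsigned char x)
{
    return (unsigned char)((((unsigned)x - 1u) >> 8) & 1u);
}

/* Hypothetical replacement for the `value[0] != 0 || value[1] != 2` check
 * quoted in this thread (not rsaglue.c code).  em: k-byte RSA output laid
 * out as 00 02 <8+ nonzero bytes> 00 <keylen-byte key>.  Every byte is
 * inspected; on any defect the caller-supplied random `fallback` is copied
 * out instead of the key, so the caller behaves identically either way. */
int pkcs1_v15_unpad_ct(const unsigned char *em, size_t k,
                       unsigned char *key, size_t keylen,
                       const unsigned char *fallback)
{
    size_t i;
    unsigned char good, mask;
    if (k < keylen + 11) { memcpy(key, fallback, keylen); return 0; } /* lengths are public */
    good  = ct_is_zero(em[0]);                  /* leading 0x00 */
    good &= ct_is_zero(em[1] ^ 0x02);           /* block type 2 */
    for (i = 2; i < k - keylen - 1; i++)        /* padding: nonzero */
        good &= (unsigned char)(1u - ct_is_zero(em[i]));
    good &= ct_is_zero(em[k - keylen - 1]);     /* 0x00 separator */
    mask = (unsigned char)(0u - good);          /* 0xFF if good, else 0x00 */
    for (i = 0; i < keylen; i++)
        key[i] = (em[k - keylen + i] & mask) | (fallback[i] & (unsigned char)~mask);
    return good;
}

/* Constructed demo: a 64-byte block carrying a 32-byte "session key".
 * tamper: 0 intact, 1 wrong block type, 2 zero inside padding, 3 no separator.
 * Returns 1 if the real key came back, 0 if the fallback did, -1 otherwise. */
int demo(int tamper)
{
    unsigned char em[64], key[32], expect[32], fallback[32];
    size_t i; int r;
    memset(em, 0x41, sizeof em);
    em[0] = 0x00; em[1] = 0x02; em[31] = 0x00;
    for (i = 0; i < 32; i++) em[32 + i] = expect[i] = (unsigned char)(0x80 + i);
    memset(fallback, 0xEE, sizeof fallback);    /* stands in for fresh random bytes */
    if (tamper == 1) em[1] = 0x01;
    if (tamper == 2) em[10] = 0x00;
    if (tamper == 3) em[31] = 0x01;
    r = pkcs1_v15_unpad_ct(em, sizeof em, key, sizeof key, fallback);
    if (r == 1 && memcmp(key, expect, 32) == 0) return 1;
    return (r == 0 && memcmp(key, fallback, 32) == 0) ? 0 : -1;
}
```

The return value exists only so a test can see what happened; production callers must not log, abort or signal on it, since doing so would recreate exactly the oracle the thread is about.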


Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

2001-02-09 Thread Iván Arce

Hello,

Yet another error in the advisory released last Wednesday.

- Original Message -
From: "Iván Arce" <[EMAIL PROTECTED]>
Newsgroups: core.lists.bugtraq
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability


>   CORE SDI
> http://www.core-sdi.com
> SSH protocol 1.5 session key recovery vulnerability
>
>

...
> -- cut here --
>
> --- rsaglue.c   1999/12/10 23:27:25 1.8
> +++ rsaglue.c   2001/02/03 09:42:05
> @@ -264,7 +268,15 @@
>mpz_clear(&aux);
>
>if (value[0] != 0 || value[1] != 2)
> -fatal("Bad result from rsa_private_decrypt");
> +{
> +  static time_t last_kill_time = 0;
> +  if (time(NULL) - last_kill_time > 60 && getppid() != 1)
> +   {
> + last_kill_time = time(NULL);
> + kill(SIGALRM, getppid());
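Review bot: the arguments to kill() in the last line of this hunk are reversed. kill(2) takes (pid, sig), so `kill(SIGALRM, getppid())` sends signal number getppid() to the process whose pid equals SIGALRM rather than alarming the parent; the intended call is `kill(getppid(), SIGALRM)`, as the correction below states. Two other points from the visible lines are worth documenting in the patch: the static `last_kill_time` throttles the parent notification to at most once per 60 seconds, and the `getppid() != 1` guard means a server whose parent is init never sends the signal at all, so the key-regeneration path silently does not apply in that deployment.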

... This is wrong wrong wrong and will produce unpredictable results
on the server machine and does not fix the vulnerability either.
   The correct line is:

+ kill(getppid(),SIGALRM);

Thanks to Matt Power from the Bindview RAZOR Team for
pointing this out.

The advisory at our web page has been updated to reflect this
change.


-ivan


---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==[ CORE Seguridad de la Informacion S.A. ]=
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : [EMAIL PROTECTED]
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=


--- For a personal reply use [EMAIL PROTECTED]



Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

2001-02-08 Thread Niels Provos

In message <073f01c09136$ddc04240$2e58a8c0@ffornicario>, Iván Arce writes:
> OpenSSH
>  The vulnerability is present in OpenSSH up to version 2.3.0,
>  although it is not possible to exploit it  due to limits imposed
>  on the number of simultaneous connections the server is allowed
>  to handle,
This is a confusing way to put it.  This attack is not feasible on
OpenSSH.  The connection limit takes care of it.  If you are running
OpenSSH 2.3.0, you are completely fine.

Niels.



Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability (errata)

2001-02-08 Thread Iván Arce

Just a small correction to the advisory just released:

>  http://www.core-sdi.com/bid/1949
>  http://www.core-sdi.com/bid/1426
>  http://www.core-sdi.com/bid/1323
>  http://www.core-sdi.com/bid/1006
>  http://www.core-sdi.com/bid/843
>  http://www.core-sdi.com/bid/660
>

should be:

  http://www.securityfocus.com/bid/1949
  http://www.securityfocus.com/bid/1426
  http://www.securityfocus.com/bid/1323
  http://www.securityfocus.com/bid/1006
  http://www.securityfocus.com/bid/843
  http://www.securityfocus.com/bid/660

sorry for the cut&paste glitch.
-ivan



Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

2001-02-08 Thread Dan Harkless

Iván Arce <[EMAIL PROTECTED]> writes:
> Solution/Vendor Information/Workaround:
[...]
>  SSH.com
>   ssh-1 up to version 1.2.31 is vulnerable.
>   The official response from SSH.com follows:
>
>   -SSH1 is deprecated and SSH.com does not support it
>anymore, the official response is upgrade to SSH2
>   -The SSH1 compatibility code built into SSH-2.4.0 always executes a
>fresh copy of SSHD1, which causes the server key to be regenerated
>for every connection.  Thus, the attack is not at all feasible when
>using SSH1 with an SSH2 server in compatibility mode.

I run a version 1 ssh.com sshd out of inetd using Wietse Venema's tcpd
because tcp_wrappers support is incomplete/buggy in the daemon itself (at
least in 1.2.27 -- haven't re-tested the later versions to see if they fix
this).  The daemon linked with libwrap doesn't support the rfc931 action and
I've had problems with it being overly permissive when specifying allowed IP
ranges.

In this case:

ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i

as in the 2.4.0 SSH1 compatibility case mentioned above, there's a fresh
daemon for each connection.  Annoying waiting for the server key to be
generated for each connection if your machine isn't blazing fast, but a side
effect is that this attack is prevented.

--
Dan Harkless   | To prevent SPAM contamination, please
[EMAIL PROTECTED]  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.