AUSCERT External Security Bulletin Redistribution

                 ESB-2002.117 -- FreeBSD-SA-02:13.openssh
                OpenSSH contains exploitable off-by-one bug
                               8 March 2002


        AusCERT Security Bulletin Summary

Product:                openssh port prior to 3.0.2_1
                        openssh-portable port prior to 3.0.2p1_1
Vendor:                 FreeBSD
Operating System:       FreeBSD 4.4-RELEASE, 4.5-RELEASE
                        FreeBSD 4.5-STABLE prior to 2002-03-07
Platform:               i386
Impact:                 Root Compromise
                        Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


FreeBSD-SA-02:13                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH contains exploitable off-by-one bug

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2002-03-07
Credits:        Joost Pol <joost@pine.nl>
Affects:        FreeBSD 4.4-RELEASE, 4.5-RELEASE
                FreeBSD 4.5-STABLE prior to the correction date
                openssh port prior to openssh-3.0.2_1
                openssh-portable port prior to openssh-portable-3.0.2p1_1
Corrected:      2002-03-06 13:57:54 UTC (RELENG_4)
                2002-03-07 14:40:56 UTC (RELENG_4_5)
                2002-03-07 14:40:07 UTC (RELENG_4_4)
                2002-03-06 13:53:38 UTC (ports/security/openssh)
                2002-03-06 13:53:39 UTC (ports/security/openssh-portable)
CVE:            CAN-2002-0083
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II.  Problem Description

OpenSSH multiplexes `channels' over a single TCP connection in order
to implement X11, TCP, and agent forwarding.  An off-by-one error in
the code which manages channels can result in a reference to memory
beyond that allocated for channels.  A malicious client or server may
be able to influence the contents of the memory so referenced.
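The defect is a bounds check on the channel id that uses `>` where `>=` is needed, so `id == channels_alloc` passes and indexes one slot past the end of the channel table. The following is an added illustration written for this bulletin, not OpenSSH's code: a simplified channel table with the pre-fix check beside the corrected one.

```c
/* Simplified model of OpenSSH's channel table: a heap-allocated array of
 * `channels_alloc` Channel pointers, looked up by integer id.
 * Constructed for illustration; names mirror the advisory, not the real code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct Channel {
    int self;   /* channel id, equal to its index in the table */
    int type;
} Channel;

static Channel **channels;      /* table of channel pointers */
static int channels_alloc;      /* number of slots allocated */

/* Build a table with n slots, each holding an allocated channel. */
void channels_init(int n) {
    channels = calloc((size_t)n, sizeof(*channels));
    channels_alloc = n;
    for (int i = 0; i < n; i++) {
        channels[i] = calloc(1, sizeof(Channel));
        channels[i]->self = i;
    }
}

/* Pre-fix shape of the check: `id > channels_alloc` accepts
 * id == channels_alloc, which is one slot past the last valid index. */
int lookup_ok_vulnerable(int id) {
    return !(id < 0 || id > channels_alloc);
}

/* Corrected check: valid ids are 0 .. channels_alloc - 1. */
int lookup_ok_fixed(int id) {
    return !(id < 0 || id >= channels_alloc);
}

/* Lookup using the corrected check; returns NULL for any out-of-range id. */
Channel *channel_lookup(int id) {
    if (!lookup_ok_fixed(id)) {
        fprintf(stderr, "channel_lookup: %d: bad id\n", id);
        return NULL;
    }
    return channels[id];
}
```

With a 10-slot table, `lookup_ok_vulnerable(10)` returns 1 while `lookup_ok_fixed(10)` returns 0, which is exactly the one-element gap the advisory describes.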

III. Impact

An authorized remote user (i.e. a user that can successfully
authenticate on the target system) may be able to cause sshd to
execute arbitrary code with superuser privileges.

A malicious server may be able to cause a connecting ssh client to
execute arbitrary code with the privileges of the client user.

IV.  Workaround

Do one of the following:

1) The FreeBSD malloc implementation can be configured to overwrite
   or `junk' memory that is returned to the malloc arena.  Due to the
   details of exploiting this bug, configuring malloc to junk memory
   will thwart the attack.

   To configure a FreeBSD system to junk memory, execute the following
   commands as root:

   # ln -fs J /etc/malloc.conf

   Note that this option will degrade system performance.  See the
   malloc(3) man page for full details on malloc options.

2) Disable the base system sshd by executing the following command as

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted
   by adding the following line to the end of /etc/rc.conf:



   Deinstall the openssh or openssh-portable ports if you have one of
   them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2,
   or 4.5-STABLE after the correction date and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE,
4.5-RELEASE, and 4.5-STABLE dated prior to the correction date.  It
may or may not apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:


[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:


and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:


VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.

Path                                                             Revision
- - -------------------------------------------------------------------------
[Base system]
  HEAD                                                                1.8
  HEAD                                                               1.10

ports/security/openssh/Makefile                                      1.81
ports/security/openssh/files/patch-channels.c                         1.1
ports/security/openssh-portable/Makefile                             1.21
ports/security/openssh-portable/files/patch-channels.c                1.1
- - -------------------------------------------------------------------------

Branch                       Version string
- - -------------------------------------------------------------------------
HEAD                         OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4                     OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_5                   OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_4                   OpenSSH_2.3.0 FreeBSD localisations 20020307
- - -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

  % /usr/sbin/sshd -?

The version string is also displayed when a client connects to the

To view the version string of the OpenSSH client, execute the
following command:

  % /usr/bin/ssh -V

VII. References


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0083 to this issue.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
