Debian Bug report logs - #801530
openssh-client: Segfault on malformed keys - possible security impact


Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh (PTS, buildd, popcon).

Reported by: Steve Kemp <steve@steve.org.uk>

Date: Sun, 11 Oct 2015 18:57:02 UTC

Severity: important

Tags: security

Found in version openssh/1:6.7p1-5



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Sun, 11 Oct 2015 18:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 11 Oct 2015 18:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <steve@steve.org.uk>
To: submit@bugs.debian.org
Subject: openssh-client: Segfault on malformed keys - possible security impact
Date: Sun, 11 Oct 2015 18:46:23 +0000
[Message part 1 (text/plain, inline)]
Package: openssh-client
Version: 1:6.7p1-5
Severity: important
Tags: security

Dear Maintainer,

I believe that the sanest way to generate an SSH fingerprint, for display
to users, etc, is via executing:

    ssh-keygen -l -f path/to/public.key

This is the rationale behind the following blog-post:

    http://blog.steve.org.uk/generating_fingerprints_from_ssh_keys.html

The gzipped key attached to this email, generated via magical-fuzzing,
will result in a segfault, and a suspicious EIP setting.  This may
indicate code-execution possibilities, and so should probably have
a CVE identifier assigned.

Demonstration is as simple as:

helsinki ~ $ ssh-keygen -l -f ~/key.trigger.pub
Segmentation fault

The backtrace shows EIP as 0x000055555556807e, which looks at least
partially controllable.  I've not yet delved into the details.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.25
ii  libc6             2.19-18+deb8u1
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1k-3+deb8u1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information
[key.trigger.pub.gz (application/gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Sun, 11 Oct 2015 19:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Steve <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 11 Oct 2015 19:36:04 GMT) (full text, mbox, link).


Message #10 received at 801530@bugs.debian.org (full text, mbox, reply):

From: Steve <steve@steve.org.uk>
To: 801530@bugs.debian.org
Subject: Re: Bug#801530: Acknowledgement (openssh-client: Segfault on malformed keys - possible security impact)
Date: Sun, 11 Oct 2015 18:59:26 +0000
[Message part 1 (text/plain, inline)]
  FWIW this is reproducible upon both jessie and wheezy releases of
 Debian GNU/Linux.

  (I've only tested on amd64, though.)


Steve
-- 
http://www.steve.org.uk/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Mon, 12 Oct 2015 09:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 12 Oct 2015 09:09:08 GMT) (full text, mbox, link).


Message #15 received at 801530@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <steve@steve.org.uk>
To: 801530@bugs.debian.org
Subject: Re: Bug#801530: openssh-client: Segfault on malformed keys - possible security impact
Date: Mon, 12 Oct 2015 09:07:50 +0000
[Message part 1 (text/plain, inline)]
  I'm almost embarrassed to say that I submitted the wrong reproducer
 in my original bug report.

  The previous key does trigger the fault, but it is needlessly complex.
 The attachment to this mail should be considered a saner example, as it
 still triggers the crash, but it is significantly shorter.

Steve
-- 
[trimmed.key.pub (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Mon, 12 Oct 2015 12:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jeff Epler <jepler@unpythonic.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 12 Oct 2015 12:51:05 GMT) (full text, mbox, link).


Message #20 received at 801530@bugs.debian.org (full text, mbox, reply):

From: Jeff Epler <jepler@unpythonic.net>
To: 801530@bugs.debian.org
Subject: segfault is null-pointer dereference
Date: Mon, 12 Oct 2015 07:28:23 -0500
.. and the exciting-looking address is apparently a typical load address for
the ssh binary.

# testing with the larger key attached to the initial comment
(gdb) run
Starting program: /home/jepler/src/openssh-6.7p1/ssh-keygen -l -f /home/jepler/Downloads/key.trigger.pub

Program received signal SIGSEGV, Segmentation fault.
0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300, 
    cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
1201                    if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
(gdb) p ret
$1 = (struct sshkey *) 0x5555557c1300
(gdb) p ret->rsa
$2 = (RSA *) 0x0
(gdb) where
#0  0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300, 
    cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
#1  0x000055555558272d in sshkey_try_load_public (k=k@entry=0x5555557c1300, 
    filename=filename@entry=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", commentp=commentp@entry=0x7fffffff6b68) at authfile.c:331
#2  0x0000555555582f46 in sshkey_load_public (
    filename=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", keyp=keyp@entry=0x7fffffff6b00, commentp=0x7fffffff6b68)
    at authfile.c:380
#3  0x0000555555572f28 in key_load_public (filename=<optimized out>, 
    commentp=<optimized out>) at key.c:365
#4  0x000055555555c209 in do_fingerprint (pw=<optimized out>)
    at ssh-keygen.c:807
#5  0x0000555555560594 in main (argc=4, argv=0x0) at ssh-keygen.c:2503

It's worth noting that disabling ssh compatibility code around line 1194 stops
the testcase from segfaulting and doesn't prevent printing the fingerprint of
an RSA key I had on hand.  Ah, but I see that rsa keys and rsa1 keys are
different and this does break printing rsa1 keys.

@@sshkey_read
        case KEY_RSA1:
-#if WITH_SSH1
+#if 0
                /* Get number of bits. */
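Review bot: the change to `#if 0` at the top of the `KEY_RSA1` case removes the whole rsa1 parsing path instead of handling the input that crashes it, so it only confirms where the fault lies and, as the message itself notes, breaks printing rsa1 keys; keep the `#if WITH_SSH1` branch and instead guard the `ret->rsa->e` dereference at sshkey.c:1201 (gdb shows `ret->rsa` is `(RSA *) 0x0` there) or reject the line before it reaches that point.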




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Mon, 12 Oct 2015 19:15:11 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 12 Oct 2015 19:15:11 GMT) (full text, mbox, link).


Message #25 received at 801530@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <steve@steve.org.uk>
To: 801530@bugs.debian.org
Subject: Re: Bug#801530: openssh-client: Segfault on malformed keys - possible security impact
Date: Mon, 12 Oct 2015 19:14:32 +0000
> .. and the exciting-looking address is apparently a typical load address
> for the ssh binary.

  Yes.  It was in the ascii-range, which made me more optimistic.

  (I'm too used to using AAA..AAA as input and seeing 0x41. 0x55 looks
 close enough to be plausible.)

Steve
--



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Tue, 13 Oct 2015 19:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 13 Oct 2015 19:48:06 GMT) (full text, mbox, link).


Message #30 received at 801530@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <steve@steve.org.uk>
To: 801530@bugs.debian.org
Subject: Bug#801530: openssh-client: Segfault on malformed keys - possible security impact
Date: Tue, 13 Oct 2015 19:46:13 +0000
  The following patch seems to me to be a reasonable stab at fixing
 the NULL pointer dereference.

  Tested on Debian Jessie (amd64), against keys of type:

    * dsa
    * ecdsa
    * ed25519
    * rsa
    * rsa1

  On a valid key it shows the fingerprint.  On my bogus sample it shows:

  line 2 too long: 4...
  /home/steve/fuz/output/crashes/crash.min.pub is not a public key file.

  Patch below.  Feel free to include/rework.

Steve
-- 


--- sshkey.c.orig   2015-10-13 22:42:26.178252307 +0300
+++ sshkey.c    2015-10-13 22:42:58.781080815 +0300
@@ -1198,6 +1198,9 @@
            bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
            return SSH_ERR_INVALID_FORMAT;  /* Bad bit count... */
 
+                if ( ret->rsa == NULL )
+                    return SSH_ERR_INVALID_FORMAT;
+
        /* Get public exponent, public modulus. */
        if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
            return r;
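Review bot: the guard is placed correctly (before the first `ret->rsa->e` use, so it also covers the `ret->rsa->n` read that follows), but returning `SSH_ERR_INVALID_FORMAT` reports a caller-side condition (a key struct allocated without an RSA part) as a malformed file, which makes the resulting "is not a public key file" message misleading when the file itself is fine; consider a distinct error code or an explicit check of the key's type so the two cases stay distinguishable. Style: the added lines `if ( ret->rsa == NULL )` and `return SSH_ERR_INVALID_FORMAT;` are indented deeper than the surrounding code and use spaces inside the parentheses, while the adjacent `if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)` does not; match the file's indentation and spacing before sending this upstream.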




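As an added illustration of the defect and the guard discussed in this thread (not OpenSSH code, and not the reporter's patch), the following C program models the shape of the `sshkey_read()` RSA1 branch: a caller-supplied key struct whose RSA sub-struct is only allocated for RSA1-typed keys, and a parser for a decimal "bits e n" line that must refuse rather than dereference a NULL `rsa` pointer. The `key_*` functions, the `SSH_ERR_*` values, the 64-bit `rsa_toy` stand-in for OpenSSL bignums and the `try_parse` helper are all assumptions made for this example; the sample key line is constructed and uses toy sizes.

```c
/* Added example: a miniature model of the sshkey_read() RSA1 branch from this
 * bug, with the NULL guard in place. Not OpenSSH code; names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum key_type { KEY_UNSPEC = 0, KEY_RSA1 = 1 };

/* Hypothetical error codes, modelled loosely on the names in ssherr.h. */
enum { SSH_OK = 0, SSH_ERR_INVALID_FORMAT = -1,
       SSH_ERR_KEY_BITS_MISMATCH = -2, SSH_ERR_ALLOC_FAIL = -3 };

/* Toy stand-in for OpenSSL's RSA: 64-bit integers instead of bignums. */
struct rsa_toy { uint64_t e; uint64_t n; };

struct key { enum key_type type; struct rsa_toy *rsa; };

/* key_new() allocates the RSA sub-struct only for RSA1 keys, which is exactly
 * the situation that makes an unconditional ret->rsa->e dereference unsafe. */
struct key *key_new(enum key_type type) {
    struct key *k = calloc(1, sizeof *k);
    if (k == NULL) return NULL;
    k->type = type;
    if (type == KEY_RSA1) {
        k->rsa = calloc(1, sizeof *k->rsa);
        if (k->rsa == NULL) { free(k); return NULL; }
    }
    return k;
}

void key_free(struct key *k) { if (k) { free(k->rsa); free(k); } }

/* Read one decimal number terminated by whitespace or end of string;
 * advances *cpp past it on success. */
static int read_decimal(const char **cpp, uint64_t *out) {
    const char *cp = *cpp;
    char *ep;
    while (*cp == ' ' || *cp == '\t') cp++;
    if (!isdigit((unsigned char)*cp)) return SSH_ERR_INVALID_FORMAT;
    errno = 0;
    unsigned long long v = strtoull(cp, &ep, 10);
    if (errno != 0 || (*ep != '\0' && strchr(" \t\r\n", *ep) == NULL))
        return SSH_ERR_INVALID_FORMAT;
    *out = v;
    *cpp = ep;
    return SSH_OK;
}

static int bit_length(uint64_t v) { int b = 0; while (v) { b++; v >>= 1; } return b; }

/* Parse an RSA1-style "bits e n" line into a caller-supplied key. */
int key_read_rsa1(struct key *ret, const char *line) {
    uint64_t bits, e, n;
    const char *cp = line;
    int r;
    if ((r = read_decimal(&cp, &bits)) < 0) return r;
    if (bits == 0 || bits > 64) return SSH_ERR_INVALID_FORMAT;  /* bad bit count */
    /* The guard this bug is about: refuse instead of dereferencing NULL when
     * the key was allocated for a type that carries no RSA part. */
    if (ret->type != KEY_RSA1 || ret->rsa == NULL) return SSH_ERR_INVALID_FORMAT;
    if ((r = read_decimal(&cp, &e)) < 0) return r;
    if ((r = read_decimal(&cp, &n)) < 0) return r;
    /* Validate the claimed number of bits against the modulus actually read. */
    if (bit_length(n) != (int)bits) return SSH_ERR_KEY_BITS_MISMATCH;
    ret->rsa->e = e;
    ret->rsa->n = n;
    return SSH_OK;
}

/* Hypothetical helper: parse one line into a freshly allocated key of type t,
 * copy out the parsed values on success and return the parser's result code. */
int try_parse(enum key_type t, const char *line, uint64_t *e_out, uint64_t *n_out) {
    struct key *k = key_new(t);
    if (k == NULL) return SSH_ERR_ALLOC_FAIL;
    int r = key_read_rsa1(k, line);
    if (r == SSH_OK) { *e_out = k->rsa->e; *n_out = k->rsa->n; }
    key_free(k);
    return r;
}

int main(void) {
    uint64_t e = 0, n = 0;
    /* Constructed sample line: 8-bit modulus 221, exponent 7 (toy sizes, not a real key). */
    printf("rsa1 line, RSA1-typed key:   %d\n", try_parse(KEY_RSA1, "8 7 221", &e, &n));
    printf("rsa1 line, UNSPEC-typed key: %d\n", try_parse(KEY_UNSPEC, "8 7 221", &e, &n));
    printf("claimed bits do not match:   %d\n", try_parse(KEY_RSA1, "16 7 221", &e, &n));
    return 0;
}
```

The second call is the case from the backtrace: the same well-formed line, but handed to a key struct that has no RSA part, so without the guard the parser would write through a NULL pointer. With the guard it is reported as an error and the caller can move on to the next key type it supports.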
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Mon, 19 Dec 2016 01:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to "USPS Priority Solutions" <christopher.witt@redspots.ch>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 19 Dec 2016 01:27:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#801530; Package openssh-client. (Thu, 05 Jan 2017 06:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to "USPS SameDay" <john.powers@mdou161vrn.ru>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 05 Jan 2017 06:54:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 17:31:57 2023; Machine Name: buxtehude
