
libssh bugs found via fuzzing


Hi,

We are security researchers working at Orange Labs. Our area of research
is focused on vulnerability research with fuzzing techniques.

We found three issues in libssh 0.3.3 that can be used to crash the
samplesshd server remotely:
- missing NULL pointer check in crypt_set_algorithms_server
- integer overflow in buffer_get_data
- heap overflow in packet_decrypt, which seems to be caused by calling
DES_ede3_cbc_encrypt with a length that is not a multiple of 8

The attached files are gdb backtraces to help you fix those issues.

Best regards,
Jean Sigwald
Program received signal SIGSEGV, Segmentation fault.
0xb7dea8b1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7dea8b1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb8055adc in buffer_get_data (buffer=0x829beb0, data=0x829cd8c, len=4294967295)
    at /home/jean/libssh/libssh-0.3.3/libssh/buffer.c:303
#2  0xb8055c32 in buffer_get_ssh_string (buffer=0x829beb0) at /home/jean/libssh/libssh-0.3.3/libssh/buffer.c:361
#3  0xb8060c21 in ssh_get_kex (session=0x829c630, server_kex=1) at /home/jean/libssh/libssh-0.3.3/libssh/kex.c:262
#4  0xb8078e36 in ssh_accept (session=0x829c630) at /home/jean/libssh/libssh-0.3.3/libssh/server.c:497
#5  0x0804903e in main (argc=1, argv=0xbfe13304) at /home/jean/libssh/libssh-0.3.3/samplesshd.c:67
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0xb7d45078 in strcmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7d45078 in strcmp () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7fcd420 in crypt_set_algorithms_server (session=0x882f630) at /home/jean/libssh/libssh-0.3.3/libssh/wrapper.c:980
#2  0xb7fd5e59 in ssh_accept (session=0x882f630) at /home/jean/libssh/libssh-0.3.3/libssh/server.c:502
#3  0x0804903e in main (argc=1, argv=0xbfa18634) at /home/jean/libssh/libssh-0.3.3/samplesshd.c:67
(gdb) frame 1
#1  0xb7fcd420 in crypt_set_algorithms_server (session=0x882f630) at /home/jean/libssh/libssh-0.3.3/libssh/wrapper.c:980
980	    if(!strcmp(match,"ssh-dss"))
(gdb) print match
$1 = 0x0
(gdb) 

*** glibc detected *** /home/jean/libssh/build/samplesshd: free(): invalid next size (fast): 0x0821a370 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7db8604]
/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7dba5b6]
/home/jean/libssh/build/libssh/libssh.so.3(packet_decrypt+0x12c)[0xb8035c9c]
/home/jean/libssh/build/libssh/libssh.so.3[0xb804332e]
/home/jean/libssh/build/libssh/libssh.so.3(packet_read+0x11)[0xb804368d]
/home/jean/libssh/build/libssh/libssh.so.3(ssh_message_get+0x76)[0xb8040d38]
/home/jean/libssh/build/samplesshd(main+0x16c)[0x8049076]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7d5f775]
/home/jean/libssh/build/samplesshd[0x8048e11]
======= Memory map: ========
08048000-0804a000 r-xp 00000000 08:01 1336583    /home/jean/libssh/build/samplesshd
0804a000-0804b000 r--p 00001000 08:01 1336583    /home/jean/libssh/build/samplesshd
0804b000-0804c000 rw-p 00002000 08:01 1336583    /home/jean/libssh/build/samplesshd
08215000-08236000 rw-p 00000000 00:00 0          [heap]
b7c00000-b7c21000 rw-p 00000000 00:00 0 
b7c21000-b7d00000 ---p 00000000 00:00 0 
b7d44000-b7d45000 rw-p 00000000 00:00 0 
b7d45000-b7d47000 r-xp 00000000 08:01 2310308    /lib/tls/i686/cmov/libdl-2.9.so
b7d47000-b7d48000 r--p 00001000 08:01 2310308    /lib/tls/i686/cmov/libdl-2.9.so
b7d48000-b7d49000 rw-p 00002000 08:01 2310308    /lib/tls/i686/cmov/libdl-2.9.so
b7d49000-b7ea5000 r-xp 00000000 08:01 2310305    /lib/tls/i686/cmov/libc-2.9.so
b7ea5000-b7ea6000 ---p 0015c000 08:01 2310305    /lib/tls/i686/cmov/libc-2.9.so
b7ea6000-b7ea8000 r--p 0015c000 08:01 2310305    /lib/tls/i686/cmov/libc-2.9.so
b7ea8000-b7ea9000 rw-p 0015e000 08:01 2310305    /lib/tls/i686/cmov/libc-2.9.so
b7ea9000-b7eac000 rw-p 00000000 00:00 0 
b7eac000-b7fdf000 r-xp 00000000 08:01 2310421    /lib/i686/cmov/libcrypto.so.0.9.8
b7fdf000-b7fe7000 r--p 00132000 08:01 2310421    /lib/i686/cmov/libcrypto.so.0.9.8
b7fe7000-b7ff4000 rw-p 0013a000 08:01 2310421    /lib/i686/cmov/libcrypto.so.0.9.8
b7ff4000-b7ff9000 rw-p 00000000 00:00 0 
b7ff9000-b800d000 r-xp 00000000 08:01 2310282    /lib/libz.so.1.2.3.3
b800d000-b800e000 r--p 00013000 08:01 2310282    /lib/libz.so.1.2.3.3
b800e000-b800f000 rw-p 00014000 08:01 2310282    /lib/libz.so.1.2.3.3
b8010000-b801d000 r-xp 00000000 08:01 2310208    /lib/libgcc_s.so.1
b801d000-b801e000 r--p 0000c000 08:01 2310208    /lib/libgcc_s.so.1
b801e000-b801f000 rw-p 0000d000 08:01 2310208    /lib/libgcc_s.so.1
b801f000-b8020000 rw-p 00000000 00:00 0 
b8020000-b8055000 r-xp 00000000 08:01 1435266    /home/jean/libssh/build/libssh/libssh.so.3.3.0
b8055000-b8056000 r--p 00034000 08:01 1435266    /home/jean/libssh/build/libssh/libssh.so.3.3.0
b8056000-b8057000 rw-p 00035000 08:01 1435266    /home/jean/libssh/build/libssh/libssh.so.3.3.0
b8057000-b805c000 rw-p 00000000 00:00 0 
b805c000-b805d000 r-xp 00000000 00:00 0          [vdso]
b805d000-b8079000 r-xp 00000000 08:01 2310158    /lib/ld-2.9.so
b8079000-b807a000 r--p 0001b000 08:01 2310158    /lib/ld-2.9.so
b807a000-b807b000 rw-p 0001c000 08:01 2310158    /lib/ld-2.9.so
bfb19000-bfb2e000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb805c430 in __kernel_vsyscall ()
(gdb) bt
#0  0xb805c430 in __kernel_vsyscall ()
#1  0xb7d746d0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7d76098 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7db224d in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7db8604 in ?? () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7dba5b6 in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb8035c9c in packet_decrypt (session=0x8218630, data=0x8219a88, len=10)
    at /home/jean/libssh/libssh-0.3.3/libssh/crypt.c:89
#7  0xb804332e in packet_read2 (session=0x8218630) at /home/jean/libssh/libssh-0.3.3/libssh/packet.c:150
#8  0xb804368d in packet_read (session=0x8218630) at /home/jean/libssh/libssh-0.3.3/libssh/packet.c:375
#9  0xb8040d38 in ssh_message_get (session=0x8218630) at /home/jean/libssh/libssh-0.3.3/libssh/messages.c:670
#10 0x08049076 in main (argc=1, argv=0xbfb2d5d4) at /home/jean/libssh/libssh-0.3.3/samplesshd.c:72
(gdb) 

