A vulnerability found in OpenSSH 9.1 allows the malloc protections to be bypassed

vulnerability

If exploited, flaws of this kind can allow attackers to gain unauthorized access to sensitive information or, more generally, to cause problems.

Recently, Qualys (a technology company specializing in cloud security) announced that it had found a way to bypass the malloc and double-free protections and achieve an initial transfer of control, using a vulnerability in OpenSSH 9.1.

So far it has been determined that the vulnerability is only "theoretical", since no working exploit has been produced. At the same time, whether a working exploit can be created remains an open question.

Regarding the vulnerability, it is mentioned that the trick for bypassing malloc's double-free and use-after-free protections is to reallocate the memory that was occupied by options.kex_algorithms as soon as it has been freed.

From malloc's point of view, no attempt is made to free, read, or write memory that is already free; from sshd's point of view, however, an aliasing attack takes place, since two different pointers to two different objects refer to the same chunk of memory, and writing to one object overwrites the other.

This opens up a world of possibilities.

We started our investigation in Debian bookworm (which uses glibc's malloc code), but we quickly switched to OpenBSD 7.2, because OpenBSD's malloc (despite its defense mechanisms) has two features that make it more interesting for this double-free bug:

The vulnerability is caused by a double free of a memory region during the pre-authentication stage. To create the conditions for the vulnerability, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1" (or that of another old SSH client) so that the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" flags are set. Once these flags are set, the memory of the "options.kex_algorithms" buffer is freed twice.
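The aliasing described above (one chunk reachable through two owners, each of which eventually frees it) comes down to an ownership mistake in the function that filters the key-exchange proposal. The C program below is an added, simplified illustration and is not OpenSSH's source: the flag values, the names `filter_denylist`, `compat_kex_proposal_buggy`, `compat_kex_proposal_fixed`, `simulate` and `tracked_free`, and the sample algorithm list are all constructed for it. It places a filter that frees the caller's live pointer beside one that treats its input as read-only and returns a fresh allocation, and uses a small quarantining free() tracker, the way a debug allocator would, to count second releases of the same chunk instead of letting them reach libc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compat flags standing in for the two the article names; the values are
 * constructed for this example and are not OpenSSH's. */
#define BUG_CURVE25519PAD 0x1
#define OLD_DHGEX         0x2

/* Stand-in for sshd's options struct: it owns kex_algorithms. */
struct options { char *kex_algorithms; };

/* Debug-allocator style free() tracker. Released chunks are quarantined
 * instead of returned to libc, so releasing the same address twice is
 * counted rather than becoming undefined behaviour. */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static int nquarantined, double_frees;

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < nquarantined; i++)
        if (quarantine[i] == p) { double_frees++; return; } /* second release */
    if (nquarantined < QUARANTINE_MAX) quarantine[nquarantined++] = p;
    else free(p);                    /* quarantine full: fall back to libc */
}

static void tracker_reset(void)
{
    for (int i = 0; i < nquarantined; i++) free(quarantine[i]);
    nquarantined = 0;
    double_frees = 0;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Return a new comma-separated list with every entry equal to `deny`
 * removed. The caller owns the result; `list` itself is left untouched. */
static char *filter_denylist(const char *list, const char *deny)
{
    size_t dlen = strlen(deny);
    char *out = malloc(strlen(list) + 1), *w = out;
    const char *s = list;
    if (out == NULL) return NULL;
    *w = '\0';
    while (*s != '\0') {
        const char *e = strchr(s, ',');
        size_t n = e != NULL ? (size_t)(e - s) : strlen(s);
        if (!(n == dlen && memcmp(s, deny, n) == 0)) {
            if (w != out) *w++ = ',';
            memcpy(w, s, n); w += n; *w = '\0';
        }
        s = e != NULL ? e + 1 : s + n;
    }
    return out;
}

/* Buggy shape: handed the live pointer, frees it and returns a replacement,
 * but the struct that owns the original still holds the stale address.
 * Two owners now alias one chunk; whichever frees second double-frees. */
static char *compat_kex_proposal_buggy(char *p, int compat)
{
    char *cp;
    if (compat & BUG_CURVE25519PAD) {
        cp = p; p = filter_denylist(p, "curve25519-sha256@libssh.org"); tracked_free(cp);
    }
    if (compat & OLD_DHGEX) {
        cp = p; p = filter_denylist(p, "diffie-hellman-group-exchange-sha256"); tracked_free(cp);
    }
    return p;
}

/* Fixed shape: the input is const and never freed here. The caller always
 * receives a fresh allocation it owns outright, so options.kex_algorithms
 * and the proposal are distinct chunks with exactly one owner each. */
static char *compat_kex_proposal_fixed(const char *p, int compat)
{
    char *cur = dup_str(p), *next;
    if (compat & BUG_CURVE25519PAD) {
        next = filter_denylist(cur, "curve25519-sha256@libssh.org"); tracked_free(cur); cur = next;
    }
    if (compat & OLD_DHGEX) {
        next = filter_denylist(cur, "diffie-hellman-group-exchange-sha256"); tracked_free(cur); cur = next;
    }
    return cur;
}

/* Life cycle the article describes: build the proposal under `compat`, then
 * later let the owner release options.kex_algorithms as sshd eventually does.
 * Returns how many double frees the tracker caught. */
int simulate(int buggy, int compat)
{
    struct options opt;
    char *proposal;
    tracker_reset();
    opt.kex_algorithms = dup_str("curve25519-sha256@libssh.org,"
                                 "diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256");
    proposal = buggy ? compat_kex_proposal_buggy(opt.kex_algorithms, compat)
                     : compat_kex_proposal_fixed(opt.kex_algorithms, compat);
    tracked_free(opt.kex_algorithms);          /* the owner's own, later free */
    if (proposal != opt.kex_algorithms) tracked_free(proposal);
    return double_frees;
}

int main(void)
{
    printf("buggy, both flags: %d double free(s)\n", simulate(1, BUG_CURVE25519PAD | OLD_DHGEX));
    printf("fixed, both flags: %d double free(s)\n", simulate(0, BUG_CURVE25519PAD | OLD_DHGEX));
    return 0;
}
```

The point of the contrast is the signature: a filter that takes `char *` and frees it silently takes ownership away from a struct that does not know it, whereas `const char *` in, fresh allocation out, keeps every chunk with one owner. Compiled with AddressSanitizer, the buggy path is the same double free the sanitizer would flag; the quarantine here merely makes it countable in a plain build.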

The Qualys researchers, in the course of exploiting the vulnerability, managed to gain control of the processor register "%rip", which holds a pointer to the next instruction to be executed. The exploitation technique they developed allows control to be transferred to any point in the address space of the sshd process on an unpatched OpenBSD 7.2 system, which ships with OpenSSH 9.1 by default.

Quick recap: We were able to obtain arbitrary control of "rip" through this bug (i.e. we can jump anywhere we want in sshd's address space) on an unpatched default installation of OpenBSD 7.2 (which runs OpenSSH 9.1 by default). This is not the end of the story: this is only step 1, bypassing the malloc and double-free guards.

The next steps, which may or may not be feasible at all, are:

- step 2, execute arbitrary code despite the ASLR, NX and ROP protections (this will probably require an information leak, either from the same bug or from a second bug);

- step 3, escape the sshd sandbox (through yet another bug, either in the privileged parent process or in the reduced kernel attack surface).

It is noted that the described prototype covers only the first stage of the attack: to create a working exploit, the ASLR, NX and ROP protection mechanisms would still have to be bypassed and the sandbox isolation escaped, which is unlikely.

Bypassing ASLR, NX and ROP requires obtaining address information, which could be done by finding another vulnerability that leads to an information leak. A bug in the privileged parent process or in the kernel could help to escape the sandbox.

The vulnerability is said to work as follows:

  • First, free options.kex_algorithms in compat_kex_proposal(), by pretending that the ssh client is an old "FuTTY" client.
  • Second, the chunk that was occupied by options.kex_algorithms is reallocated, with an EVP_AES_KEY structure of 264 bytes, by selecting the "aes128-ctr" cipher during the key-exchange stage. This reallocation happens with a probability of ~1/32.
  • Third, free (again) the chunk that was occupied by options.kex_algorithms (and is now occupied by the EVP_AES_KEY structure) in kex_assemble_names() (via mm_getpwnamallow()). This happens if and only if the first byte of the chunk is '+', '-', or '^' (otherwise kex_assemble_names() returns an error and fatal_fr() is called).
  • Fourth, the chunk that was occupied by options.kex_algorithms (and is still referenced as an EVP_AES_KEY structure) is reallocated, with a string of 300 'A' bytes, "authctxt->user" or "authctxt->style", during the authentication stage. This reallocation, which completely overwrites the EVP_AES_KEY structure with 'A' bytes, happens with a probability of ~2/32.
  • Finally, sshd jumps to 0x4141414141414141 when it calls EVP_Cipher(), because the EVP_AES_KEY structure contains a function pointer that is overwritten with our 'A' bytes and called by CRYPTO_ctr128_encrypt_ctr32() (via E)

Finally, if you are interested in knowing more about it, you can check the details at the following link.
