[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BFS-SA-2015-002: OpenSSH PAM Privilege Separation Vulnerabilities



Blue Frost Security GmbH
https://www.bluefrostsecurity.de/               research(at)bluefrostsecurity.de
BFS-SA-2015-002                                                   13-August-2015
________________________________________________________________________________

Affected Product:       OpenSSH (http://www.openssh.com)
Affected Version:       Portable versions <= 6.9p1
Vulnerability:          Vulnerabilities in PAM Privilege Separation Code
________________________________________________________________________________

I.   Impact

Two vulnerabilities were identified in the PAM privilege separation code. One
of them (III) allows remote attackers who previously achieved remote code
execution within the unprivileged pre-auth sandbox process to perform a
successful authentication as an arbitrary user (e.g. root) and thus impersonate
other users. The only additional prerequisite is any valid (possibly
low-privileged) user account which can be used to login into the system via SSH.

________________________________________________________________________________

II.  Background

OpenSSH implements privilege separation which was introduced with version 5.9.
Privilege separation is a generic approach which splits the code into two
processes: An unprivileged child process and a privileged monitor process. The
unprivileged child does most of the work and in particular processes all the
network data. The monitor process communicates with the unprivileged child
process and performs all the operations which require higher privileges. The
idea of this design is to prevent programming errors in the unprivileged parts
from compromising the whole application and thus prevent a full system
compromise. A good technical overview can be found in the paper
"Preventing Privilege Escalation" by Niels Provos et al.
(http://www.peter.honeyman.org/u/provos/papers/privsep.pdf).

The unprivileged child process and privileged monitor process communicate via
a socketpair. Several different monitor request and answer types are defined
which can be used to exchange messages between the two processes. The complete
list can be found in the mon_dispatch_proto{15,20} and
mon_dispatch_postauth{15,20} structures defined in monitor.c.

Monitor requests have certain flags assigned which can restrict when and how
requests are accepted by the monitor. E.g. the flag MON_ONCE determines that
a request can only be sent once and is disabled after it was received for the
first time in the monitor. The MON_AUTH flag determines that a request is
related to the authentication process. The complete list of flags can be found
in the monitor.c file as well.

Not all defined requests are permitted in every state of the SSH protocol. In
order to control which requests are permitted, the functions monitor_permit()
and monitor_permit_authentications() are used. The function monitor_permit()
can be used to enable or disable a certain message while the function
monitor_permit_authentications() enables or disables all authentication
related messages which have the MON_AUTH flag set. When a request is received
by the monitor which is currently not allowed the monitor process terminates
by calling the fatal() function.

________________________________________________________________________________

III. PAM Authentication Bypass in Privilege Separation

When PAM support is enabled in the portable version of OpenSSH, a few additonal
monitor requests are enabled which can be found in the monitor.c file:

#ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif

Before any PAM-related monitor requests are sent, the unprivileged child process
sends the MONITOR_REQ_PWNAM request to verify that the username received from
the network represents a valid user. The monitor responds with the corresponding
passwd struct entry if the user exists and additionally caches the username
and passwd struct entry in the current monitor authentication context
(struct Authctxt *authctxt).

PAM authentication then starts with the unprivileged child process sending the
MONITOR_REQ_PAM_START request which tells the monitor to open a new
authentication transaction for the current user by calling the PAM API function
pam_start().

The next PAM-related monitor request sent by the child process is
MONITOR_REQ_PAM_INIT_CTX which initializes [2] the current PAM authentication
context in the monitor.

int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{

	debug3("%s", __func__);
	authctxt->user = buffer_get_string(m, NULL);			[1]
	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);		[2]
	sshpam_authok = NULL;
	buffer_clear(m);
[...]

Interestingly the child process sends the current username as part of this
request once again to the monitor and the monitor overwrites the previously
stored username in the monitor authentication context with the received
username [1].

During a normal PAM authentication the same username is sent, so this doesn't
represent a problem. However an attacker who already compromised the
unprivileged pre-auth child process could send a different username in this
case. This could lead to a situation where the username stored in the monitor
authentication context would not match the stored passwd struct entry.

The remaining PAM authentication only relies on the stored username. The user
which is actually logged in after a successful authentication is on the contrary
only identified by the stored passwd struct entry.

This allows an attacker who compromised the unprivileged child process to first
send any desired username (e.g. root) with the MONITOR_REQ_PWNAM request which
would store the corresponding passwd struct entry in the authentication context.
Subsequently he would send a different username for whom he's in posession of
the password and perform a valid PAM authentication with that user. Once the
authentication was successful, the attacker is not logged in with the user he
used for the authentication, but with the username he specified in the initial
MONITOR_REQ_PWNAM request.

________________________________________________________________________________

IV.  Use-After-Free in PAM Privilege Separation

The monitor requests for PAM authentication which can be send by the
unprivileged child process represent additional attack surface. But not only
implementation flaws in the handlers have to be considered. Also the order in
which requests are send could result in unexpected program states and thus lead
to interesting vulnerabilities.

One such vulnerability can be found in the handler for the
MONITOR_REQ_PAM_FREE_CTX request:

int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{

	debug3("%s", __func__);
	(sshpam_device.free_ctx)(sshpam_ctxt);				[3]
	buffer_clear(m);
	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	return (sshpam_authok == sshpam_ctxt);
}

At [3] the free_ctx function pointer of the KbdintDevice structure is called
which is set to sshpam_free_ctx(). That function can be found in auth-pam.c:

static void
sshpam_free_ctx(void *ctxtp)
{
	struct pam_ctxt *ctxt = ctxtp;

	debug3("PAM: %s entering", __func__);
	sshpam_thread_cleanup();
	free(ctxt);							[4]
	/*
	 * We don't call sshpam_cleanup() here because we may need the PAM
	 * handle at a later stage, e.g. when setting up a session.  It's
	 * still on the cleanup list, so pam_end() *will* be called before
	 * the server process terminates.
	 */
}

As can be seen this frees the current PAM context memory pointed to by the
passed sshpam_ctxt pointer [4]. The flag MON_ONCE is set for the
MONITOR_REQ_PAM_FREE_CTX monitor request which prevents a malicious child
process from calling it multiple times which would otherwise lead to an obvious
double free vulnerability.

However it is still possible for a compromised child process to first send the
MONITOR_REQ_PAM_FREE_CTX request which will free the PAM context and then use
any of the other PAM monitor requests which leads to a use-after-free condition.

The freed structure is defined in auth-pam.c as follows:

struct pam_ctxt {
	sp_pthread_t	 pam_thread;
	int		 pam_psock;
	int		 pam_csock;
	int		 pam_done;
};

As can be seen the structure does not contain any pointers or length fields
which would be ideal candidates for the exploitation of this use-after-free bug.
However it stores two other interesting values, which are the pam_psock and
pam_csock file descriptors. These file descriptors identify the receiving and
sending socket to the PAM authentication system respectively.

In order to exploit the use-after-free condition, you could try to replace the
freed memory in the monitor process with a fake structure which would have
pam_psocks and pam_csock being set to the file descriptors used for the
communication with the unprivileged child process.

This way the monitor would send all PAM authentication requests directly to the
unprivileged child process which could then impersonate the PAM subsystem and
e.g. allow authentication for any user without a password.

The problem which most probably prevents the described way of exploitation is
that only monitor requests which have the MON_AUTHDECIDE flag set are allowed
to make an authentication decision:

			if (!(ent->flags & MON_AUTHDECIDE))
				fatal("%s: unexpected authentication from %d",
				    __func__, ent->type);

For PAM only the MONITOR_REQ_PAM_FREE_CTX request has this flag set.
Additionally the request has the MON_ONCE flag set which means we can send it to
the monitor only a single time. Since we initially need to send this request to
trigger the freeing of the PAM context, followed by other monitor requests for
the actual authentication, we are running into the described MON_AUTHDECIDE
check which prevents a successful authentication.

We didn't find a way to successfully exploit this use-after-free condition for
anything interesting. But a creative mind might eventually find a useful
scenario.

________________________________________________________________________________

V.   Mitigation

Both vulnerabilities were fixed in OpenSSH 7.0 which should be installed to
resolve the issues.

________________________________________________________________________________

VI.  Disclosure Timeline

- 2015-08-10 Vulnerabilities reported to openssh@xxxxxxxxxxx
- 2015-08-11 OpenSSH 7.0 is released which fixes the issues

________________________________________________________________________________

Credit:
Bugs found by Moritz Jodeit of Blue Frost Security GmbH.
________________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research@xxxxxxxxxxxxxxxxxxxx for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In no
event shall Blue Frost Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Blue Frost Security has been advised of the
possibility of such damages.

Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply.