OpenSSH bug in decoding EXT_INFO extension values

"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Tue, 13 June 2017 04:33 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20311270A7 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Jun 2017 21:33:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.805
X-Spam-Level:
X-Spam-Status: No, score=0.805 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, STOX_REPLY_TYPE_WITHOUT_QUOTES=1.757, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (body has been altered)" header.d=denisbider.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5WtcSip5l3Dx for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 12 Jun 2017 21:33:21 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F259C1200F1 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 12 Jun 2017 21:33:17 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 4225084DE3; Tue, 13 Jun 2017 04:33:15 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id E6FDC84D7F; Tue, 13 Jun 2017 04:33:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id B870984D7F for <ietf-ssh@netbsd.org>; Tue, 13 Jun 2017 03:54:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=denisbider.com
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id r2QMavsp8AFc for <ietf-ssh@netbsd.org>; Tue, 13 Jun 2017 03:54:09 +0000 (UTC)
Received: from skroderider.denisbider.com (skroderider.denisbider.com [50.18.172.175]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 40A2B84CDD for <ietf-ssh@netbsd.org>; Tue, 13 Jun 2017 03:54:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=denisbider.com; s=mail; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding; bh=82b06YWIixWLA45b0FMs8hhWlV1mPFEXdjVWrmBn3C4=; b=tbrZC2x+dc6JGxBCE64WcnONNEosYwBQMVZe7353Y/ebJlAFurKEXhEWKwA1+LfrzjOHdrgSpUBy2 W6tr0mo65jccvjFjCR2jeEitGhyVh55Zow6IwGlZe3OBHa6XlSO5P+fnq18boCTwtfXQkQmbyPodHx lBqYMXNkZwz/XUfs+Juq0FEH66plkbOcEKnXBILD94CByA02bsH4XWpThcHHmcDDs8Da++YYYY5t25 2Qlu73K2TsBohavJQ8iydG4Ub7moB9qb3DxyhcxIXvqeoEOEM/Qzv1gKOIBHf3rPqYaPFNSyCzw+dO ow/oUYzpObS5PS5ymNELP/x1nds7T0g==
X-Footer: ZGVuaXNiaWRlci5jb20=
Received: from localhost ([127.0.0.1]) by skroderider.denisbider.com with ESMTPSA (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Tue, 13 Jun 2017 04:53:41 +0100
Message-ID: <FC64DEB4AC654FDFA7150BA5D0351CF8@Khan>
From: "denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com>
To: <ietf-ssh@netbsd.org>
Cc: "Markus Friedl" <mfriedl@gmail.com>, <djm@mindrot.org>
Subject: OpenSSH bug in decoding EXT_INFO extension values
Date: Mon, 12 Jun 2017 21:53:07 -0600
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="utf-8"; reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20ietf-ssh&body=unsubscribe%20ietf-ssh>

Bad news, everyone.

Again - there’s a bug in OpenSSH that’s now widely deployed, and will 
require workarounds to coexist with.

OpenSSH implements EXT_INFO. Excellent. Very nice. I'm grateful. Thank you.

But it does so incorrectly.

Suppose that a server sends the "delay-compression" extension to an OpenSSH 
client.

The client disconnects, without attempting to authenticate, as soon as it 
sees the extension's encoding.

It disconnects due to this choice of function in kex_input_ext_info:


if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) {
    free(name);
    return r;
}


This is an incorrect function to use for the extension value, because it 
contains the following logic:


/* Allow a \0 only at the end of the string */
if (len > 0 &&
    (z = memchr(p , '\0', len)) != NULL && z < p + len - 1) {
    SSHBUF_DBG(("SSH_ERR_INVALID_FORMAT"));
    return SSH_ERR_INVALID_FORMAT;
}


THIS IS NOT CORRECT LOGIC TO USE WHEN PROCESSING AN UNKNOWN EXTENSION VALUE, 
OF UNKNOWN FORMAT, WHERE THERE'S NO GUARANTEE IT WON'T CONTAIN ZEROS!

The value for the “delay-compression” extension, in particular, contains 
zeros.

The whole extension is defined as follows:


string         "delay-compression"
string:
  name-list    compression_algorithms_client_to_server
  name-list    compression_algorithms_server_to_client


Obviously, the lengths of both name-lists will have zeros, which will appear 
right at the start of the value.

So we implement an extension mechanism - and once again, it cannot be used 
with OpenSSH, because it deploys a fundamentally botched implementation.

Remember - the reason this "delay-compression" extension exists IN THE FIRST 
PLACE is that OpenSSH botched its delayed compression; designing it with a 
built-in, unescapable race condition.

God dammit, guys. God dammit.

What should I do with this?

Not send "delay-compression" to OpenSSH versions up to 7.5?

Or not send it to ANY OpenSSH version?

denis