SSH is a widely used client-server application for authentication and encryption of network communications. In 1998 Ariel Futoransky and Emiliano Kargieman discovered a design flaw in the SSH1 protocol (protocol 1.5) that could lead an attacker to inject malicious packets into an SSH encrypted stream that would allow execution of arbitrary commands on either client or server.
The problem was not fixable without breaking the protocol 1.5 semantics and thus a patch was devised that would detect an attack that exploited the vulnerability found. The attack detection is done in the file deattack.c from the SSH1 source distribution.
A vulnerability was found in the attack detection code that could lead to the execution of arbitrary code in SSH servers and clients that incorporated the patch.
The information has been provided by Michal Zalewski of the Bindview RAZOR Team.
This problem affects both SSH servers and clients.
All versions of SSH supporting the protocol 1 (1.5) that use the CRC compensation attack detector are vulnerable. See below for vendor specific information.
OpenSSH versions prior to 2.3.0 are vulnerable.
OpenSSH versions 2.3.0 and above are not vulnerable, source changes in deattack.c that fix this problem were incorporated into the source tree on October 31st, 2000.
ssh-1.2.24 up to , and including, ssh-1.2.31 are vulnerable.
Versions prior to 1.2.24 did not include the CRC compensation attack detector. The official response from SSH.com follows:
- SSH-2.x is not vulnerable
- SSH1 is deprecated, and not supported, upgrade to SSH2
- Nonetheless the proposed patch has been applied to the ssh-1.2.x source tree, future releases of ssh-1.2.x will have the bug closed.
Versions prior to F-Secure SSH-1.3.11-2 are vulnerable.
This vulnerability was fixed in F-Secure SSH1 1.3.11-2 released 9th Feb 2001.
The default configuration of the AppGate server is not vulnerable since it has SSH-1 support disabled. However, customers who need ssh1-support can contact email@example.com to get patches.
The MindTerm client does not have this vulnerability.
All versions that incorporated the attack detector are not vulnerable.
Not vulnerable. LSH does not support SSH protocol 1.
--------------------- end deattack patch -------------------
Most SSH distributions incorporated the file deattack.c released by CORE SDI in 1998. The file implements an algorithm to detect attempts to exploit the CRC-32 compensation attack by passing the ssh packets received from the network to the detect_attack() function in deattack.c
Detects a crc32 compensation attack on a packet
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
static word16 *h = (word16 *) NULL;
(*) static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
Buf is the ssh packet received, len is the length of that packet The received packet is comprised of several blocks of ciphertext of size SSH_BLOCKSIZE and each of them is checked against the others to verify that different packets don't have the same CRC value, such behavior is symptom of an attack. The detection is done using a hash table that is dynamically allocated based on the size of the received packet.
for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2);
if (h == NULL)
debug("Installing crc compensation attack detector.");
n = l;
h = (word16 *) xmalloc(n * sizeof(word16));
Due to the improper declaration of 'n' above (it should be a word32) by sending crafted large ssh packets (length > 2^16) it is possible to make the vulnerable code perform a call to xmalloc() with an argument of 0, which will return a pointer into the program's address space.
It is worth mentioning that existing standards promote two possible behaviors for malloc() when it is called with an argument of 0:
- Failure, returning NULL
- Success, returning a valid address pointing at a zero-sized object.
Most modern systems implement the later behavior and are thus vulnerable. Systems that have the older behavior will abort the connection due to checks within xmalloc()
It is then possible to abuse the following code to in order write to arbitrary memory locations in the program (ssh server or client) address space, thus allowing an attacker to execute arbitrary code on the vulnerable machine, see lines marked with (*):
for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++)
(*) for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1))
if (h[i] == HASH_IV)
if (!CMP(c, IV))
if (check_crc(c, buf, len, IV))
} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE))
if (check_crc(c, buf, len, IV))
(*) h[i] = j;
A would-be attacker does not need to authenticate to the SSH server first or to have the packets encrypted in a meaningful way to perform the attack. Even if that was the case, the session key used for encrypting is chosen by the ssh client and it is therefore trivial to implement an exploit (in the sense of the cryptography knowledge required to do it). However, a small degree of knowledge in exploit code development would be needed to implement a working exploit.
To reproduce this condition, run your sshd server on localhost under gdb with '-d' switch (to avoid forking). Then try (using OpenSSH client - ssh.com client software crops the login name):