source: trunk/third/ssh/README.DEATTACK @ 11647

Revision 11647, 4.4 KB checked in by ghudson, 26 years ago (diff)
Add code from a CORE SDI advisory to prevent connection hijacking.
Line 
1============================================================================
2
3                              CORE SDI S.A.
4                         Buenos Aires, Argentina
5                          <http://www.core-sdi.com>
6 
7 
8                     SSH insertion attack detection
9============================================================================
10
11
12Crc32 Compensation attack detector
13~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14This document describes the scope and characteristics of SSH crc32
15compensation attack detector engine. It will inspect an encrypted SSH protocol
161.5 stream for suspicious patterns. If either the server or client is under
17attack, the detector closes the conection and logs the attack.
18 
19
20Attack characteristics
21~~~~~~~~~~~~~~~~~~~~~~
22An attacker, with sniffing and spoofing capabilities on the SSH network stream, may perform an active network attack by constructing a packet using a
23known cipher/plaintext pair and computing addditional data to fill the packet
24in a way that will produce a valid CRC-32 field and pass as a valid packet when
25decryped and integrity checked on the server side.
26 If the attack succeeds, arbitrary commands will get executed on the server.
27
28  This attack doesnt affect the confidential security characteristics of the
29products using this protocols. However, integrity and authentication
30of packets can no longer be trusted.
31
32Solution
33~~~~~~~~
34  This is not an implementation bug, but a protocol design vulnerability. The
35protocol must be updated to use cryptographic strong message authentication
36codes. SSH Protocol version 2 as published in [1] includes the use of a real
37strong MAC.
38  However, this will require to update all clients and servers simultaneusly
39while disabling compatibility with protocol version 1.5. On many installations
40this is not practical.
41
42  A mid-term solution exists, that will help protecting the server from the
43auth/integrity vulnerabilities.  On most scenarios it will be enough to upgrade
44only the servers.
45
46  This approach is based on the fact that an attacker will need to exploit some
47of the linear characteristics of the integrity function in order to implement
48the attack. In that context, the constructed packets will follow certain
49patterns that could be detected on the encrypted stream.
50
51  This is not a general solution, but a countermeasure against a model of all
52of the possible attacks that exploits this vulnerabilities.
53
54  The provided patch looks for patterns of repeated ciphered blocks in
55each SSH packet received, the performance loss in speed is less 2% in an
56uncompressed stream compared to an unpatched server. Memory usage increases
57in about 8k per conection.
58  The chances of reporting a false attack in a 32GB file transfer is around
591 in 2**51.
60
61Contact information
62~~~~~~~~~~~~~~~~~~~
63
64   These vulnerabilities were discovered by Ariel Futoransky
65   and Emiliano Kargieman.
66 
67   Comments and questions regarding this vulnerability and the fix
68   should be sent to:
69 
70       Ariel Futoransky <futo@core-sdi.com>
71       Emiliano Kargieman <ek@core-sdi.com>
72 
73  For more information about CORE SDI S.A.  contact <core@core-sdi.com>
74  or visit <http://www.core-sdi.com>
75
76  For more information about this problem and related ones visit:
77
78   <http://www.core-sdi.com/ssh>
79                       
80  You can contact CORE SDI S.A. at <corelabs@core-sdi.com> using the
81  the following PGP key:
82
83-----BEGIN PGP PUBLIC KEY BLOCK-----
84Version: 2.6.3ia
85Comment: Requires PGP version 2.6 or later.
86 
87mQCNAzVgfMgAAAEEAJSfJNdvCwIAc4AK0ckeimubLIwzsRVDRhjPQIOYt/7kxxio
88DZybr53fwMEjyT8cHXRL08i0R9rcuFeCNAez6XcalbhqUKXDcLL/cZK80CCDSCs5
89tRCZGGOEBnXQIoyvbvi4gNYhBS5wUvmh3b/mvRFTvhmRrUy9m/nO/LnPTgz1AAUR
90tCBDT1JFTEFCUyA8Y29yZWxhYnNAY29yZS1zZGkuY29tPokAlQMFEDVgfMn5zvy5
91z04M9QEBC6ED/0Szt3f54JTvkZG3ezQ8G60HvAw4/A5Ti6i3oze6jsXxzGp6pA1x
92i0jaZpKaUSpo0MLc7BcijMKneuUHnN3XtN5YxtFt0aEoot1MIvv4BsdeUb3x257G
933+vr8SxGk44Vm4tfuN8F/2dNo/00yYP9rd3zQ8Tl+gmr5VxnLViZIDuh
94=ulRg
95-----END PGP PUBLIC KEY BLOCK-----
96
97Copyright
98~~~~~~~~~
99
100This file, deattack.c and deattack.h  are copyright (c) 1998
101CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
102and should be redistributed or modified for non-commercial purposes only
103provided that this copyright notice is retained.
104
105THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES
106ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
107INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
108FROM THE USE OR MISUSE OF THIS SOFTWARE.
109
Note: See TracBrowser for help on using the repository browser.