From the reading, the "hack" is pretty embarrassing. The server->client message that announces you're authenticated is instead sent client->server and the server just sets its mode to that. Abracadabra, you're logged in!
The fix implements a basic state machine to ensure protocol state transitions are sane. Prior to this, attacker-supplied data was used in calculating the offset inside an array of callbacks. So you could just tell the server to call into the “auth success” handler.
>> developers should be liable for the damage caused by their negligent code
To be fair, at this point I would rather see developers not writing code; rather than writing buggy one.
I had a friend on FB who's just completed a security course and wrote a password generator in Go. The random was seeded from a current date in nanoseconds. The issue is that while no one will probably ever reverse his passwords, but the guy open-sourced his script. How many people will be influenced by that piece of code?
Lawyers have that: if you can't be liable - you're not a lawyer. GTFO.
libssh is used because openssh isn't suited to be used as a library. So it's one of the most popular ways to automate the most popular remote shell protocol.
It's not really niche - I'd say it's an average popularity library and likely used by a bunch of internal projects.
While the brain cells of the C programmers are busy handling errors, managing memory, and avoiding buffer overflow, they forget about sound software engineering rules and proper design. While the code of libssh looks cleaner than eg. FreeBSD, there are still quite a number of functions that are bigger than a screen height.
I don't see how different language would protect you from this kind of vulnerability. Array of callbacks looks identical everywhere. Rust or Java would protect from out-of-bounds memory access (and that is a very good thing in that case), but this particular bug would be present.
You're assuming there would even be an array of callbacks if the code had been written in a different language, rather than the other language offering some nicer abstraction that eliminated the array. Having not seen the code, I can't be sure of this, but I know that, for instance, I rarely need to write array index arithmetic in the languages I usually work with (Python, JavaScript) whereas on the occasions I've dabbled with C such arithmetic came up constantly. If I introduced a nasty bug in some C code due to an array arithmetic error, arguing "Python wouldn't be any better because it doesn't do anything to make manually writing array index manipulations easier" would be missing the point.
A perfect example of why "use safe languages! C is the root of all RCE!" makes me immediately weary of a developer. Had the original poster been the author of such a library, he wouldn't have been motivated to spent much or any time investigating his implementation because he used a safe language.
Same issue and might even explain it better: They took the client-side implementation and effective state machine, flipped it around, and called it good.
And that's why you should use a thoroughly tested implementation instead of implementing a bug-ridden ad-hoc square wheel.
"Whoopsies, I forgot to ban some state transitions" won't happen if all you're writing is a state machine spec, and not a state machine spec and its ad-hoc implementation.
Don't roll your own crypto? Extend it to "don't roll your own low-level constructs".
> they forget about sound software engineering rules and proper design. While the code of libssh looks cleaner than eg. FreeBSD, there are still quite a number of functions that are bigger than a screen height.
You seem to be a very smart guy; will making my font smaller so my functions are shorter improve my code?
What makes this a bit more understandable is: almost nothing uses libssh server functionality. So most development was only focused on client functionality.
(The only notable exception, github.com backends, were not using the auth logic code in question, so again just not used and not given attention...)
Having implemented security protocols and used state machines to track state, this is a surprisingly easy (if embarrassing) mistake to make. It’s very easy to spend a lot of energy validating the documented state transitions and essentially forget to ban all other transitions.
For me this is much less “OMG how could they be so careless” and much more “There but for the grace of a diligent set of testers go I”
I guess you could say that about absolutely any bug though? This isn’t particularly underhanded, and it’s more of a broad design flaw than a subtle change. If you wanted a “backdoor” you could absolutely do 10x better than this.
How could you do 10x better? Because it's a broad design flaw there is no suspicious LOC or suspiciously overcomplicated code needed to hide the backdoor. You have to understand the whole context to notice the bug.
But it’s still there in plain sight. I’d hazard a guess that this may be the first time a solid code reviewer looked at the code, and spotted it straight away*
If you wanted 10x better, you could throw in some code that exhibits undefined (but known on major compilers) behavior, or super subtle C issues. Even a simple if statement in C forces all kinds of wonderful promotions and type conversions which can truncate, wrap, and drastically change values in ways that even most C developers aren’t aware.
I encourage folks to go check out the “underhanded C contest” before suggesting that this bug is a backdoor.
*The person who found this, Peter, is indeed insanely good.
Make sure the PRNG does not source enough entropy thus dramatically weakening all session keys to a crackable level.
Or do like WEP and recycle your one time pads. Lots of subtle design flaws one can introduce that generally get spotted in blackbox testing, and not in code.
Sure, you can wonder, but when I break it down, it’s either highly unlikely or highly clumsy.
If I were to put a backdoor into this code, I’d want the following properties:
- tricky to spot in code review
- virtually undiscoverable via current best-of-breed fuzzing
- tricky to spot in network captures or any type of IDS
This bug passes #2 (unless you’ve got a state-aware network fuzzer and panic() in the right places), but fails on the other two.
But who knows, maybe this was a low-investment effort and it paid off for some time, with a trivial-to-exploit (IE no mem corruption) bug they knew would eventually be retired?
This is all of the packages that depend on libssh in Debian Testing, doesn't seem to be very problematic, I've only heard of one thing on this list, and that doesn't use the server code anyways.
Those are almost certainly all using the client functionality. I'm not sure what uses libssh as an ssh server. (Edit: it may be that there is no open source code in existence anywhere which uses libssh in this way, except maybe some sample code. See https://twitter.com/cryptomilk/status/1052286350379114496 )
For some reason that site doesn't seem to list all possibly reverse dependencies of libssh.
According to the brew uses command the possible dependents are ffmpeg, ffmpeg@2.8, hydra, sshtrix, tmate, wireshark, and yafc. I say possible because some of those can optionally depend upon libssh, but the user has to opt-in to building with libssh support.
Most embedded devices which have ssh server functionality use Dropbear. You'll have to look really hard to find anything which uses this "libssh" server functionality (which, again, is _not openssh_).
Is this a code error or a protocol error? If a protocol relies on a message from the client side to allow access, it's a protocol error!
It's unlikely that ssh - a protocol that powers large swaths of software, has such an error, but always good to hear from the experts that this is indeed a coding error.
It's an incorrect implementation of the protocol, yes. That message should only be sent from the server to the client, and the server should not take any action (besides dropping the connection) when it's received.
