2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor explains how to analyze the libssh2 integer overflow vulnerability CVE-2019-17498. The article is detailed and approaches the topic from a professional point of view; I hope you get something out of it.
Severity and mitigation plan
This is not an OpenSSH vulnerability, so it does not affect the ssh client. libssh2 is a client-side C library that helps applications establish connections to SSH servers. It is also not a libssh vulnerability: libssh is a separate code base whose functionality is similar to libssh2's.
The vulnerability exists in libssh2 v1.9.0 and earlier. It has been fixed on the master branch of libssh2, but at the time of writing no official release containing the fix had been published.
The vulnerability is an out-of-bounds read and could lead to denial of service or remote information disclosure in the affected application. It can be triggered when libssh2 is used to connect to a malicious SSH server: the overflow occurs when the server sends a disconnect message (SSH_MSG_DISCONNECT). That means the vulnerability can be triggered at the very beginning of the connection, before authentication has completed.
Trigger vulnerability
The vulnerability is at packet.c:480:

    if(message_len < datalen-13) {

datalen is an untrusted value controlled by the remote SSH server. If datalen == 11, the subtraction wraps around (datalen is unsigned), and the bounds check on message_len no longer rejects anything. message_len is an unsigned 32-bit integer that is also controlled by the remote server, so line 485 performs an out-of-bounds read:

    language_len = _libssh2_ntohu32(data + 9 + message_len);

An out-of-bounds read usually results in a segmentation fault, but the problem described here may also reach the LIBSSH2_DISCONNECT call at line 499 with the attacker-controlled lengths:

    if(session->ssh_msg_disconnect) {
        LIBSSH2_DISCONNECT(session, reason, message, message_len, language, language_len);
    }
Whether that matters depends on how the libssh2 library is used: session->ssh_msg_disconnect is a callback that defaults to NULL, but applications can set their own by calling libssh2_session_callback_set.
I wrote a PoC for this vulnerability: [click to get]. It impersonates a malicious SSH server that returns a disconnect message with datalen == 11 and message_len == 0x41414141, which causes libssh2 to hit a segmentation fault and crash.
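As an added example (not part of the original article and not libssh2's own code), the following C program models the SSH_MSG_DISCONNECT layout from RFC 4253 and puts the two checks side by side: the pre-fix comparison with its unsigned wraparound, and a hardened parser that checks every length against the bytes that actually remain. The payload bytes are constructed here to match the PoC's description (datalen == 11, message_len == 0x41414141); rd_u32 stands in for _libssh2_ntohu32; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an SSH_MSG_DISCONNECT payload (RFC 4253, section 11.1):
 *   byte   SSH_MSG_DISCONNECT (message number 1)
 *   uint32 reason code
 *   string description   (uint32 length + bytes)
 *   string language tag  (uint32 length + bytes)
 */
struct disconnect_msg {
    uint32_t reason;
    const unsigned char *message;
    uint32_t message_len;
    const unsigned char *language;
    uint32_t language_len;
};

/* Big-endian 32-bit read; does the same job as libssh2's _libssh2_ntohu32. */
static uint32_t rd_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The pre-fix check, same shape as packet.c:480. datalen is size_t, so for
 * datalen < 13 the subtraction wraps to a huge value and any message_len
 * passes. Returns 1 when the check would let the parser go on to read
 * data + 9 + message_len, i.e. when the bug makes the message "look safe". */
int vulnerable_check_passes(uint32_t message_len, size_t datalen) {
    return message_len < datalen - 13;
}

/* Hardened parser: each length is compared against the remaining byte count,
 * and nothing is ever subtracted from a value that could be smaller than the
 * subtrahend. Returns 0 on success, -1 on a truncated or malformed message. */
int parse_disconnect_safe(const unsigned char *data, size_t datalen,
                          struct disconnect_msg *out) {
    size_t off;
    if (datalen < 1 || data[0] != 1 /* SSH_MSG_DISCONNECT */) return -1;
    off = 1;
    if (datalen - off < 4) return -1;
    out->reason = rd_u32(data + off); off += 4;
    if (datalen - off < 4) return -1;
    out->message_len = rd_u32(data + off); off += 4;
    if (out->message_len > datalen - off) return -1;   /* off <= datalen here, no wrap */
    out->message = data + off; off += out->message_len;
    if (datalen - off < 4) return -1;
    out->language_len = rd_u32(data + off); off += 4;
    if (out->language_len > datalen - off) return -1;
    out->language = data + off;
    return 0;
}

/* Constructed payload modelled on the PoC description: 11 bytes in total,
 * message_len = 0x41414141. Reason code 11 is SSH_DISCONNECT_BY_APPLICATION. */
static const unsigned char poc_payload[11] = {
    0x01,                    /* SSH_MSG_DISCONNECT */
    0x00, 0x00, 0x00, 0x0b,  /* reason code */
    0x41, 0x41, 0x41, 0x41,  /* message_len = 0x41414141 */
    0x00, 0x00               /* padding so that datalen == 11 */
};

/* Constructed well-formed message for comparison: description "bye", language "en". */
static const unsigned char good_payload[] = {
    0x01,
    0x00, 0x00, 0x00, 0x0b,
    0x00, 0x00, 0x00, 0x03, 'b', 'y', 'e',
    0x00, 0x00, 0x00, 0x02, 'e', 'n'
};

/* Scratch output shared by main() and any external checks. */
struct disconnect_msg g_msg;

int main(void) {
    int rc;
    printf("pre-fix check, datalen=11, message_len=0x41414141: %s\n",
           vulnerable_check_passes(0x41414141u, sizeof poc_payload) ? "passes (bug)" : "rejects");
    rc = parse_disconnect_safe(poc_payload, sizeof poc_payload, &g_msg);
    printf("hardened parser on PoC payload: %d\n", rc);
    rc = parse_disconnect_safe(good_payload, sizeof good_payload, &g_msg);
    printf("hardened parser on good payload: %d, message_len=%u, language_len=%u\n",
           rc, (unsigned)g_msg.message_len, (unsigned)g_msg.language_len);
    return 0;
}
```

With the PoC-shaped payload the pre-fix comparison accepts message_len 0x41414141 because 11 - 13 wraps to SIZE_MAX - 1, whereas the hardened parser rejects the message as soon as the description length exceeds the two bytes that remain. Comparing "length > remaining" instead of "length < total - header" is the general pattern: the remaining count is computed from an offset that is always at most datalen, so it cannot wrap.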
Analysis of libssh2 integer overflow variants
When I report a security vulnerability to a vendor, I usually include two things in the report:
1. Vulnerability exploitation code PoC
2. QL query to identify all code locations that I think need to be fixed
Including a QL query alongside the PoC has the following benefits:
1. If the code contains several similar vulnerabilities, a query can enumerate all of them.
2. The QL query lets me quickly check whether the vulnerability has actually been fixed.
3. The QL query results can be shared as a single URL, which is convenient for follow-up analysis.
Creating a PoC usually takes a lot of work, so if a target has several very similar vulnerabilities I usually write a PoC for just one of them: one PoC is enough to demonstrate the impact. The purpose of the query is not to find every integer overflow in libssh2; its main purpose is to find the vulnerability triggered by the PoC together with its close variants.
The Semmle QL query is as follows:

    /**
     * @kind path-problem
     */
    import cpp
    import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
    import semmle.code.cpp.dataflow.TaintTracking
    import DataFlow::PathGraph

    class Config extends DataFlow::Configuration {
      Config() { this = "_libssh2_ntohl bounds check overflow" }

      override predicate isSource(DataFlow::Node source) {
        source.asExpr().(FunctionCall).getTarget().getName().matches("_libssh2_ntoh%")
      }

      override predicate isSink(DataFlow::Node sink) {
        convertedExprMightOverflowNegatively(sink.asExpr()) and
        exists(RelationalOperation cmp | cmp.getAnOperand() = sink.asExpr())
      }

      override predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
        exists(Field f |
          source.asExpr() = f.getAnAssignedValue() and target.asExpr() = f.getAnAccess()
        )
        or
        target.asExpr().(AddExpr).getAnOperand() = source.asExpr()
        or
        target.asExpr().(SubExpr).getAnOperand() = source.asExpr()
      }
    }

    from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
    where cfg.hasFlowPath(source, sink)
    select sink, source, sink, "possible integer overflow of tainted expression in bounds check"

isSource selects calls to _libssh2_ntohu32 and _libssh2_ntohu64, which convert network byte order to host byte order; such functions are generally a good way to find "attacker-controlled data". isSink selects comparison expressions that contain a sub-expression which may overflow negatively. For example, message_len < datalen-13 is a comparison, and datalen-13 may overflow. The query also overrides isAdditionalFlowStep to extend the data-flow steps: it follows values stored into a struct field to later reads of that field, and through addition and subtraction expressions.
That is how the libssh2 integer overflow vulnerability CVE-2019-17498 can be analyzed. If you have similar questions, the analysis above may help you understand them. If you want to know more, you are welcome to follow the industry information channel.