Saturday, May 9, 2020

Analysis of CVE-2020-1730 : DoS in libssh

CVE-2020-1730: libssh - denial of service when handling AES-CTR (or DES) ciphers

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. Recently a security advisory was released for "Denial of service vulnerability" in libssh.


Important information from advisory -  
  1. Possible DoS in client and server when handling AES-CTR keys with OpenSSL
  2. Connection hasn't been fully initialized
  3. Issue arises in cleanup of ciphers when closing the connection
The typical libssh session looks like following diagram. This diagram is created for high level overview of process, so it may not be exactly precise. 

Let's go through each point mentioned in advisory - 

1. Affected when handling AES-CTR keys with OpenSSL
The AES-CTR cipher related information is defined in libcrypto.c. The exploitation is possible when OPENSSL AES support is enabled and OpenSSL EVP interface is not supported. 

For this analysis I used aes128-ctr mode and a connection from client-to-server. 

libcrypto.c
    704 #else /* HAVE_OPENSSL_EVP_AES_CTR */
    705   {
    706     .name = "aes128-ctr",
    707     .blocksize = 16,
    708     .ciphertype = SSH_AES128_CTR,
    709     .keysize = 128,
    710     .set_encrypt_key = aes_ctr_set_key,
    711     .set_decrypt_key = aes_ctr_set_key,
    712     .encrypt = aes_ctr_encrypt,
    713     .decrypt = aes_ctr_encrypt,
    714     .cleanup = aes_ctr_cleanup
    715   },

2. Connection hasn't been fully initialized
To trigger this issue, another condition is that connection should not be fully initialized. The typical SSH connection session looks like -


To trigger this condition, connection needs to be disconnected in between session key exchange so that it's not fully initialized. The session key exchange is handled by ssh_handle_key_exchange().This function internally calls multiple interesting functions.
ssh_handle_key_exchange -> ssh_handle_packets_termination -> ssh_handle_packets -> ssh_timeout_elapsed
server.c
    630 int ssh_handle_key_exchange(ssh_session session) {
    631     int rc;
    632     if (session->session_state != SSH_SESSION_STATE_NONE)
    633       goto pending;
    634     rc = ssh_send_banner(session, 1);
    635     if (rc < 0) {
    636         return SSH_ERROR;
    637     }
    638 
    639     session->alive = 1;
    640 
    641     session->ssh_connection_callback = ssh_server_connection_callback;
    642     session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED;
    643     ssh_socket_set_callbacks(session->socket,&session->socket_callbacks);
    644     session->socket_callbacks.data=callback_receive_banner;
    645     session->socket_callbacks.exception=ssh_socket_exception_callback;
    646     session->socket_callbacks.userdata=session;
    647 
    648     rc = server_set_kex(session);
    649     if (rc < 0) {
    650         return SSH_ERROR;
    651     }
    652     pending:
    653     rc = ssh_handle_packets_termination(session, SSH_TIMEOUT_USER,
    654         ssh_server_kex_termination,session);
    655     SSH_LOG(SSH_LOG_PACKET, "ssh_handle_key_exchange: current state : %d",
    656         session->session_state);
    657     if (rc != SSH_OK)
    658       return rc;
    659     if (session->session_state == SSH_SESSION_STATE_ERROR ||
    660         session->session_state == SSH_SESSION_STATE_DISCONNECTED) {
    661       return SSH_ERROR;
    662     }
    663 
    664   return SSH_OK;
    665 }
The ssh_handle_packets_termination() keeps polling the current session for an event and call the appropriate callbacks.

session.c
    635 /**
    636  * @internal
    637  *
    638  * @brief Poll the current session for an event and call the appropriate
    639  * callbacks.
    640  *
    641  * This will block until termination function returns true, or timeout expired.
    642  *
    643  * @param[in] session   The session handle to use.
    644  *
    645  * @param[in] timeout   Set an upper limit on the time for which this function
    646  *                      will block, in milliseconds. Specifying SSH_TIMEOUT_INFINITE
    647  *                      (-1) means an infinite timeout.
    648  *                      Specifying SSH_TIMEOUT_USER means to use the timeout
    649  *                      specified in options. 0 means poll will return immediately.
    650  *                      SSH_TIMEOUT_DEFAULT uses blocking parameters of the session.
    651  *                      This parameter is passed to the poll() function.
    652  *
    653  * @param[in] fct       Termination function to be used to determine if it is
    654  *                      possible to stop polling.
    655  * @param[in] user      User parameter to be passed to fct termination function.
    656  * @return              SSH_OK on success, SSH_ERROR otherwise.
    657  */
    658 int ssh_handle_packets_termination(ssh_session session,
    659                                    int timeout,
    660                                    ssh_termination_function fct,
    661                                    void *user)
    662 {

3. Cleanup cipher information
During session, if connection ended abruptly, the termination function fct(user) = -2 is returned and polling is stopped.

session.c
    ......

    688     while(!fct(user)) {
    689         ret = ssh_handle_packets(session, tm);
    690         if (ret == SSH_ERROR) {
    691             break;
    692         }
    693         if (ssh_timeout_elapsed(&ts,timeout)) {
    694             ret = fct(user) ? SSH_OK : SSH_AGAIN;      <-- SSH_AGAIN = -2
    695             break;
    696         }
    697 
    698         tm = ssh_timeout_update(&ts, timeout);
    699     }
    700 
    701     return ret;
    702 }

Then function ssh_handle_key_exchange() returns without a success. 
     ssh_handle_key_exchange(session) != SSH_OK
When connection is closed abruptly and key exchange is failed, application kills the session by calling ssh_disconnect(session).

client.c
    652 /**
    653  * @brief Disconnect from a session (client or server).
    654  * The session can then be reused to open a new session.
    655  *
    656  * @param[in]  session  The SSH session to use.
    657  */
    658 void ssh_disconnect(ssh_session session) {
    659   struct ssh_iterator *it;
    660   int rc;

    .........   

    699   if (session->next_crypto) {
    700     crypto_free(session->next_crypto);
    701     session->next_crypto = crypto_new();
    702     if (session->next_crypto == NULL) {
    703       ssh_set_error_oom(session);
    704     }
    705   }
As the name suggests, function cyrpto_free() starts cleaning of cryptographic parameters used in session.

wrapper.c
    146 void crypto_free(struct ssh_crypto_struct *crypto)
    147 {
    148     size_t i;
    149 
    150     if (crypto == NULL) {               <-- # we need to initiate KX to satisfy this
    151         return;
    152     }
    153 
    154     ssh_key_free(crypto->server_pubkey);
    155 
    156     cipher_free(crypto->in_cipher);      <-- #cryptographic information from other party
    157     cipher_free(crypto->out_cipher);
    
crypto->in_cipher contains ciphers information received from another party during key exchange. When the connection is closed without successful key exchange, in crypto->in_cipher some cryptographic material remains uninitialized. 

wrapper.c
    130 static void cipher_free(struct ssh_cipher_struct *cipher) {
    131   ssh_cipher_clear(cipher);
    132   SAFE_FREE(cipher);
    133 }
The cleanup function is called on this uninitialized cipher information.
    (gdb) print session->next_crypto
    $8 = (struct ssh_crypto_struct *) 0x40a120
    
    150     if (crypto == NULL) {
    (gdb) print crypto
    $9 = (struct ssh_crypto_struct *) 0x40a120
    
    156     cipher_free(crypto->in_cipher);
    (gdb) print crypto->in_cipher
    $10 = (struct ssh_cipher_struct *) 0x411870
    
    131   ssh_cipher_clear(cipher);
    (gdb) print cipher
    $13 = (struct ssh_cipher_struct *) 0x411870
    (gdb) print cipher->aes_key
    $14 = (struct ssh_aes_key_schedule *) 0x0
    
    125     if (cipher->cleanup != NULL) {
    (gdb) print cipher->cleanup
    $15 = (void (*)(struct ssh_cipher_struct *)) 0xb7f8c07f <aes_ctr_cleanup>
    (gdb) print cipher->aes_key
    $16 = (struct ssh_aes_key_schedule *) 0x0
    

wrapper.c
    107 void ssh_cipher_clear(struct ssh_cipher_struct *cipher){
  ......
    125     if (cipher->cleanup != NULL) {
    126         cipher->cleanup(cipher);
    127     }
    128 }

The cleanup function which is defined with specific cipher i.e. aes128-ctr is called.

libcrypto.c
    704 #else /* HAVE_OPENSSL_EVP_AES_CTR */
    705   {
    706     .name = "aes128-ctr",
    ....
    714     .cleanup = aes_ctr_cleanup
    715   },

The cryptographic material used for the session contains sensitive information. To clean this sensitive information explicit_bzero() function is called. This function guarantees that compiler optimizations will not remove the erase operation if the compiler deduces that the operation is "unnecessary". 

libcrypto.c
    643 static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){
    644     explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
    645     SAFE_FREE(cipher->aes_key);
    646 }

#include <string.h>
     void
     explicit_bzero(void *b, size_t len);

     The explicit_bzero() variant behaves the same, but will not be removed by
     a compiler's dead store optimization pass, making it useful for clearing
     sensitive memory such as a password.

    433 /* Set N bytes of S to 0.  The compiler will not delete a call to this
    434    function, even if S is dead after the call.  */
    435 extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1));
It is assumed that the block which is going to be cleaned i.e. void*__s is not a null pointer. In our scenario exactly the same case triggers, the connection is not fully initialized, so value of cipher->aes_key is null pointer. 
    126         cipher->cleanup(cipher);
    (gdb) x/10xw cipher->aes_key
    0x0: Cannot access memory at address 0x0
When explicit_bzero() function tries to clean the "cipher->aes_key" information, the result is "segmentation fault" error:
    aes_ctr_cleanup (cipher=0x411870) at /home/developer/code-review/libssh-0.8.8/src/libcrypto.c:644
    644     explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));

    Program received signal SIGSEGV, Segmentation fault.
    __memset_ia32 () at ../sysdeps/i386/i686/memset.S:77
    77 in ../sysdeps/i386/i686/memset.S


Test environment: 
    OS: Debian GNU/Linux 10 (buster)
    Server: examples/ssh_server_fork.c  , removed fork() for this analysis. 
    Server-logs:

    [2020/05/05 16:32:41.639034, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=false
    [2020/05/05 16:32:41.639321, 2] ssh_pki_openssh_import:  Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1

    [2020/05/05 16:32:41.639674, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=false
    [2020/05/05 16:32:41.639929, 2] ssh_pki_openssh_import:  Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1
    [2020/05/05 16:32:41.640235, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=false
    [2020/05/05 16:32:41.640570, 2] ssh_pki_openssh_import:  Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1

    [2020/05/05 16:33:44.119994, 3] ssh_socket_pollcallback:  Received POLLOUT in connecting state
    [2020/05/05 16:33:44.120028, 3] callback_receive_banner:  Received banner: SSH-2.0-libssh_0.8.8
    [2020/05/05 16:33:44.120035, 1] ssh_server_connection_callback:  SSH client banner: SSH-2.0-libssh_0.8.8
    [2020/05/05 16:33:44.120040, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-libssh_0.8.8
    [2020/05/05 16:33:44.120060, 3] packet_send2:  packet: wrote [len=708,padding=6,comp=701,payload=701]
    [2020/05/05 16:33:44.120080, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
    [2020/05/05 16:33:45.968933, 3] ssh_packet_socket_callback:  packet: read type 20 [len=588,padding=4,comp=583,payload=583]
    [2020/05/05 16:33:45.968954, 3] ssh_packet_process:  Dispatching handler for packet type 20
    [2020/05/05 16:33:45.968974, 3] ssh_packet_kexinit:  The client supports extension negotiation. Enabled signature algorithms:  SHA512
    [2020/05/05 16:33:45.968993, 2] ssh_kex_select_methods:  Negotiated curve25519-sha256,ecdsa-sha2-nistp256,aes128-ctr,aes256-ctr,hmac-sha2-256,hmac-sha2-256,none,none,,
    [2020/05/05 16:33:45.968999, 3] crypt_set_algorithms_server:  Set output algorithm aes256-ctr
    [2020/05/05 16:33:45.969004, 3] crypt_set_algorithms_server:  Set HMAC output algorithm to hmac-sha2-256
    [2020/05/05 16:33:45.969008, 3] crypt_set_algorithms_server:  Set input algorithm aes128-ctr
    [2020/05/05 16:33:45.969013, 3] crypt_set_algorithms_server:  Set HMAC input algorithm to hmac-sha2-256
    [2020/05/05 16:33:47.811206, 1] ssh_socket_exception_callback:  Socket exception callback: 1 (0)
    [2020/05/05 16:33:47.811227, 1] ssh_socket_exception_callback:  Socket error: disconnected
    [2020/05/05 16:33:47.811255, 3] ssh_handle_key_exchange:  ssh_handle_key_exchange: current state : 9
    Socket error: disconnected
    Segmentation fault

References:









Previous Posts