Try   HackMD

libssh code audit

Focus

  • Check the state machine and all transitions
  • Check input sanitization (both from function parameters and configuration files)
    • config file parsing (src/config.c)
    • ssh key parsing (src/pki_container*.c)
    • known_hosts file parsing (src/knownhosts.c)

Security process

https://www.libssh.org/development/security-process/

Examples

Server: examples/ssh_server_fork.c
Client: examples/ssh_client.c

Fuzzing

See tests/fuzz

https://github.com/google/oss-fuzz/tree/master/projects/libssh

Currently only the first state of the state machine after connect is fuzzed. We miss inputs (starting points) for oss-fuzz.

For this libssh would need to be extened that in src/socket.c the packets are also written to a file (client and server).

https://gitlab.com/libssh/libssh-mirror/merge_requests/59

We need a client and server similar to the fuzzer so we can create traces.

Example:

https://gitlab.com/gnutls/gnutls/blob/master/fuzz/README-adding-traces.md

Those traces should be feeded into American Fuzzy Loop so it creates variation of those inputs (needs to run for 2 days).

Communication

IRC: #libssh-pentest @ Freenode

People to talk to:

  • Andreas Schneider
    • IRC: gladiac
    • Matrix: @asn:matrix.org
  • Jakub Jelen
    • IRC: jjelen
  • Anderson Sasaki
    • IRC: ansasaki
  • Aris Adamantiadis
    • IRC: ar1s

Schedule

Possibly CW39 & CW40

State machine:

The state machine is not implemented in a single file, but it is scattered in the code, which makes it hard to find the exact global state. It is basically a composition of various state machines.

The global state is composed by the session state (session->session_state) and the states of the other contexts (session->socket_state, session->dh_handshake_state, session->auth.state, session->global_req_state, channel->state, etc.).

When a state machine is started, the callbacks and an initial state are set. These callbacks usually change the session->pending_call_state to the current operation being performed, which is expected to be called again in non-blocking sessions. Then a message is sent to the server and a reaction from the server is expected. The packets from the server are captured by the socket polling, which calls the appropriate callbacks for each message type (see packet.c). These callbacks change the global state by changing the session state or the state of one of the other contexts.

The incoming packets are filtered (in ssh_packet_incoming_filter() in packet.c) by the expected global state before being processed (by ssh_packet_process()). Although not complete, it is possible to see the majority of the expected transitions made by the callbacks, documented in comments. In the beginning of the packet.c file, it is possible to see the default callbacks called for each message type.

If the session is non-blocking, it is expected the API to be called many times, while the return is SSH_AGAIN. If the session is blocking, the call will block in a loop.

For example to connect to a host as a client:

  • Call ssh_connect(), which sets the callback as ssh_client_connection_callback, the session state to SSH_SESSION_STATE_CONNECTING, and pending_call_state to PENDING_CALL_CONNECT
    • This will call ssh_handle_packets(), which will poll the socket and call the appropriate callbacks for each packet arriving
  • The session state changes to SSH_SESSION_STATE_SOCKET_CONNECTED when the socket connection is stablished
  • The client sends the banner. Then it expects the server to send its banner
  • The server sends its banner. The polling gets the packet and calls callback_receive_banner() setting the state to SSH_SESSION_BANNER_RECEIVED
  • The client sends the initial key exchange info and sets the session state as SSH_SESSION_STATE_INITIAL_KEX
  • The polling gets the server packet with its initial key exchange info; the client changes the state to SSH_SESSION_STATE_KEXINIT_RECEIVED
  • The client selects the key exchange methods, sets the session state as SSH_SESSION_STATE_DH, and starts the key exchange (a.k.a DH) state machine by calling dh_handshake()
    • The session state does not change until the state machine handling the key exchange is finished, which is informed by the session->dh_handshake_state
  • When the key exchange is finished, the state is changed to SSH_SESSION_AUTHENTICATING.
    • Again, this doesn't change until the state machine handling the authentication finishes, setting the session->session_state to SSH_SESSION_AUTHENTICATED or SSH_SESSION_STATE_ERROR

Now the key exchange is finished and the user can use one of the authentication methods to authenticate.

tags: libssh
Last changed by 
Andreas Schneider
0
470

Read more

Samba Debugging

Maybe one of the most important tools we have. The testparm utility checks if the the smb.conf is valid. Run

Jul 18, 2023
Hack together

Run Samba Selftest rlRun "chown -R $USER:$USER $TmpDir" 0 "change owner of $TmpDir to $USER" # Unpacks RPM in $HOME/rpmbuild/SOURCES and unpacks tarball to $HOME/rpmbuild/BUILD rlRun "rpmbuild -rp samba-4.16.2-101.el9.src.rpm" 0 "Unpack RPM and apply patches" rlRun "$SU_CMD CFLAGS='-O1 -g -ggdb -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -fasynchronous-unwind-tables -fstack-clash-protection' ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-fhs --with-piddir=/run --with-sockets-dir=/run/samba --with-modulesdir=/usr/lib64/samba --with-pammodulesdir=/usr/lib64/security --with-lockdir=/var/lib/samba/lock --with-statedir=/var/lib/samba --with-cachedir=/var/lib/samba --disable-rpath-install --with-shared-modules=idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_wbc,auth_unix,auth_server,auth_samba4,vfs_dfs_samba4 '--bundled-libraries=!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb,!pyldb-util' --with-pam --with-pie --with-relro --without-fam --with-system-mitkrb5 --with-experimental-mit-ad-dc --disable-glusterfs --with-cluster-support --with-profiling-data --with-systemd --with-quotas --enable-selftest" rlRun "$SU_CMD make -j4" && rlRun "touch /root/make_successful"

Jun 27, 2022
Day of Learning: neovim 0.5.0

by Andreas Schneider Introduction Finally neovim 0.5.0 has been released. This release represents ~4000 commits since v0.4.4, the previous non-maintenance release. Highlights include builtin support for Lanugage Server Protocol (LSP), new APIs for extended marks (with byte resolution tracking of changes) and buffer decorations, as well as vast improvements to lua as a plugin and configuration language. Experimental support for tree-sitter as a syntax engine is also included, building on the new core APIs for byte tracking and decorations. https://github.com/neovim/neovim/commit/a5ac2f45ff84a688a09479f357a9909d5b914294 Till now your config was going to init.nvim. As Vimscript is an interpredted language and slow, neovim supports lua for config files now (init.lua). This makes a lot of stuff faster. However vimscript support will not go away.

Jul 29, 2021
Samba TODO

TEST: Add echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername -> https://gitlab.com/samba-team/samba/-/merge_requests/1271 Migrate s3 client code to cli_credentials

Nov 12, 2020
Read more from Andreas Schneider
Published on HackMD