Bug 23140 - [CVS EXTSSH] vulnerable to man in the middle attacks (dns poisoning, etc_
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: Team
Version: 2.0
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: 2.1 M3
Assignee: Boris Shingarov CLA
Reported: 2002-09-04 02:34 EDT by Paul Nasrat CLA
Modified: 2002-11-04 13:36 EST

Attachments:
- Initial work to check keys (4.00 KB, patch), 2002-09-04 02:39 EDT, Paul Nasrat CLA
- Updated patch file (4.00 KB, patch), 2002-09-07 01:59 EDT, Paul Nasrat CLA
- Updated patch *IGNORE FIRST TWO* (3.38 KB, patch), 2002-09-07 02:20 EDT, Paul Nasrat CLA
- Refactored initial work to maintain state of known hosts (11.40 KB, patch), 2002-09-24 09:48 EDT, Paul Nasrat CLA
- Patch working with native known_hosts (8.27 KB, patch), 2002-11-01 12:03 EST, Boris Shingarov CLA
- Same patch without depending on 1.4 features (10.87 KB, patch), 2002-11-01 13:33 EST, Boris Shingarov CLA
- Real version (10.87 KB, patch), 2002-11-01 14:17 EST, Boris Shingarov CLA

Description Paul Nasrat CLA 2002-09-04 02:34:26 EDT
Tested on Linux gtk2 and Mac OS X and 10.2 Carbon - all other versions are vulnerable
as they use a shared codebase and its implementation.

Description of the problem:

Eclipse ships with a pure Java based ssh1 client for use with cvs.  This
is enabled by selecting extssh as the method of authentication to a cvs
repository.  The client supplied is an SSH1 client and only supports
password authentication - users can use the standard ext method for public
key authentication with a suitable ssh-agent (pageant, openssh, etc).

However when using the Eclipse extssh component no history of host keys
is kept.  This enables an attacker who can poison the name resolution of
the Eclipse client to potentially steal passwords through a modified ssh
daemon on a server under their control.

Steps to Reproduce:

1. Set up access to an external cvs repository with extssh and a
password (preferably with a username that doesn't exist locally, e.g.
notme).
Close Eclipse.

2. Edit /etc/hosts to point to another ssh server (e.g. localhost).

3. Open Eclipse and choose to browse the repository from the cvs
perspective.

4. In your auth logs you should get messages like:

sshd[1234]: Failed none for illegal user notme from xxx.xxx.xxx.xxx
port xxxx
sshd[1234]: Failed password for illegal user notme from xxx.xxx.xxx.xxx
port xxxx

In your log (/var/log/auth.log in the case of Mandrake).

Expected results: Should get a prompt saying key changed.

A malicious user could gain access to valuable accounts.

Workaround:

Use an ssh2 client with public keys with the ext method.
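The host-key memory the report asks for, as an added Python example that is not part of this bug or of the Eclipse patches: it parses OpenSSH's SSH1 known_hosts format (host bits exponent modulus), computes the OpenSSH-style RSA1 fingerprint (MD5 over the big-endian bytes of the modulus followed by the exponent) so the user can compare it with the server's, and classifies a presented key as matching, first-seen, or changed. The known_hosts content and all key values are constructed, toy-sized values, not real keys.

```python
import hashlib
from enum import Enum

# Constructed sample in OpenSSH's SSH1 known_hosts format: "host[,alias] bits exponent modulus".
# The numbers are made up and far too small for a real key; they only exercise the parser.
SAMPLE_KNOWN_HOSTS = """\
# known_hosts: SSH1 entries are 'host bits e n' with e and n in decimal
cvs.example.org,10.0.0.5 1024 35 1234567890123456789
build.example.org 1024 37 9876543210987654321
"""


class HostKeyStatus(Enum):
    MATCH = "match"        # stored key equals the presented key
    UNKNOWN = "unknown"    # first contact: record the key (trust on first use)
    CHANGED = "changed"    # stored key differs: refuse before any password is sent


def ssh1_fingerprint(n, e):
    """OpenSSH-style RSA1 fingerprint: MD5 over the big-endian bytes of n, then e, no length prefixes."""
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text):
    """Map every hostname or alias to its (e, n); comments, blank and malformed lines are skipped."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        hosts, _bits, e, n = parts[:4]
        if not (e.isdigit() and n.isdigit()):
            continue
        for host in hosts.split(","):
            keys[host] = (int(e), int(n))
    return keys


def check_host_key(known, host, e, n):
    """Decide whether the presented key may be trusted; a CHANGED result must abort the login."""
    stored = known.get(host)
    if stored is None:
        known[host] = (e, n)          # remember the key so a later change is detectable
        return HostKeyStatus.UNKNOWN
    if stored == (e, n):
        return HostKeyStatus.MATCH
    return HostKeyStatus.CHANGED      # the /etc/hosts redirection in this report lands here
```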
Comment 1 Paul Nasrat CLA 2002-09-04 02:39:32 EDT
Created attachment 1924 [details]
Initial work to check keys
Comment 2 Paul Nasrat CLA 2002-09-07 01:45:18 EDT
The attachment above is incorrect.  It throws an array out of bounds exception.  The
following patch corrects it - currently I'm forcing an IOException until I can get the format
of the fingerprint a la the SSH 1.5 protocol (openssh style).

Comment 3 Paul Nasrat CLA 2002-09-07 01:59:26 EDT
Created attachment 1948 [details]
Updated patch file
Comment 4 Paul Nasrat CLA 2002-09-07 02:18:45 EDT
Apologies again - old file got uploaded.  Ignore previous patches, fixed and sorted out
minor whitespace differences this time as well.

Comment 5 Paul Nasrat CLA 2002-09-07 02:20:05 EDT
Created attachment 1949 [details]
Updated patch *IGNORE FIRST TWO*
Comment 6 Paul Nasrat CLA 2002-09-24 09:47:30 EDT
I've done some more work, tested the fingerprint is identical to OpenSSH and
gone some way to storing state.

A patch will follow.
Comment 7 Paul Nasrat CLA 2002-09-24 09:48:28 EDT
Created attachment 2050 [details]
Refactored initial work to maintain state of known hosts
Comment 8 Boris Shingarov CLA 2002-11-01 12:03:32 EST
Created attachment 2300 [details]
Patch working with native known_hosts
Comment 9 Paul Nasrat CLA 2002-11-01 12:55:30 EST
This patch will also work with Eclipse on OS X, but doesn't check for it.
Comment 10 Boris Shingarov CLA 2002-11-01 13:33:15 EST
Created attachment 2301 [details]
Same patch without depending on 1.4 features
Comment 11 Boris Shingarov CLA 2002-11-01 14:17:37 EST
Created attachment 2302 [details]
Real version
Comment 12 Michael Valenta CLA 2002-11-01 14:48:22 EST
Fix released to HEAD
Comment 13 Boris Shingarov CLA 2002-11-04 13:36:39 EST
Well, I'm not familiar with OS X.
The problem is that the real question to ask when determining the location of 
known_hosts would be: "do we have a native ssh installation on this platform", 
with the answer presumably yes for unix and unix-like ones.  Unfortunately, 
Core does not give us an API to ask whether the platform is unix-like.