Bugtraq mailing list archives
ssh-1.2.27 exploit
From: jarekk () TENET PL (Jarek Kutylowski)
Date: Mon, 13 Dec 1999 09:27:05 +0100
I have now worked on the ssh-1.2.27 rsaref buffer overflow and consider ssh now as quite immune. It is of course possible to crash sshd, but a real attack is, in my opinion, impossible. Doing an overflow we must provide a buffer of 136 bytes length (the input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes for the EIP). Everything works fine until we reach the RSAPrivateDecrypt function in rsaref. This function checks the variable input_len, which is the length of the buffer (in our case it is minimum 136) against the variable modulus_len, which is 128. When this check fails (and it does), RSAPrivateDecrypt returns error, causing sshd to fall into a fatal error. A solution for this problem would be to overflow the input_len. On my machine this variable normally gets optimized, so there is no way. Anyway, when it is written to stack, it is saved much more before input_data, so it is unaccessible. If you have any other suggestions, I'd like to hear them. -- Jarek Kutylowski <jarekk () tcs uni wroc pl> <jarekk () tenet pl> Get my PGP public key by running "finger jarekk () tenet pl" or by WWW from "www.tenet.pl/~jarekk/pgp.txt" !!!
Current thread:
- sadmind exploits (remote sparc/x86) Marcy Abene (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Erik Fichtner (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Lamont Granquist (Dec 10)
- Irix and TCP implementation TeSd (Dec 10)
- 64bit Sol7 on Ultra1 < 200mhz bug Jake Luck (Dec 11)
- VDO Live Player 3.02 Buffer Overflow UNYUN (Dec 12)
- ssh-1.2.27 exploit Jarek Kutylowski (Dec 13)
- Re: ssh-1.2.27 exploit Iván Arce (Dec 13)
- Re: ssh-1.2.27 exploit Beto (Dec 15)
- FreeBSD 3.3 xsoldier root exploit Brock Tellier (Dec 15)
- Xsoldier xploit (was: FreeBSD 3.3 xsoldier root exploit) Spidey (Dec 15)
- BindView Security Advisory: Vulnerability in Windows NT's SYSKEY feature BindView Security Advisory (Dec 16)
- Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities security-alert () CISCO COM (Dec 16)
- Reinventing the wheel (aka "Decoding Netscape Mail passwords") Vanja Hrustic (Dec 15)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") John Viega (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Tim Hollebeek (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Aleph One (Dec 16)
- Re: sadmind exploits (remote sparc/x86) Lamont Granquist (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Erik Fichtner (Dec 10)