Full Disclosure mailing list archives

Re: openssh remote exploit


From: <auto64746 () hushmail com>
Date: Mon, 15 Sep 2003 19:21:50 -0700

Look closer.

    buffer->alloc += len + 32768;
    if (buffer->alloc > 0xa00000)
        fatal("buffer_append_space: alloc %u not supported", buffer->alloc);
    buffer->buf = xrealloc(buffer->buf, buffer->alloc);
    goto restart;

I do not believe in giving the codepath, but we must take buffer_free
and make an overflow by '\0'.
This is not an exploit on 2.4.x as malloc never returns null, unless
malloc w00d00.

On Mon, 15 Sep 2003 18:47:39 -0700 Darren Reed <avalon () caligula anu edu au> wrote:

> In some mail from auto64746 () hushmail com, sie said:
>
> > Can you see the 2 bugs in this code? It seems to me that theo could
> > not. I am of the understanding that there are exploits working on
> > this in the wild. 3 remote holes in the default install now!
>
> Well, I can see at least one bug but it's not security related:
>
> If "Buffer->alloc == X" (but offset == end == 0) and "len == X" then
> it allocates an extra "X + 32k" bytes rather than filling the existing
> buffer exactly.  That, however wasteful, may be part of the design as
> it is hard to judge it alone like that.
>
> Maybe if you can see others you'll highlight them ?
>
> Darren


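Added example (not from this thread and not OpenSSH's own code): a small C model of the growth step quoted above, with fatal() replaced by an error return so the buffer state after a failed growth can be inspected. It shows Darren's X/X case growing to 2X+32K under either ordering, and that only the posted ordering leaves alloc larger than the block buf actually points to when the cap check fails. The names Buffer, append_space_as_posted, append_space_hardened and buffer_with_alloc are assumptions for this example.

```c
#include <stdlib.h>

/* Minimal model of OpenSSH's Buffer. Compaction of a consumed prefix is
 * left out: neither the posted fragment nor Darren's case (offset == end
 * == 0) exercises it. Hypothetical names, not OpenSSH's own code. */
typedef struct { unsigned char *buf; unsigned int alloc, offset, end; } Buffer;

#define BUFFER_MAX_ALLOC 0xa00000u   /* the cap in the posted fragment */

/* Ordering as posted: alloc is raised before the cap check and the realloc.
 * If either fails, alloc already exceeds the size of the block buf points
 * to, so any cleanup that trusts alloc (e.g. a free routine that zeroes
 * alloc bytes before freeing) would write past the real allocation.
 * fatal() is modelled as "return -1" so the state afterwards can be seen. */
int append_space_as_posted(Buffer *b, unsigned int len) {
    for (;;) {
        /* strict '<': end + len == alloc does not count as fitting */
        if (b->end + len < b->alloc) { b->end += len; return 0; }
        b->alloc += len + 32768;                       /* committed first */
        if (b->alloc > BUFFER_MAX_ALLOC) return -1;    /* fatal() */
        unsigned char *p = realloc(b->buf, b->alloc);  /* xrealloc() */
        if (p == NULL) return -1;                      /* fatal() */
        b->buf = p;
    }
}

/* Hardened ordering: size the growth into a local, check it (including
 * unsigned wrap), grow the block, and only then commit alloc, so alloc
 * never describes memory the buffer does not own. Same growth policy. */
int append_space_hardened(Buffer *b, unsigned int len) {
    for (;;) {
        if (b->end + len < b->alloc) { b->end += len; return 0; }
        unsigned int newlen = b->alloc + len + 32768;
        if (newlen < b->alloc || newlen > BUFFER_MAX_ALLOC) return -1;
        unsigned char *p = realloc(b->buf, newlen);
        if (p == NULL) return -1;
        b->buf = p;
        b->alloc = newlen;                             /* committed last */
    }
}

/* Constructed starting state: an empty buffer whose block is exactly x bytes. */
Buffer *buffer_with_alloc(unsigned int x) {
    Buffer *b = calloc(1, sizeof *b);
    b->buf = malloc(x);
    b->alloc = x;
    return b;
}
```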





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

