Full Disclosure mailing list archives
Re: openssh remote exploit
From: Diode Trnasistor <ffddfe () yahoo com>
Date: Tue, 16 Sep 2003 08:07:16 -0700 (PDT)
um... from xmalloc.c:

    void *
    xrealloc(void *ptr, size_t new_size)
    {
        void *new_ptr;

        if (new_size == 0)
            fatal("xrealloc: zero size");
        if (ptr == NULL)
            new_ptr = malloc(new_size);
        else
            new_ptr = realloc(ptr, new_size);
        if (new_ptr == NULL)
            fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
        return new_ptr;
    }

So yeah, I still fail to see the problem, except that the size_t value passed to realloc comes from the structure to be reallocated. Bah.. I don't get it :\ HALP!

--- auto64746 () hushmail com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Look closer.
>
>     buffer->alloc += len + 32768;
>     if (buffer->alloc > 0xa00000)
>         fatal("buffer_append_space: alloc %u not supported", buffer->alloc);
>     buffer->buf = xrealloc(buffer->buf, buffer->alloc);
>     goto restart;
>
> I do not believe in giving the codepath, but we must take buffer_free and make an overflow with '\0'. This is not an exploit for 2.4.x, as malloc never returns null. Unless malloc w00d00.
>
> On Mon, 15 Sep 2003 18:47:39 -0700 Darren Reed <avalon () caligula anu edu au> wrote:
>> In some mail from auto64746 () hushmail com, sie said:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> You can see the 2 bugs in this code? Seems to me that Theo could not. I am of the understanding that there are exploits working on this in the wild. 3 remote holes in default install now!
>>
>> Well, I can see at least one bug but it's not security related: if "Buffer->alloc == X" (but offset == end == 0) and "len == X" then it allocates an extra "X + 32k" bytes rather than filling the existing buffer exactly. That, however wasteful, may be part of the design as it is hard to judge it alone like that. Maybe if you can see others you'll highlight them?
>>
>> Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
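The ordering concern the thread is circling, as an added example (not code from the thread, from its posters or from OpenSSH): the quoted snippet raises buffer->alloc before xrealloc has succeeded, so any cleanup that zeroes alloc bytes would trust a size the buffer does not yet own. The 32768 growth step and the 0xa00000 cap follow the quoted snippet; the Buffer fields, the error-returning style and the realloc hook are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef struct {          /* minimal model of the OpenSSH Buffer (constructed) */
    unsigned char *buf;
    unsigned int alloc;   /* bytes buf really owns */
    unsigned int end;     /* one past the last live byte */
} Buffer;
#define BUFFER_MAX_ALLOC 0xa00000u  /* cap from the quoted snippet */

/* Allocator hook (assumed for the demo) so a test can force realloc to fail. */
static void *(*realloc_hook)(void *, size_t) = realloc;
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Make room for len more bytes; 0 on success, -1 on failure. Unlike the quoted
 * code, alloc is committed only after realloc succeeds, so buffer_free's
 * memset(buf, 0, alloc) never reaches past what buf owns. */
int buffer_append_space(Buffer *b, unsigned int len)
{
    unsigned int newalloc;
    void *newbuf;
    if (b->end > UINT_MAX - len) return -1;          /* end + len would wrap */
    if (b->end + len <= b->alloc) return 0;          /* already enough room */
    newalloc = b->alloc + len + 32768;               /* growth rule from the snippet */
    if (newalloc < b->alloc || newalloc > BUFFER_MAX_ALLOC) return -1;
    newbuf = realloc_hook(b->buf, newalloc);
    if (newbuf == NULL) return -1;                   /* old buf/alloc still valid */
    b->buf = newbuf;
    b->alloc = newalloc;
    return 0;
}

void buffer_free(Buffer *b)      /* zero and release; relies on alloc being honest */
{
    if (b->buf != NULL) memset(b->buf, 0, b->alloc);
    free(b->buf); b->buf = NULL; b->alloc = b->end = 0;
}

int grow_failure_keeps_alloc(void)   /* 1 if a forced realloc failure leaves alloc unchanged */
{
    Buffer b = { NULL, 0, 0 };
    int ok = buffer_append_space(&b, 16) == 0;       /* alloc becomes 16 + 32768 */
    unsigned int before = b.alloc;
    realloc_hook = failing_realloc;
    ok = ok && buffer_append_space(&b, 100000) == -1 && b.alloc == before;
    realloc_hook = realloc;
    buffer_free(&b);                                 /* wipes exactly `before` bytes */
    return ok;
}
```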