[Fwd: sshd ioctl bug?]

["Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>]

> --- Begin Message ---
>
>
> From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
>
> Date: Fri, 22 Feb 2002 13:07:22 -0300
>
> "Gabriel A. Maggiotti" wrote:
>
> >   ------------------------------------------------------------------------
> > ---------------------------------------------------------------------------
> > Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
> > Date: Febrary 03, 2002                  E-mail: gmaggiot () ciudad com ar
> > ---------------------------------------------------------------------------
> >
> > I have recently found a new bug in sshd deamons, I tested successfully
> > this versions:
> >
> > - SSH-1.99-OpenSSH_2.1.1
> > - SSH-1.99-OpenSSH_2.9p2
> > - SSH-1.99-OpenSSH_3.0p1
> >
> > If you send a langer string occurs this:
> >
> > perl -e 'printf "A"x111100' >a
> > telnet host 22 < a
> >
> > <quote>
> > Escape character is '^]'.
> > SSH-1.99-OpenSSH_2.9p2
> > pluto.net: Inappropriate ioctl for device
> > Protocol mismatch.
> > Connection closed by foreign host.
> > </quote>
> >
> > I tested and if the string is smaller than 16384 nothing occurs, see:
> >
> > <quote>
> >
> > [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
> > [root@pluto openssh-2.9p2]# telnet pluto 22 <a
> > Trying 192.168.0.2...
> > Connected to pluto.net.
> > Escape character is '^]'.
> > SSH-1.99-OpenSSH_2.9p2
> > pluto.net: Inappropriate ioctl for device
> > Protocol mismatch.
> >
> > </quote>
> >
> > and if is just 16384...
> >
> > <quote>
> >
> > [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
> > [root@pluto openssh-2.9p2]# telnet pluto 22 <a
> > Trying 192.168.0.2...
> > Connected to pluto.net.
> > Escape character is '^]'.
> > pluto.net: Inappropriate ioctl for device
> > SSH-1.99-OpenSSH_2.9p2
> > Protocol mismatch.
> > Connection closed by foreign host.
> >
> > </quote>
> >
> > Is this a real security problem?
> >
> > ---------------------------------------------------------------------------
> > research-listi () qb0x net is dedicated to interactively researching vulnerab-
> > ilities, report potential or undeveloped holes in any kind of computer system.
> > To  subscribe to   research-list () qb0x ne t send a blank  email  to
> > research-list-subscribe () qb0x net. More help  available  sending an email
> > to research-list-help () qb0x net.
> > Note: the list doesn't allow html, it will be stripped from messages.
> > ---------------------------------------------------------------------------
>
> I make a big mistake,  the ioctl error wasn't sshd error,  the telnet client do
> it.  I prove it with nc and nothing occurs, sorry .
>
>
>
> --- End Message ---