Vulnerability Development mailing list archives
[Fwd: sshd ioctl bug?]
From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Fri, 22 Feb 2002 13:08:07 -0300
--- Begin Message ---
From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Fri, 22 Feb 2002 13:07:22 -0300

"Gabriel A. Maggiotti" wrote:

---------------------------------------------------------------------------
Web: http://qb0x.net
Author: Gabriel A. Maggiotti
Date: February 03, 2002
E-mail: gmaggiot () ciudad com ar
---------------------------------------------------------------------------

I have recently found a new bug in sshd daemons. I successfully tested these versions:

- SSH-1.99-OpenSSH_2.1.1
- SSH-1.99-OpenSSH_2.9p2
- SSH-1.99-OpenSSH_3.0p1

If you send a longer string, this occurs:

perl -e 'printf "A"x111100' >a
telnet host 22 < a

<quote>
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
pluto.net: Inappropriate ioctl for device
Protocol mismatch.
Connection closed by foreign host.
</quote>

I tested, and if the string is smaller than 16384 nothing occurs, see:

<quote>
[root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
[root@pluto openssh-2.9p2]# telnet pluto 22 <a
Trying 192.168.0.2...
Connected to pluto.net.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
pluto.net: Inappropriate ioctl for device
Protocol mismatch.
</quote>

and if it is just 16384...

<quote>
[root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
[root@pluto openssh-2.9p2]# telnet pluto 22 <a
Trying 192.168.0.2...
Connected to pluto.net.
Escape character is '^]'.
pluto.net: Inappropriate ioctl for device
SSH-1.99-OpenSSH_2.9p2
Protocol mismatch.
Connection closed by foreign host.
</quote>

Is this a real security problem?

---------------------------------------------------------------------------
research-listi () qb0x net is dedicated to interactively researching
vulnerabilities, report potential or undeveloped holes in any kind of
computer system. To subscribe to research-list () qb0x net send a blank
email to research-list-subscribe () qb0x net. More help available sending an
email to research-list-help () qb0x net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------

I made a big mistake: the ioctl error wasn't an sshd error, the telnet client does it. I proved it with nc and nothing occurs, sorry.
--- End Message ---