Vulnerability Development mailing list archives
Re: openssh vulnerability
From: "Robert A. Seace" <ras () magrathea com>
Date: Tue, 16 Sep 2003 15:27:37 -0400 (EDT)
In the profound words of Diode Trnasistor:
In case you haven't been following it, on full disclosure there's been some mention of a new ssh vulnerability. The vulnerability is allegedly in the following sniplet of code taken from buffer.c file of openssh distrib:
[snip...]
So all that's accomplished is not using the value inside the buffer to be reallocated as the number of bytes to allocate. It is now done with a new variable. Is anyone familiar with what happens when you use realloc like they are using originally (when using a value instead the structure to reallocate as the second value to realloc). I still fail to see how this is a security problem, and would like it if someone would explain it to me. Thanx :)
I believe the problem lies in the fatal() calls... If you can force one of those to be done (the range check one or the ones inside xrealloc()), then one of the things fatal() does is call clean-up functions, and apparently one of those clean-up functions may call buffer_free() on that same buffer that's in the process of being grown... (I didn't track down all the clean-up functions to see if this really gets done, but that seems to be only possible concern I can think of...) And, for some reason (presumably to wipe sensitive info from RAM, though I tend to think it's a bit of overkill paranoia), buffer_free() memset()'s the buffer full of null bytes before freeing it... And, so for this buffer currently being grown, it would memset() using the new length that it's trying to grow to, however that space wouldn't actually be allocated for it, hence it'd write nulls off the end... But, as near as I can see, we're only talking about writing nulls... And, I'm not sure I see how it can be controlled in any reasonable way to actually allow anything more than crashing the thing (which it was already in the process of doing on its own, thanks to the fatal(), anyway!)... But, maybe someone else smarter or more devious than I has a way to make it execute code?? *shrug* -- ||========================================================================|| || Rob Seace || URL || ras () magrathea com || || AKA: Agrajag || http://www.magrathea.com/~ras/ || rob () wordstock com || ||========================================================================|| "You know, it's at times like this, when I'm trapped in a Vogon airlock with a man from Betelgeuse, and about to die of asphyxiation in deep space, that I really wish I'd listened to what my mother told me when I was young." "Why, what did she tell you?" "I don't know, I didn't listen." - The Hitchhiker's Guide to the Galaxy
Current thread:
- Cannot access memory at address 0x90909090 Ingram (Sep 11)
- Re: Cannot access memory at address 0x90909090 fr0stman (Sep 11)
- <Possible follow-ups>
- Re: Cannot access memory at address 0x90909090 DownBload (Sep 12)
- Re: Cannot access memory at address 0x90909090 . npguy (Sep 13)
- openssh vulnerability Diode Trnasistor (Sep 16)
- Re: openssh vulnerability Przemyslaw Frasunek (Sep 16)
- Re: openssh vulnerability Robert A. Seace (Sep 16)
- openssh vulnerability Diode Trnasistor (Sep 16)