Vulnerability Development mailing list archives

Re: openssh vulnerability


From: "Robert A. Seace" <ras () magrathea com>
Date: Tue, 16 Sep 2003 15:27:37 -0400 (EDT)

In the profound words of Diode Trnasistor:

In case you haven't been following it, on full
disclosure there's been some mention of a new ssh
vulnerability.

The vulnerability is allegedly in the following
snippet of code taken from buffer.c file of openssh
distrib:

[snip...]

So all that's accomplished is not using the value
inside the buffer to be reallocated as the number of
bytes to allocate.  It is now done with a new
variable.

Is anyone familiar with what happens when you use
realloc like they are using originally (when using a
value instead of the structure to reallocate as the
second value to realloc).  I still fail to see how
this is a security problem, and would like it if
someone would explain it to me.  Thanx :)

        I believe the problem lies in the fatal() calls...  If you
can force one of those to be done (the range check one or the
ones inside xrealloc()), then one of the things fatal() does is
call clean-up functions, and apparently one of those clean-up
functions may call buffer_free() on that same buffer that's in
the process of being grown...  (I didn't track down all the
clean-up functions to see if this really gets done, but that
seems to be the only possible concern I can think of...)  And, for
some reason (presumably to wipe sensitive info from RAM, though
I tend to think it's a bit of overkill paranoia), buffer_free()
memset()'s the buffer full of null bytes before freeing it...
And, so for this buffer currently being grown, it would memset()
using the new length that it's trying to grow to, however that
space wouldn't actually be allocated for it, hence it'd write
nulls off the end...  But, as near as I can see, we're only
talking about writing nulls...  And, I'm not sure I see how it
can be controlled in any reasonable way to actually allow anything
more than crashing the thing (which it was already in the process
of doing on its own, thanks to the fatal(), anyway!)...  But,
maybe someone else smarter or more devious than I has a way to
make it execute code?? *shrug*

-- 
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"You know, it's at times like this, when I'm trapped in a Vogon
 airlock with a man from Betelgeuse, and about to die of
 asphyxiation in deep space, that I really wish I'd listened to
 what my mother told me when I was young."
"Why, what did she tell you?"
"I don't know, I didn't listen."
        - The Hitchhiker's Guide to the Galaxy
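An added C model of the ordering problem discussed above, constructed for this page rather than taken from the thread or from OpenSSH: the vulnerable version bumps the buffer's `alloc` field before the range check or the (re)allocation can fail, so a cleanup that trusts `alloc` as its memset length would run past the real allocation; the fixed version keeps the candidate size in a local. `try_grow`, its `limit` argument, and the `real_alloc` field are demo-only stand-ins for xrealloc() failing and for what the heap actually holds.

```c
#include <stdlib.h>
#define BUFFER_MAX_LEN 0xa00000  /* the 10 MB range check in buffer_append_space */

/* Constructed model of the OpenSSH Buffer for illustration; not OpenSSH's own code. */
struct buffer {
    unsigned char *buf;  /* backing storage */
    size_t alloc;        /* bytes the buffer believes it owns (memset length in buffer_free) */
    size_t end;          /* bytes in use */
    size_t real_alloc;   /* demo-only bookkeeping: bytes actually allocated */
};

/* Stand-in for xrealloc(); 'limit' simulates the allocator failing (the fatal() path). */
static int try_grow(struct buffer *b, size_t newlen, size_t limit) {
    if (newlen > limit) return 0;
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL) return 0;
    b->buf = p;
    b->real_alloc = newlen;
    return 1;
}

/* Vulnerable ordering: alloc is bumped before either check has passed, so on
 * fatal() the cleanup's memset(buf, 0, alloc) would use the unallocated size. */
static int append_space_vuln(struct buffer *b, size_t len, size_t limit) {
    if (b->end + len <= b->alloc) return 1;
    b->alloc += len + 32768;
    if (b->alloc > BUFFER_MAX_LEN) return 0;  /* fatal(): alloc already wrong */
    return try_grow(b, b->alloc, limit);      /* fatal() inside xrealloc: same */
}

/* Fixed ordering: the candidate size lives in a local; alloc changes only on success. */
static int append_space_fixed(struct buffer *b, size_t len, size_t limit) {
    if (b->end + len <= b->alloc) return 1;
    size_t newlen = b->alloc + len + 32768;
    if (newlen > BUFFER_MAX_LEN || !try_grow(b, newlen, limit)) return 0;
    b->alloc = newlen;
    return 1;
}

/* Bytes a memset(buf, 0, alloc) in cleanup would write past the real allocation. */
static size_t cleanup_overrun(const struct buffer *b) {
    return b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
}

/* Grow a 4096-byte buffer by 100000 while the allocator "fails" above 64 KiB. */
size_t run_scenario(int fixed) {
    struct buffer b = { malloc(4096), 4096, 0, 4096 };
    if (fixed) append_space_fixed(&b, 100000, 65536);
    else append_space_vuln(&b, 100000, 65536);
    size_t overrun = cleanup_overrun(&b);  /* vuln: 132768, fixed: 0 */
    free(b.buf);
    return overrun;
}
```

Nothing here writes out of bounds; the overrun is only computed, which is the check a reviewer would apply to any cleanup handler that reads a size field updated before the allocation it describes.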
