Bugtraq mailing list archives

Re: A couple of patches (RFC931 and scp location)

From: simmonmt () CS PURDUE EDU (Matt Simmons)
Date: Sun, 8 Jun 1997 17:08:23 -0500


I added the authuser code from wu-ftpd 2.4 to ssh, and mentioned it in
a post to the ssh list.  One of the subscribers to that list, Benjamin
Stassart, looked through it and found a possible buffer overrun.  His
message is included below - it refers to authuser.c from the support
directory of the wu-ftpd distribution.  Is this overrun exploitable
and therefore nasty & bad?

Matt

Benjamin J Stassart <dszd0g () dasb fhda edu> writes:

[...]

Also, unless I am mistaken it appears you could over-run one of the
buffers in authuser.c with spaces or tabs.  What this would be able to
accomplish I do not know, but it should be fixed.

        while ((w = read(s, &ch, 1)) == 1) {
                *buf = ch;
                if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                        ++buf;
                if ((buf - realbuf == sizeof(realbuf) - 1) || (ch ==
'\n'))
                        break;
        }

Switching the if statements should fix the problem I believe?

[...]

As for ease of overflowing the buffer, I would say pretty easy.  I have
hacked up pidentd source quite a bit.  It is not difficult.  Since the
buffer is just read directly from the socket, well...

Benjamin J. Stassart

Current thread:

Re: A couple of patches (RFC931 and scp location) Matt Simmons (Jun 08)
- Re: A couple of patches (RFC931 and scp location) Joe Zbiciak (Jun 09)
- Re: A couple of patches (RFC931 and scp location) Paul B. Henson (Jun 09)
- Bad permissions (644) on /etc/shadow after editing via Krzysztof G. Baranowski (Jun 10)
- Q142047: Bad Network Packet May Cause Access Violation (AV) on Aleph One (Jun 10)
- Q167629: Predictable Query IDs Pose Security Risks for DNS Servers Aleph One (Jun 10)
- Q169461: Access Violation in DNS.EXE Caused by Malicious Telnet Aleph One (Jun 10)