Bugtraq mailing list archives

Some revelations about ssh and stackpatch


From: woloszyn () IT PL (M.C.Mar)
Date: Mon, 2 Nov 1998 16:55:57 +0100


Hi!

Over two months ago I found that ssh uses argv[0] (if different from ssh)
as a hostname. (Nothing relevant, huh? ;)
1st question: is it good?
2nd question: is it normal?

Look at this piece of sshd code:
void sighup_restart(void)
{
  log_msg("Received SIGHUP; restarting.");
  close(listen_sock);
  execvp(saved_argv[0], saved_argv);
  log_msg("RESTART FAILED: av[0]='%s', error: %s.",
      saved_argv[0], strerror(errno));
  exit(1);
}

Seems sshd does something similar.
Cool, huh?
As we read in the IBM advisory, log_msg just uses vsprintf to copy parsed data
to a fixed 1024-byte buffer.
So I tried:
execl("/path_to_sshd/sshd","AAAAAA....[about 2000]",0);
'Cos I have stackpatch applied, I saw something very strange in my
logs:
Nov  2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Server listening on port 22.
Nov  2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Generating 768 bit RSA key.
Nov  2 16:29:53 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: RSA key generation complete.

I did it as user mcmar, so I tried to log on as mcmar:

Nov  2 16:36:46 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Connection from 127.0.0.1 port 1016
Nov  2 16:36:47 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Password authentication for mcmar accepted.

And it did work.

Nov  2 16:36:54 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Closing connection to 127.0.0.1

So I logged out :)
'Cos sshd does not segfault, I'm not sure what happened, but I see that
there was "BUFFER OVERRUN ATTEMPT". Also I have no idea WHEN my argv[0]
changed, and likewise sending SIGHUP does nothing more than this:

Nov  2 16:45:04 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Received SIGHUP; restarting

I know that lookin' fer a remote sshd exploit is much more fascinating, but
I'm lookin' for something else...

--
___________________________________________________________________________
M.C.Mar   An NT server can be run by an idiot, and usually is.   emsi () it pl
      "If you can't make it good, make it LOOK good." - Bill Gates
  Maybe this isn't the place, but, for example, M$ programs are peculiar monuments to stupidity.
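Added example (not from the post and not sshd's own code): the unbounded vsprintf-into-a-fixed-buffer pattern the post describes, beside the bounded vsnprintf form that detects truncation instead of overrunning the stack. The 1024-byte size comes from the post; the function names and the "RESTART FAILED" test helper with a constructed oversized av[0] are hypothetical.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOG_BUF_LEN 1024   /* the fixed buffer size named in the post */

/* Unsafe pattern from the post: vsprintf with no bound, so a ~2000-byte
 * av[0] overruns the stack. Shown for contrast only; never called here. */
void log_msg_unsafe(const char *fmt, ...)
{
    char buf[LOG_BUF_LEN];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);          /* overflow if output exceeds 1023 chars */
    va_end(ap);
    fputs(buf, stderr);
}

/* Hardened form: vsnprintf never writes past outlen bytes and returns the
 * length the full message would have had, so truncation is detectable
 * (return value >= outlen). */
int log_msg_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (needed < 0)
        out[0] = '\0';
    return needed;
}

/* Hypothetical helper: formats the post's "RESTART FAILED" message with a
 * constructed av[0] of av0_len 'A's. Returns 1 if truncated, 0 if it fit;
 * stores the resulting string length in *out_len. */
int restart_msg_truncated(size_t av0_len, size_t *out_len)
{
    char av0[4096], buf[LOG_BUF_LEN];
    int needed;
    if (av0_len >= sizeof av0)
        av0_len = sizeof av0 - 1;
    memset(av0, 'A', av0_len);
    av0[av0_len] = '\0';
    needed = log_msg_safe(buf, sizeof buf, "RESTART FAILED: av[0]='%s', error: %s.",
                          av0, strerror(ENOENT));
    if (out_len)
        *out_len = strlen(buf);
    return needed >= (int)sizeof buf;
}
```

A caller that gets a return value of LOG_BUF_LEN or more knows the message was cut, which is the signal to log a truncation warning rather than trust the argument.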


