Bugtraq mailing list archives
exploiting the zlib bug in openssh
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 12 Mar 2002 03:57:29 -0600
A bug was found in the zlib compression library which causes inflateEnd() to incorrectly free the same chunk of memory twice when given a deformed chunk of compressed data. A PNG image was discovered (not by me) which triggers this flaw, it is attached. OpenSSH uses the zlib library to compress data when the -C option is passed to it. With version 2 of the protocol, it is possible to send compressed/encrypted messages to the remote daemon before having to authenticate (just after key exchange). This is done using SSH2_MSG_IGNORE packets in the kex2() function of sshconnect2.c. The attached patch to libpng-1.2.1 causes pngtest to dump out the contents of the buffer it passes to inflate(). This is used with the attached PNG file to obtain the buffer the OpenSSH client needs to send. The buffer size has been tweaked in libpng to match the one used in OpenSSH-3.1p1 (4096 bytes). The pngtest program will SEGV after dumping out this buffer from the PNG file. I patched the OpenSSH client to send this corrupt zlib buffer after the key exchange, the inflate() call on the remote end is returning the correct value indicating that the buffer did what it was supposed to (Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the fatal_cleanup() and inflateEnd() calls. Taking the same buffer and sticking it into the inflate() call of another application causes the desired SEGV and possible path to exploitability, so why isn't OpenSSH crashing? The attached patch applies to OpenSSH-3.1p1, if you run the daemon code it will spit out the recieved buffer (to make sure it made it across ok) and some other debugging information. The recommended command line to test this: # ./sshd -d -d -d # ./ssh -2 -C -v -v -v root@127.0.0.1 If for some reason you can't access the attachments, you can find copies of them on my web site at the following URL: http://www.digitaloffense.net/openssh_zlib/
Attachment:
ssh_zlib.diff
Description:
Attachment:
libpng_zlib_test.diff
Description:
Current thread:
- exploiting the zlib bug in openssh H D Moore (Mar 12)
- OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Michael Leo (Mar 12)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Christopher X. Candreva (Mar 13)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Brent J. Nordquist (Mar 13)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Lisa Bogar (Mar 14)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris John D Groenveld (Mar 14)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Thomas Insel (Mar 15)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Casper Dik (Mar 15)
- Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Christopher X. Candreva (Mar 13)
- OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Michael Leo (Mar 12)