Full Disclosure mailing list archives
Re: openssh remote exploit
From: <auto64746 () hushmail com>
Date: Mon, 15 Sep 2003 19:21:50 -0700
Look closer.

    buffer->alloc += len + 32768;
    if (buffer->alloc > 0xa00000)
        fatal("buffer_append_space: alloc %u not supported",buffer->alloc);
    buffer->buf = xrealloc(buffer->buf, buffer->alloc);
    goto restart;

i do not have belief of giving the codepath but we must take buffer_free and make overflow by '\0'. this is not exploit of 2.4.x as malloc never return null. unless malloc w00d00.

On Mon, 15 Sep 2003 18:47:39 -0700 Darren Reed <avalon () caligula anu edu au> wrote:
> In some mail from auto64746 () hushmail com, sie said:
>> you can see the 2 bugs in this code?, seems to of me that theo could not. i am of understanding that there are exploits working on this in the wild. 3 remote holes in default install now !
>
> Well, I can see at least one bug but it's not security related:
>
> If "Buffer->alloc == X" (but offset == end == 0) and "len == X" then it allocates an extra "X + 32k" bytes rather than filling the existing buffer exactly. That, however wasteful, may be part of the design as it is hard to judge it alone like that.
>
> Maybe if you can see others you'll highlight them ?
>
> Darren
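The ordering issue in the snippet quoted in the message above, as an added example that is not part of the original post or of OpenSSH: a simplified model in which the size field is raised before the limit check, beside a variant that validates first. The struct, the function names and the `real` tracking field are hypothetical, and the cleanup routine that zeroes `alloc` bytes is an assumption based on the post's mention of buffer_free and '\0'.

```c
/* Added illustration: simplified model, not OpenSSH source.
 * model_buf, grow_* and wipe_overrun are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_ALLOC  0xa00000u  /* limit from the quoted snippet */
#define GROW_SLACK 32768u     /* slack from the quoted snippet */

struct model_buf {
    unsigned char *buf;
    unsigned int alloc;       /* size the bookkeeping claims */
    unsigned int real;        /* size actually held (model-only field) */
};
static int model_init(struct model_buf *b, unsigned int n) {
    b->buf = malloc(n);
    b->alloc = b->real = b->buf ? n : 0;
    return b->buf ? 0 : -1;
}
/* Ordering of the quoted snippet: alloc changes before the limit check.
 * Returning -1 stands in for fatal(); cleanup code may still run after it. */
static int grow_update_then_check(struct model_buf *b, unsigned int len) {
    b->alloc += len + GROW_SLACK;
    if (b->alloc > MAX_ALLOC) return -1;   /* alloc now overstates buf */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (!p) return -1;
    b->buf = p; b->real = b->alloc;
    return 0;
}
/* Hardened ordering: validate a local value, commit only after success. */
static int grow_check_then_update(struct model_buf *b, unsigned int len) {
    if (len > MAX_ALLOC - GROW_SLACK) return -1;
    if (b->alloc > MAX_ALLOC - GROW_SLACK - len) return -1;
    unsigned int newlen = b->alloc + len + GROW_SLACK;
    unsigned char *p = realloc(b->buf, newlen);
    if (!p) return -1;
    b->buf = p; b->alloc = b->real = newlen;
    return 0;
}
/* Bytes a cleanup memset(buf, 0, alloc) would write past the allocation. */
static unsigned int wipe_overrun(const struct model_buf *b) {
    return b->alloc > b->real ? b->alloc - b->real : 0;
}

int main(void) {
    struct model_buf a, b;
    if (model_init(&a, 4096) || model_init(&b, 4096)) return 1;
    grow_update_then_check(&a, MAX_ALLOC);  /* both requests are rejected */
    grow_check_then_update(&b, MAX_ALLOC);
    printf("overrun: %u vs %u\n", wipe_overrun(&a), wipe_overrun(&b));
    return 0;
}
```

In the first variant a rejected request leaves `alloc` larger than the memory actually held, so any later code that trusts `alloc` works from a wrong size; in the second the two values never diverge.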