oss-sec mailing list archives

Re: about this openssh heap overflow


From: mancha <mancha1 () zoho com>
Date: Sat, 16 May 2015 22:21:23 +0000

On Sat, May 16, 2015 at 11:47:14PM +0200, Hanno Böck wrote:
> On Sat, 16 May 2015 21:10:07 +0000 mancha <mancha1 () zoho com> wrote:
>
>> So, we're dealing with an OOB *read* triggered by a crafted config.
>> By the way, if an attacker has write privileges to your config you
>> have bigger fish to fry.
>
> Uh no. Has nothing to do with the config (you may mix this up with
> another issue I recently reported to ssh regarding config parsing, but
> that's unrelated).
>
> It's an OOB triggered in the client by a specific banner string from
> the server.

My git repo was out of sync so 26e0bcf766fadb4 came up after:

$ git log -i --grep Hanno

After a git pull I see 77199d6ec8986d4 is the fix for the issue you're
talking about. I stand corrected.

>> Notices are already going up describing this as heap buffer overflow
>> with "high" risk. [1]
>
> That's of course bogus.

Not everyone will realize that.

>> Serves as a good reminder that context and phrasing are critically
>> important when publicly discussing bugs with possible security
>> impact in order to avoid tsunamis of the-sky-is-falling posts &
>> articles.
>
> One take-away from this story for me - also after criticism I got on
> twitter: The term "heap overflow" seems to be prone to
> misunderstanding. Some people consider every out of bounds thing an
> "overflow", some think that only oob writes should be considered
> "overflows".
>
> To avoid confusion I'll call similar issues "out of bounds read"
> instead of "read heap overflow" in the future. Probably a wording less
> prone to misunderstandings.

Good idea.

> (address sanitizer calls every oob read a heap/stack/global buffer
> overflow, that is the main reason I used that term in the past - I
> often stuck to the wording address sanitizer used)

Another take-away might be to be extra careful when discussing potential
security issues with critical security infrastructure such as OpenSSL
and OpenSSH.

--mancha
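The terminology point in the thread above, as an added C illustration that is not code from OpenSSH or from either poster: a toy banner-length scanner whose only defect is an out-of-bounds read (no byte is ever written), which AddressSanitizer nevertheless reports as "heap-buffer-overflow", next to the bounds-checked form that rejects an unterminated banner. The banner format, buffer size and function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not OpenSSH code: find the length of a
 * server identification banner, which must end in "\n" (optionally
 * preceded by "\r"), inside a buffer of the bytes received so far. */

/* Out-of-bounds READ: scans for '\n' without consulting the received
 * length. If the peer never sends a newline, the loop walks past the
 * end of the heap block. No byte is written, yet AddressSanitizer
 * labels this "heap-buffer-overflow" with "READ of size 1". */
static size_t banner_len_unchecked(const char *buf)
{
    size_t i = 0;
    while (buf[i] != '\n')          /* no bound on i */
        i++;
    return i;
}

/* Bounds-checked form: every access is limited to the bytes actually
 * received; an unterminated banner is reported as malformed (-1)
 * instead of being scanned past the buffer. */
static long banner_len_checked(const char *buf, size_t received)
{
    size_t i;
    for (i = 0; i < received; i++) {
        if (buf[i] == '\n')
            return (long)((i > 0 && buf[i - 1] == '\r') ? i - 1 : i);
    }
    return -1;                      /* no newline within received bytes */
}

int main(void)
{
    /* Constructed input: 8 received bytes, no terminator, no NUL. */
    char *rx = malloc(8);
    if (rx == NULL)
        return 1;
    memcpy(rx, "SSH-2.0-", 8);
    printf("checked: %ld\n", banner_len_checked(rx, 8));     /* -1 */
    /* Build with -fsanitize=address to see the READ report here. */
    printf("unchecked: %zu\n", banner_len_unchecked(rx));
    free(rx);
    return 0;
}
```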
