oss-sec mailing list archives

Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)


From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 23 Feb 2023 14:59:32 +0000

Hi Demi,

On Wed, Feb 22, 2023 at 10:17:19AM -0500, Demi Marie Obenour wrote:
Is it possible to use this information leak to bypass ASLR without
crashing the process?

Unfortunately, no: sshd calls _exit() immediately after this information
leak, and fork()s + re-execv()s itself (and therefore re-randomizes its
address space) the next time we connect to it; i.e., a memory address
leaked in one connection is useless in another connection.

Also, is this flaw expected to be exploitable for code execution on
GNU/Linux?

We are focusing on OpenBSD for now, because its malloc seems more
compatible with this particular double-free bug than glibc's malloc; we
will look into glibc/Linux at some point, and will keep you posted.

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team

Current thread: