Re: SSH exploit

[nahual () S0D SAL ITESM MX (El Nahual)]

Eerrrmmmm being fast here there is already an exploit going on there,
s0d's server got hit by it, we are still examing the logs and look very
very promissing on discovering what is going on (looks like remote root is
posible)

If anyone is interested email me because I don't think everyone wants to
recieve the entire log (wich is quite large!)

El Nahual
"Your soul is mine, 'cause mine is the nahual"

On Wed, 24 Nov 1999, Gerardo Richarte wrote:

> Sebastian wrote:
>
> > The problem is you cannot reach the input_len varible, since it is a
> > register. Therefore the RSA check fails and the program exit's before it
> > issues a ret.
>
>       Why you think you need to overwrite input_len?
>
>       we successfully overwritted input_data[], then we overwritted every
> input argument, but we are only interested in key, which is what RSA
> uses to compare input_len to. So we put in key a pointer to the stack,
> where we placed a key structure similar to the original, but with the
> field bits choosen so almost every test in RSA is passed.
>       The main problem we have, after the decription is performed, is that
> when RSAPrivateBlock does its final NN_Decode() there is a buffer
> overflow (more on this in a future advisory) in RSA ref that we couldn't
> avoid.
>
>       Anyway, input_len is defined after input_data[], so would not be
> overwriteable even if it were not in a register.
>
>       richie
>
> --
> A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
> Investigacion y Desarrollo - CoreLabs - Core SDI
> http://www.core-sdi.com
>
> --- For a personal reply use gera () core-sdi com