Vulnerability Development mailing list archives

Re: ssh-1.2.27 remote buffer overflow - exploitable


From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Tue, 9 Nov 1999 11:04:19 -0500


On Tue, Nov 09, 1999 at 01:48:53AM -0000, Frank wrote:
> This is submitted to the Freebsd bug tracking system, although there
> are doubtless other vendors who leave this package, despite the
> existence of the ssh-2.X.  While Debian appears to be immune, I was
> able to crash my ssh daemon (much to my dismay), and there appears
> the potential to execute arbitrary code, as long as you encrypt it
> first...

Debian is immune for the (somewhat messy) reasons that they do not link
ssh to rsaref, last time that I checked.

> Here is the freebsd report.. it describes the method to crash a
> remote Ssh daemon (let's hope you ran sshd from your xinetd, etc).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749

Yep, I see the problem.  I'm trying to figure out enough of the
internals of this to patch it right now.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/

