Vulnerability Development mailing list archives
Re: OpenSSH Vulnerability
From: "Alexander E. Cuttergo" <cuttergo () gmx net>
Date: Thu, 18 Sep 2003 11:35:21 -0700
On Thu, Sep 18, 2003 at 2:57AM, Adam Gilmore wrote:
The input buffer is the one we're hoping to overflow as it's the only one that has a looped buffer_append() (which then calls buffer_append_space).
No. At least, you can overflow "compression_buffer". Look at buffer_uncompress(). The added benefit is you need to send only about 12Kb of data to crash sshd, not 15MB. In this case, if privilege separation is enabled, the crash happens in an unprivileged process.

In case of Linux, the trouble is, such a large memory area is allocated via mmap. It is also the only such large area - therefore there is no mapped memory after compression_buffer when it overflows. So, sshd crashes in memcpy() attempting to access non-mapped memory, which is not exploitable. Perhaps it is possible to force compression_buffer to be allocated on heap (if previously enough memory was freed), I failed to do so.

It would be easier to exploit out-of-memory condition. But it requires additional bug to consume all memory on an attacked host. By default, sshd allows only 10 unauthenticated sessions, so by sshd you can only consume ca. 20MB x 10 = 200MB, which is not enough.

peace, algo
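The thread turns on a growable buffer whose append path can be driven in a loop until it grows past what its allocator can back. As an added illustration (this is not OpenSSH's buffer.c and not code from either poster), the hypothetical growbuf below shows the defensive shape a practitioner wants: a hard cap checked before any state is touched, and size fields updated only after realloc() succeeds, so a refused or failed growth leaves the structure consistent for the caller to clean up. The cap value GROWBUF_MAX_LEN and all function names are constructed for the example.

```c
/* Added illustration (hypothetical code, not OpenSSH's buffer.c): a
 * growable buffer with a size cap enforced before the buffer is mutated. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define GROWBUF_MAX_LEN ((size_t)1 << 20)  /* constructed cap: 1 MiB */

typedef struct {
    unsigned char *buf;
    size_t alloc;   /* bytes currently allocated */
    size_t offset;  /* start of unconsumed data */
    size_t end;     /* one past the last byte of data */
} growbuf;

void growbuf_init(growbuf *b) { memset(b, 0, sizeof *b); }
void growbuf_free(growbuf *b) { free(b->buf); memset(b, 0, sizeof *b); }

size_t growbuf_len(const growbuf *b) { return b->end - b->offset; }

/* Reserve len writable bytes at the end of the buffer.
 * Returns a pointer to them, or NULL if the request would push the buffer
 * past GROWBUF_MAX_LEN or the allocation fails. On NULL, no field of *b has
 * changed except for compaction of already-consumed data. */
unsigned char *growbuf_append_space(growbuf *b, size_t len)
{
    if (len > GROWBUF_MAX_LEN)
        return NULL;                       /* refuse oversized requests early */

    /* Reclaim consumed bytes at the front before deciding whether to grow. */
    if (b->offset > 0) {
        memmove(b->buf, b->buf + b->offset, b->end - b->offset);
        b->end -= b->offset;
        b->offset = 0;
    }

    if (b->end + len > b->alloc) {
        size_t newalloc = b->alloc ? b->alloc : 4096;
        while (newalloc < b->end + len) {
            if (newalloc > SIZE_MAX / 2)
                return NULL;               /* would overflow size_t */
            newalloc *= 2;
        }
        if (newalloc > GROWBUF_MAX_LEN)
            return NULL;                   /* cap checked BEFORE mutation */
        unsigned char *p = realloc(b->buf, newalloc);
        if (p == NULL)
            return NULL;                   /* alloc/end still describe old buf */
        b->buf = p;
        b->alloc = newalloc;               /* updated only after success */
    }

    unsigned char *dst = b->buf + b->end;
    b->end += len;
    return dst;
}

/* Copy len bytes of data onto the end of the buffer; 0 on success, -1 if refused. */
int growbuf_append(growbuf *b, const void *data, size_t len)
{
    unsigned char *dst = growbuf_append_space(b, len);
    if (dst == NULL)
        return -1;
    memcpy(dst, data, len);
    return 0;
}

/* Demo: append 4 KiB chunks in a loop, the pattern the thread discusses.
 * Growth stops cleanly at the cap; returns how many appends succeeded. */
int demo_loop_until_cap(void)
{
    growbuf b;
    unsigned char chunk[4096];
    int n = 0;

    growbuf_init(&b);
    memset(chunk, 'A', sizeof chunk);      /* constructed filler data */
    while (growbuf_append(&b, chunk, sizeof chunk) == 0)
        n++;
    growbuf_free(&b);
    return n;                              /* 1 MiB / 4 KiB = 256 */
}
```

The ordering inside growbuf_append_space is the point: the cap and the realloc() result are both checked before alloc or end move, so a rejected append never leaves a buffer whose recorded size disagrees with its real allocation, which is the state a later free or memset would otherwise act on.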