Vulnerability Development mailing list archives

Re: OpenSSH Vulnerability


From: "Alexander E. Cuttergo" <cuttergo () gmx net>
Date: Thu, 18 Sep 2003 11:35:21 -0700

On Thu, Sep 18, 2003 at 2:57AM, Adam Gilmore wrote:
> The input buffer
> is the one we're hoping to overflow as it's the only one that has a looped
> buffer_append() (which then calls buffer_append_space).
No. At least, you can overflow "compression_buffer". Look at
buffer_uncompress(). The added benefit is that you need to send only about 12Kb of
data to crash sshd, not 15MB. In this case, if privilege separation is
enabled, the crash happens in an unprivileged process.
In the case of Linux, the trouble is that such a large memory area is allocated via
mmap. It is also the only such large area - therefore there is no mapped
memory after compression_buffer when it overflows. So, sshd crashes in
memcpy() attempting to access non-mapped memory, which is not exploitable.
Perhaps it is possible to force compression_buffer to be allocated on the heap
(if enough memory was freed previously), but I failed to do so.
It would be easier to exploit an out-of-memory condition. But it requires an
additional bug to consume all memory on an attacked host. By default, sshd
allows only 10 unauthenticated sessions, so via sshd you can only consume ca.
20MBx10=200MB, which is not enough.

peace,
algo
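
As an added illustration of the defensive side of the looped buffer_append()/buffer_append_space() growth discussed above (example code written for this page, not OpenSSH's own buffer.c; the hbuf names, the 1 MiB cap and the 32 KiB growth step are assumed values): a growable buffer that bounds its total allocation with overflow-safe arithmetic and updates its bookkeeping only after the reallocation has succeeded, so a peer looping appends is refused at the cap rather than driving the process toward a crash or an out-of-memory condition.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed cap and growth step: hypothetical values, not OpenSSH's own. */
#define HBUF_MAX_ALLOC ((size_t)1 << 20)   /* 1 MiB hard limit on the allocation */
#define HBUF_GROW_STEP ((size_t)32768)

struct hbuf {
    unsigned char *buf;
    size_t alloc;   /* bytes allocated */
    size_t end;     /* bytes in use */
};

/* Append len bytes. Returns 0 on success, -1 if the result would exceed the
 * cap, wrap around, or the allocation fails; on -1 the buffer is untouched. */
int hbuf_append(struct hbuf *b, const void *data, size_t len) {
    if (len > HBUF_MAX_ALLOC || b->end > HBUF_MAX_ALLOC - len)
        return -1;   /* overflow-safe bound check before any state changes */
    if (b->end + len > b->alloc) {
        size_t want = b->end + len + HBUF_GROW_STEP;
        if (want > HBUF_MAX_ALLOC)
            want = HBUF_MAX_ALLOC;
        unsigned char *n = realloc(b->buf, want);
        if (n == NULL)
            return -1;
        b->buf = n;
        b->alloc = want;   /* bookkeeping updated only after realloc succeeded */
    }
    memcpy(b->buf + b->end, data, len);
    b->end += len;
    return 0;
}

void hbuf_free(struct hbuf *b) { free(b->buf); b->buf = NULL; b->alloc = b->end = 0; }

/* Model a peer that keeps sending chunks of one size in a loop: returns how
 * many bytes were accepted before the cap refused the next chunk. */
size_t hbuf_feed_until_refused(size_t chunk) {
    struct hbuf b = { NULL, 0, 0 };
    unsigned char *data = calloc(chunk, 1);   /* constructed filler data */
    if (data == NULL) return 0;
    while (hbuf_append(&b, data, chunk) == 0)
        ;
    size_t accepted = b.end;
    free(data);
    hbuf_free(&b);
    return accepted;
}
```

With 12 KiB chunks (the size the post mentions) the loop is stopped after 85 appends, at 1044480 bytes, because the 86th would cross the 1 MiB cap.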
