lists.openwall.net: Open Source and information security mailing list archives
From: hb-fulldisclosure at bsws.de (Henning Brauer)
Subject: openssh exploit code?

On Mon, Oct 13, 2003 at 12:13:14AM -0700, security snot wrote:
> Can you provide any sort of technical argument as to why this bug is not
> exploitable?

sure. look what happens:

	buffer->alloc += len + 32768;
	if (buffer->alloc > 0xa00000)
		fatal("buffer_append_space: alloc %u not supported",
		    buffer->alloc);
	buffer->buf = xrealloc(buffer->buf, buffer->alloc);

the error condition is xrealloc failing. xrealloc is a wrapper for realloc,
which does proper error checking, and calls fatal() on error. there is the
bug - fatal uses the buffer. what happens is basically

	bzero(buffer->buf, buffer->alloc);

as buffer->alloc is already increased, but buffer->buf is still the old
len, we bzero too much.

now please explain to me how this is exploitable.

> Or are you going to simply stand behind the typical OpenBSD
> zealot view and say it can't be exploited, only because there is not
> public "proof of concept" code available?

"I have an exploit but I don't show it", yeah, sure.

we analyzed the bug of course. don't get me wrong: This is a bug, our
action of re-building all release sets with the fix was absolutely the way
to go (even given it was a major PITA and a _lot_ of work), and this is a
bad bug that should be fixed ASAP, and everybody out there running sshd
should upgrade/patch asap if not done yet.

However, I absolutely fail to see how this should lead to arbitrary code
execution on a unix system with a reasonable malloc implementation. It's a
remote DoS.

> ISS' X-Forces claim to have created a working proof-of-concept code for
> the bug. Are you calling those respectable young men and women liars?

if they claim they have an exploit that leads to arbitrary code execution:
yes I do, until we get proof.

I won't answer the rest of your mail which is entirely FUD. You ask for
proof? What about YOU proving your statements? Just claiming something
without any proof is nothing but FUD.

> ps: provide an adequate technical discussion against the exploitability of
> this particular bug, and if it proves to be sound I'll release an exploit
> for a different unpublished OpenSSH bug for you guys to write up some
> advisories on! (err, must be FUD:)

please do. this way it is just FUD. prove your claims.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@...s.de - henning@...nbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
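The ordering defect Henning describes, shown as an added example that is not part of the original post and not OpenSSH's buffer.c: the quoted "bump alloc, then realloc" ordering beside a hardened variant that commits the new size only after realloc has succeeded, so a cleanup that wipes `alloc` bytes can never run past the real block. The `struct buffer` stand-in, the injected `realloc_fails` flag and `overrun_on_failure()` are constructed for illustration.

```c
#include <stdlib.h>

/* Stand-in for OpenSSH's Buffer; field names mirror the post. Example code,
 * not OpenSSH's buffer.c. */
struct buffer {
    unsigned char *buf;   /* heap block; really `alloc` bytes only if in sync */
    size_t alloc;         /* what the bookkeeping believes is allocated */
    size_t len;           /* bytes in use */
};
#define BUFFER_MAX_ALLOC 0xa00000   /* same limit as the quoted code */

/* Each variant takes an injected failure flag instead of a real OOM so the
 * effect is reproducible. Return value: how many bytes a cleanup doing
 * bzero(buf, alloc) (what the post says fatal() ends up doing) would write
 * past the real end of the block; 0 means the wipe stays in bounds. */

/* Vulnerable ordering, as quoted: alloc grows before realloc has succeeded. */
size_t grow_vulnerable(struct buffer *b, size_t len, int realloc_fails)
{
    size_t real_size = b->alloc;            /* size of the block buf points at */
    b->alloc += len + 32768;
    if (b->alloc > BUFFER_MAX_ALLOC || realloc_fails)
        return b->alloc - real_size;        /* fatal() path: alloc already lies */
    b->buf = realloc(b->buf, b->alloc);     /* xrealloc() in the real code */
    return b->buf ? 0 : b->alloc - real_size;
}

/* Hardened ordering: compute the new size, commit it only once realloc has
 * succeeded, so `alloc` never disagrees with the block behind `buf`. */
size_t grow_hardened(struct buffer *b, size_t len, int realloc_fails)
{
    size_t newalloc = b->alloc + len + 32768;
    if (newalloc > BUFFER_MAX_ALLOC)
        return 0;                           /* refuse; state untouched */
    unsigned char *p = realloc_fails ? NULL : realloc(b->buf, newalloc);
    if (p == NULL)
        return 0;                           /* refuse; alloc still matches buf */
    b->buf = p;
    b->alloc = newalloc;
    return 0;
}

/* Drive one variant with a constructed 1024-byte buffer and a failing
 * realloc; returns the overrun the subsequent wipe would have. */
size_t overrun_on_failure(int hardened)
{
    struct buffer b = { calloc(1024, 1), 1024, 0 };
    size_t over = hardened ? grow_hardened(&b, 100, 1)
                           : grow_vulnerable(&b, 100, 1);
    free(b.buf);
    return over;
}
```

With the quoted ordering the wipe overruns by exactly `len + 32768` bytes on a failed realloc; with the hardened ordering the bookkeeping is untouched on failure and the wipe stays within the block.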