Message-ID: <20030916150716.21180.qmail@web41607.mail.yahoo.com>
From: ffddfe at yahoo.com (Diode Trnasistor)
Subject: openssh remote exploit
um...
from xmalloc.c :
xrealloc(void *ptr, size_t new_size)
{
	void *new_ptr;

	if (new_size == 0)
		fatal("xrealloc: zero size");
	if (ptr == NULL)
		new_ptr = malloc(new_size);
	else
		new_ptr = realloc(ptr, new_size);
	if (new_ptr == NULL)
		fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
	return new_ptr;
}
so yeah, i still fail to see the problem, except the
size_t value passed to realloc comes from the
structure to be reallocated. Bah..i don't get it :\
HALP!
--- auto64746@...hmail.com wrote:
> Look closer.
>
> buffer->alloc += len + 32768;
> if (buffer->alloc > 0xa00000)
> 	fatal("buffer_append_space: alloc %u not supported", buffer->alloc);
>
> buffer->buf = xrealloc(buffer->buf, buffer->alloc);
> goto restart;
>
> i do not have belief of giving the codepath but we
> must take buffer_free
> and make overflow by '\0'.
> this is not exploit of 2.4.x as malloc never return
> null. unless malloc
> w00d00.
>
> On Mon, 15 Sep 2003 18:47:39 -0700 Darren Reed <avalon@...igula.anu.edu.au> wrote:
> >In some mail from auto64746@...hmail.com, sie said:
> >>
> >> you can see the 2 bugs in this code?, seems to of me that theo could
> >> not. i am of understanding that there are exploits working on this in
> >> the wild. 3 remote holes in default install now !
> >
> >Well, I can see at least one bug but it's not security related:
> >
> >If "Buffer->alloc == X" (but offset == end == 0) and "len == X" then
> >it allocates an extra "X + 32k" bytes rather than filling the existing
> >buffer exactly. That, however wasteful, may be part of the design as
> >it is hard to judge it alone like that.
> >
> >Maybe if you can see others you'll highlight them ?
> >
> >Darren
> >
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
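
Added example (not part of the original message and not OpenSSH's code): a simplified C model of the ordering the quoted reply points at, where alloc is updated before the size check, next to an order that commits alloc only after the check and realloc succeed. The `real` field, the -1 return standing in for fatal(), and the names grow_quoted, grow_checked and stale_excess are assumptions made for this illustration.

```c
#include <stdlib.h>

#define BUFFER_MAX 0xa00000u  /* limit from the quoted snippet */
#define GROW_SLACK 32768u     /* extra space from the quoted snippet */

/* Simplified model; 'real' (true heap block size) is added for illustration. */
typedef struct {
    unsigned char *buf;
    unsigned int alloc;   /* size the bookkeeping claims */
    size_t real;          /* size actually allocated */
} Buffer;

/* Order quoted in the thread. Returns -1 where the original calls fatal(). */
static int grow_quoted(Buffer *b, unsigned int len)
{
    b->alloc += len + GROW_SLACK;          /* committed before the check */
    if (b->alloc > BUFFER_MAX)
        return -1;                         /* buf is still the old block */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->real = b->alloc;
    return 0;
}

/* Hardened order: compute in a local, check, commit only after realloc. */
static int grow_checked(Buffer *b, unsigned int len)
{
    unsigned long long newlen = (unsigned long long)b->alloc + len + GROW_SLACK;
    if (newlen > BUFFER_MAX)
        return -1;                         /* alloc untouched on rejection */
    unsigned char *p = realloc(b->buf, (size_t)newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = (unsigned int)newlen;
    b->real = (size_t)newlen;
    return 0;
}

/* Bytes by which alloc overstates the block after a grow attempt; a cleanup
 * routine that trusts alloc would touch this many bytes past the block. */
static size_t stale_excess(int (*grow)(Buffer *, unsigned int), unsigned int len)
{
    Buffer b = { malloc(4096), 4096, 4096 };
    grow(&b, len);
    size_t excess = b.alloc > b.real ? b.alloc - b.real : 0;
    free(b.buf);
    return excess;
}
```

A non-zero result from stale_excess means the size field no longer matches the block, which is the state the reply says buffer_free then acts on.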