Message-ID: <20030916150716.21180.qmail@web41607.mail.yahoo.com>
From: ffddfe at yahoo.com (Diode Trnasistor)
Subject: openssh remote exploit

um...

from xmalloc.c :

#include <stdlib.h>
#include <sys/types.h>	/* u_long */

void	 fatal(const char *, ...);	/* OpenSSH log.h: logs the message and exits */

void *
xrealloc(void *ptr, size_t new_size)
{
	void *new_ptr;

	if (new_size == 0)
		fatal("xrealloc: zero size");
	if (ptr == NULL)
		new_ptr = malloc(new_size);
	else
		new_ptr = realloc(ptr, new_size);
	if (new_ptr == NULL)
		fatal("xrealloc: out of memory (new_size %lu bytes)",
		    (u_long) new_size);
	return new_ptr;
}

so yeah, I still fail to see the problem, except that
the size_t value passed to realloc comes from the
structure to be reallocated.  Bah.. I don't get it :\
HALP!

--- auto64746@...hmail.com wrote:
> 
> Look closer.
> 
> 	buffer->alloc += len + 32768;
> 	if (buffer->alloc > 0xa00000)
> 		fatal("buffer_append_space: alloc %u not supported",
> 		    buffer->alloc);
> 
> 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
> 	goto restart;
> 
> I do not believe in giving the codepath, but we must
> take buffer_free and make an overflow by '\0'.
> This is not an exploit on 2.4.x as malloc never returns
> null, unless malloc w00d00.
> 
> On Mon, 15 Sep 2003 18:47:39 -0700 Darren Reed
> <avalon@...igula.anu.edu.au>
> wrote:
> >In some mail from auto64746@...hmail.com, sie said:
> >>
> >> Can you see the 2 bugs in this code? It seems to me
> >> that Theo could not. I am of the understanding that
> >> there are exploits working on this in the wild.
> >> 3 remote holes in default install now!
> >
> >Well, I can see at least one bug but it's not
> >security related:
> >
> >If "Buffer->alloc == X" (but offset == end == 0)
> >and "len == X" then it allocates an extra "X + 32k"
> >bytes rather than filling the existing buffer exactly.
> >That, however wasteful, may be part of the design as
> >it is hard to judge it alone like that.
> >
> >Maybe if you can see others you'll highlight them?
> >
> >Darren
> >
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html
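The flaw the quoted reply hints at (buffer->alloc is bumped before the reallocation it describes, so a cleanup such as buffer_free that zeroes alloc bytes acts on a smaller real allocation when fatal() fires) is modelled below, as an added example that is neither from this thread nor OpenSSH's code: the vulnerable update order beside the corrected one, with the would-be overrun measured instead of performed. Buffer, MAX_ALLOC, real_alloc and the function names are constructed for the illustration.

```c
#include <stdlib.h>
/* Constructed model of OpenSSH's Buffer bookkeeping (not the project's code);
 * real_alloc is instrumentation recording what buf actually holds. */
typedef struct {
	unsigned char *buf;
	unsigned int alloc;	/* size the code believes buf has */
	unsigned int offset, end;
	unsigned int real_alloc;
} Buffer;

#define MAX_ALLOC 0xa00000u	/* the cap checked in buffer_append_space */

/* Vulnerable order: alloc is bumped before the allocation it describes
 * exists. Returns -1 where the original would call fatal(). */
static int append_space_vuln(Buffer *b, unsigned int len)
{
	b->alloc += len + 32768;
	if (b->alloc > MAX_ALLOC)
		return -1;	/* fatal(): cleanup now trusts a stale alloc */
	b->buf = realloc(b->buf, b->alloc);
	b->real_alloc = b->alloc;
	return 0;
}

/* Corrected order: compute the new size, reject it if too large, and only
 * then commit it to the structure, so alloc never outruns buf. */
static int append_space_fixed(Buffer *b, unsigned int len)
{
	unsigned int newalloc = b->alloc + len + 32768;
	if (newalloc > MAX_ALLOC)
		return -1;	/* alloc still matches buf */
	b->buf = realloc(b->buf, newalloc);
	b->alloc = b->real_alloc = newalloc;
	return 0;
}

/* Bytes a cleanup like buffer_free()'s memset(buf, 0, alloc) would write
 * past the real allocation; 0 means no overrun. */
static unsigned int cleanup_overrun(const Buffer *b)
{
	return b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
}

/* Drive one oversized append (len beyond the cap) through either variant
 * and measure, rather than perform, the resulting overrun. */
static unsigned int overrun_after_oversized(int (*append)(Buffer *, unsigned int))
{
	Buffer b = { malloc(4096), 4096, 0, 0, 4096 };
	(void)append(&b, MAX_ALLOC);	/* forces the fatal() path */
	unsigned int over = cleanup_overrun(&b);
	free(b.buf);
	return over;
}
```

With a 4096-byte buffer and an append of MAX_ALLOC, the vulnerable order leaves alloc at 0xa09000 while buf is still 4096 bytes, so a zeroing cleanup would overrun by 0xa08000 bytes; the corrected order reports 0.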