Message-ID: <nnekyc90an.fsf@fafner.lysator.liu.se>
From: nisse at lysator.liu.se (Niels Möller)
Subject: lsh patch (was Re: new ssh exploit?)
I wrote:
> > I'm *not* going to bet that it isn't exploitable. I'll try to get new
> > releases out within a few days, until then, I recommend that you apply
> > the above patch to lshd and recompile, or disable lshd service.
Carl Livitt <carl@...rningshophull.co.uk> writes:
> I would recommend that too. Attached is a revised version of the exploit I
> posted earlier with a couple more targets.... it also works against lsh
> running 'daemonic', ie. started as a daemon and not just against lshd running
> in the foreground.
If you have the time, I would much appreciate if you could try the
patched version of lsh. I'm not able to crash it by sending random
data, but some independent testing would be valuable.
The versions to be released shortly fix the buffer overrun in the
initial handshake, and two other bugs of similar character (but
different consequences).
I append the interesting part of the current patch for lsh-1.4.2. To
be able to compile it without triggering regeneration of the
corresponding .x-files, touch those files before running make.
As far as I can tell, the last chunk of the patch, for read_line.c, is
the bug that's been exploited.
Regards,
/Niels
diff -u -p -r1.26 -r1.26.2.1
--- src/channel_commands.c 27 Sep 2001 06:26:58 -0000 1.26
+++ src/channel_commands.c 19 Sep 2003 12:15:37 -0000 1.26.2.1
@@ -57,6 +57,7 @@ do_channel_open_command(struct command *
make_channel_open_exception(
SSH_OPEN_RESOURCE_SHORTAGE,
"Allocating a local channel number failed."));
+ return;
}
channel = NEW_CHANNEL(self, connection, index, &request);
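Review bot: The added `return;` after `make_channel_open_exception(SSH_OPEN_RESOURCE_SHORTAGE, ...)` closes a fall-through in which a failed channel-number allocation still reached `channel = NEW_CHANNEL(self, connection, index, &request);` with an index that was never obtained. The fix looks correct as far as the visible context shows; a one-line comment on the early return would help, and it is worth confirming that nothing acquired earlier in do_channel_open_command needs releasing on this path.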
diff -u -p -r1.59 -r1.59.2.1
--- src/client_keyexchange.c 13 Mar 2002 15:48:46 -0000 1.59
+++ src/client_keyexchange.c 19 Sep 2003 14:37:59 -0000 1.59.2.1
@@ -268,6 +268,7 @@ do_handle_srp_reply(struct packet_handle
{
lsh_string_free(salt);
disconnect_kex_failed(connection, "Bye");
+ return;
}
mpz_init(x);
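Review bot: The `return;` after `disconnect_kex_failed(connection, "Bye");` is needed because, with `salt` already freed on the line above, execution otherwise continues into `mpz_init(x);` and the rest of the SRP reply handling on a connection that has just been told to disconnect. Consider a brief comment stating that disconnect_kex_failed does not itself leave the handler, since that is the assumption this return depends on.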
@@ -282,8 +283,11 @@ do_handle_srp_reply(struct packet_handle
mpz_clear(x);
if (!response)
- PROTOCOL_ERROR(connection->e,
- "SRP failure: Invalid public value from server.");
+ {
+ PROTOCOL_ERROR(connection->e,
+ "SRP failure: Invalid public value from server.");
+ return;
+ }
C_WRITE_NOW(connection, response);
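Review bot: Adding `return;` after `PROTOCOL_ERROR(connection->e, "SRP failure: Invalid public value from server.");` is the substantive fix here: previously a NULL `response` fell straight through to `C_WRITE_NOW(connection, response);`. The new braces are required because the if body is now two statements; worth double-checking that PROTOCOL_ERROR is a macro that returns to the caller rather than one that already exits the function, otherwise the return is harmless but redundant.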
diff -u -p -r1.30 -r1.30.4.1
--- src/read_line.c 4 Aug 2000 00:04:50 -0000 1.30
+++ src/read_line.c 19 Sep 2003 12:22:29 -0000 1.30.4.1
@@ -98,6 +98,8 @@ do_read_line(struct read_handler **h,
/* Too long line */
EXCEPTION_RAISE(self->e,
make_protocol_exception(0, "Line too long."));
+
+ return available;
}
/* Ok, now we have a line. Copy it into the buffer. */
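Review bot: The `return available;` after `make_protocol_exception(0, "Line too long.")` is the key change: without it the too-long-line path fell through to the `/* Ok, now we have a line. Copy it into the buffer. */` code, which is the overrun the covering message identifies. A short comment explaining why the full `available` count is reported as consumed (the oversized input is discarded rather than left for a retry) would make the intent clear, and a regression test that feeds do_read_line a line longer than the buffer would guard against reintroducing the fall-through.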