lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031013122353.GX25932@skywalker.bsws.de>
From: hb-fulldisclosure at bsws.de (Henning Brauer)
Subject: openssh exploit code?

On Mon, Oct 13, 2003 at 12:13:14AM -0700, security snot wrote:
> Can you provide any sort of technical argument as to why this bug is not
> exploitable?

sure. look what happens:

	buffer->alloc += len + 32768;
	if (buffer->alloc > 0xa00000)
		fatal("buffer_append_space: alloc %u not supported",
		    buffer->alloc);
	buffer->buf = xrealloc(buffer->buf, buffer->alloc);

the error condition is xrealloc failing.
xrealloc is a wrapper for realloc, which does proper error checking, 
and calls fatal() on error.
there is the bug - fatal uses the buffer.
what happens is basically
	bzero(buffer->buf, buffer->alloc);
as buffer->alloc is already increased, but buffer->buf is still the 
old len, we bzero too much.
now please explain me how this is exploitable.

> Or are you going to simply stand behind the typical OpenBSD
> zealot view and say it can't be exploited, only because there is not
> public "proof of concept" code available?

"I have an exploit but I don't show it", yeah, sure.

we analyzed the bug of course.

don't get me wrong: This is a bug, our action of re-building all 
release sets with the fix was absolutely the way to go (even given it 
was a major PITA and a _lot_ od work), and this is a 
bad bug that should be fixed ASAP, and everybody out there running 
sshd should upgrade/patch asap if not done yet.

However, I absolutely fail to see how this should lead to arbitary 
code execution on a unix system with a reasonable malloc implementation.
It's a remote DoS.

> ISS' X-Forces claim to have created a working proof-of-concept code for
> the bug.  Are you calling those respectable young men and woman liars?

if they claim they have an exploit that leads to arbitary code 
execution: yes I do, until we get proof.

I won't answer the rest of your mail which is entirely FUD.

You ask for proof? WHat about YOU proving your statements? Just 
claiming something without any proof is nothing but FUD.

> ps: provide an adequate technical discussion against the exploitability of
> this particular bug, and if it proves to be sound I'll release an exploit
> for a different unpublished OpenSSH bug for you guys to write up some
> advisories on!  (err, must be FUD:)

please do.
this way it is just FUD.
prove your claims.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@...s.de - henning@...nbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ