Message-ID: <20031013122353.GX25932@skywalker.bsws.de>
From: hb-fulldisclosure at bsws.de (Henning Brauer)
Subject: openssh exploit code?
On Mon, Oct 13, 2003 at 12:13:14AM -0700, security snot wrote:
> Can you provide any sort of technical argument as to why this bug is not
> exploitable?
sure. look what happens:
    buffer->alloc += len + 32768;
    if (buffer->alloc > 0xa00000)
        fatal("buffer_append_space: alloc %u not supported",
            buffer->alloc);
    buffer->buf = xrealloc(buffer->buf, buffer->alloc);
the error condition is xrealloc failing.
xrealloc is a wrapper for realloc, which does proper error checking,
and calls fatal() on error.
there is the bug - fatal uses the buffer.
what happens is basically
    bzero(buffer->buf, buffer->alloc);
as buffer->alloc is already increased, but buffer->buf is still the
old len, we bzero too much.
now please explain to me how this is exploitable.
> Or are you going to simply stand behind the typical OpenBSD
> zealot view and say it can't be exploited, only because there is not
> public "proof of concept" code available?
"I have an exploit but I don't show it", yeah, sure.
we analyzed the bug of course.
don't get me wrong: This is a bug, our action of re-building all
release sets with the fix was absolutely the way to go (even given it
was a major PITA and a _lot_ of work), and this is a
bad bug that should be fixed ASAP, and everybody out there running
sshd should upgrade/patch asap if not done yet.
However, I absolutely fail to see how this should lead to arbitrary
code execution on a unix system with a reasonable malloc implementation.
It's a remote DoS.
> ISS' X-Forces claim to have created a working proof-of-concept code for
> the bug. Are you calling those respectable young men and women liars?
if they claim they have an exploit that leads to arbitrary code
execution: yes I do, until we get proof.
I won't answer the rest of your mail which is entirely FUD.
You ask for proof? What about YOU proving your statements? Just
claiming something without any proof is nothing but FUD.
> ps: provide an adequate technical discussion against the exploitability of
> this particular bug, and if it proves to be sound I'll release an exploit
> for a different unpublished OpenSSH bug for you guys to write up some
> advisories on! (err, must be FUD:)
please do.
this way it is just FUD.
prove your claims.
--
Henning Brauer, BS Web Services, http://bsws.de
hb@...s.de - henning@...nbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
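To make the ordering Henning describes concrete, here is an added C example. It is not OpenSSH's code and not an exploit: it keeps the bump-alloc-then-realloc ordering of the quoted snippet, substitutes a realloc that can be made to fail, and stands in for the fatal() cleanup with a routine that measures, rather than performs, the out-of-bounds zeroing. The Buffer struct, sim_realloc, cleanup_zero and the reordered "fixed" variant are all assumptions written for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSH's Buffer (assumed field names, after the quoted
 * snippet; this is not OpenSSH's buffer.c). */
typedef struct {
    unsigned char *buf;
    unsigned int alloc;   /* how big the code believes buf is */
} Buffer;

/* Assumed knob standing in for memory exhaustion: next realloc fails. */
static int fail_next_realloc = 0;

static void *sim_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Stand-in for the cleanup fatal() reaches (buffer_free zeroing
 * buffer->alloc bytes).  The true allocation length is passed in so the
 * overrun is measured instead of written.  Returns the bytes that the
 * zeroing would have gone past the end of the real allocation. */
static size_t cleanup_zero(Buffer *b, size_t real_len)
{
    size_t want = b->alloc;
    if (b->buf != NULL)
        memset(b->buf, 0, want < real_len ? want : real_len);
    return want > real_len ? want - real_len : 0;
}

/* Mirrors the quoted ordering: alloc is bumped before realloc succeeds.
 * Returns -1 if the 0xa00000 cap would call fatal(), otherwise the overrun
 * in bytes caused by the failure path (0 = append went through). */
static long append_space_buggy(Buffer *b, unsigned int len)
{
    size_t real_len = b->alloc;
    unsigned char *p;

    b->alloc += len + 32768;
    if (b->alloc > 0xa00000)
        return -1;                      /* fatal("... not supported") */
    p = sim_realloc(b->buf, b->alloc);
    if (p == NULL)                      /* xrealloc -> fatal -> cleanup */
        return (long)cleanup_zero(b, real_len);
    b->buf = p;
    return 0;
}

/* Reordered (assumed fix for this example, not copied from OpenSSH):
 * compute the new size first and commit it to b->alloc only after realloc
 * succeeded, so cleanup always sees the true length. */
static long append_space_fixed(Buffer *b, unsigned int len)
{
    unsigned int newalloc = b->alloc + len + 32768;
    unsigned char *p;

    if (newalloc > 0xa00000)
        return -1;
    p = sim_realloc(b->buf, newalloc);
    if (p == NULL)
        return (long)cleanup_zero(b, b->alloc);
    b->buf = p;
    b->alloc = newalloc;
    return 0;
}

/* Buggy path on a 4096-byte buffer with realloc failing. */
long overrun_buggy(void)
{
    Buffer b = { malloc(4096), 4096 };
    long r;
    fail_next_realloc = 1;
    r = append_space_buggy(&b, 100);   /* (4096+100+32768) - 4096 */
    free(b.buf);
    return r;
}

/* Same scenario through the fixed ordering. */
long overrun_fixed(void)
{
    Buffer b = { malloc(4096), 4096 };
    long r;
    fail_next_realloc = 1;
    r = append_space_fixed(&b, 100);
    free(b.buf);
    return r;
}

/* The cap fires before any realloc, so alloc never exceeds 0xa00000. */
long cap_hit(void)
{
    Buffer b = { NULL, 0xa00000 - 10 };
    return append_space_buggy(&b, 1);
}

int main(void)
{
    printf("buggy ordering, realloc fails: zeroing runs %ld bytes past the end\n",
           overrun_buggy());
    printf("fixed ordering, realloc fails: %ld bytes past the end\n",
           overrun_fixed());
    printf("alloc cap: %ld\n", cap_hit());
    return 0;
}
```

The measured overrun is always len + 32768, whatever the old size was: the cleanup zeroes the old allocation plus exactly the increment that was added before realloc failed. What lies in memory after the old allocation, and therefore what those zero bytes land on, is a property of the malloc implementation, which is why the exploitability question in the thread turns on the allocator rather than on the bug itself.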