lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <A558B62880684F9B8AEDACB6FD865440@KingcopePC>
Date: Tue, 15 May 2007 05:46:54 +0200
From: "Kingcope" <kingcope@....net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: ssh.com ssh-3.2.9.1 sftp server remote off by one

ssh.com ssh-3.2.9.1 sftp server remote off by one

***ATTENTION***This has not been tested under reallife conditions***

ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads

/*
 * char *ssh_realpath(const char *path, char resolved_path[MAXPATHLEN]);
 *
 * Find the real name of path, by removing all ".", ".." and symlink
 * components.  Returns (resolved) on success, or (NULL) on failure,
 * in which case the path which caused trouble is left in (resolved).
 *
 */
char *ssh_realpath(const char *path, char *resolved)
{
  struct stat sb;
  int n, rootd, serrno;
...
...
...
...
...
/*
   * Join the two strings together, ensuring that the right thing
   * happens if the last component is empty, or the dirname is root.
   */
  if (resolved[0] == '/' && resolved[1] == '\0')
    rootd = 1;
  else
    rootd = 0;

  if (*wbuf)
    {
      if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) // 
<----- !rootd
        {
          errno = ENAMETOOLONG;
          goto err1;
        }
      if (rootd == 0)
        (void)strcat(resolved, "/"); /* XXX: strcat is safe */
      (void)strcat(resolved, wbuf);     /* XXX: strcat is safe */
    }
...
...
...
...
...

ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :

---snip---
case SSH_FXP_REALPATH:
      LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));

      /* Parse the REALPATH message. */
      if (ssh_decode_array(data, len,
                           SSH_FORMAT_UINT32, &id,
                           SSH_FORMAT_UINT32_STR, &name, NULL,
                           SSH_FORMAT_END) != len || len == 0)
        {
          ssh_warning("ssh_file_server_receive_proc: bad REALPATH");
          goto return_bad_status;
        }

      LOG(0, SSH_LOG_INFORMATIONAL, ("Resolving path to `%s'", name));

      if (ssh_realpath(name, resolved) == NULL)
        {
---snip---

old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.


big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard

Signed,
Kingcope kingcope[at]gmx.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ