Bugtraq mailing list archives
Some revelations about ssh and stackpatch
From: woloszyn () IT PL (M.C.Mar)
Date: Mon, 2 Nov 1998 16:55:57 +0100
Hi!

Over two months ago I found that ssh uses argv[0] (if different than ssh) as a hostname. (Nothing relevant huh? ;) 1st question: is it good? 2nd question: is it normal?

Look at this piece of sshd code:

    /* SIGHUP handler: re-exec the daemon from the argv it was started with */
    void sighup_restart(void)
    {
        log_msg("Received SIGHUP; restarting.");
        close(listen_sock);
        /* saved_argv[0] is whatever argv[0] the daemon was started with */
        execvp(saved_argv[0], saved_argv);
        /* only reached if the exec fails; saved_argv[0] is formatted into the log */
        log_msg("RESTART FAILED: av[0]='%s', error: %s.",
                saved_argv[0], strerror(errno));
        exit(1);
    }

Seems sshd does something similar. Cool, huh?

As we read in the IBM advisory, log_msg just uses vsprintf to copy parsed data to a fixed 1024-byte-long buffer. So I tried:

    execl("/path_to_sshd/sshd", "AAAAAA....[about 2000]", 0);

'Cos I have stackpatch applied I saw something very strange in my logs:

    Nov 2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Server listening on port 22.
    Nov 2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Generating 768 bit RSA key.
    Nov 2 16:29:53 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: RSA key generation complete.

I did it as mcmar user so I tried to log on as mcmar:

    Nov 2 16:36:46 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Connection from 127.0.0.1 port 1016
    Nov 2 16:36:47 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Password authentication for mcmar accepted.

And it did work.

    Nov 2 16:36:54 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Closing connection to 127.0.0.1

So I logged out :)

'Cos sshd does not segfault I'm not sure what happened, but I see that there was "BUFFER OVERRUN ATTEMPT". Also I have no idea WHEN my argv[0] has changed, same sending SIGHUP does nothing more than this:

    Nov 2 16:45:04 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Received SIGHUP; restarting

I know that lookin' fer remote sshd exploit is much more fascinating, but I'm lookin' for something else...

--
___________________________________________________________________________
M.C.Mar                 An NT server can be run by an idiot, and usually is.
emsi () it pl           "If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but, for example, M$ programs are peculiar monuments to stupidity.
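Added example, not code from the post or from sshd: the check a defender would make on the log_msg pattern described above. It assumes the message format from the sighup_restart snippet and a constructed 2000-byte argv[0]; restart_msg_overruns() predicts whether the original vsprintf into a fixed 1024-byte buffer would overrun, and log_msg_safe() is the bounded vsnprintf replacement that truncates instead.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024   /* the fixed buffer size named in the post */
#define RESTART_FMT "RESTART FAILED: av[0]='%s', error: %s."

/* Constructed sample input: an argv[0] of 2000 'A's, like the execl() above. */
const char *long_av0(void)
{
    static char av0[2001];
    memset(av0, 'A', 2000);
    av0[2000] = '\0';
    return av0;
}

/* Bytes (without the NUL) the message needs; a zero-length destination only measures. */
static size_t log_msg_needed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the original vsprintf-into-1024-bytes pattern overrun its buffer? */
int restart_msg_overruns(const char *av0)
{
    size_t need = log_msg_needed(RESTART_FMT, av0, strerror(ENOENT));
    return need + 1 > LOG_BUF_SIZE;      /* +1 for the terminating NUL */
}

/* Hardened log_msg core: bounded write, always NUL-terminated.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on encoding error. */
int log_msg_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) { if (outlen) out[0] = '\0'; return -1; }
    return (size_t)n >= outlen;
}

/* Length actually stored when the same message goes through the safe path. */
size_t restart_msg_safe_len(const char *av0)
{
    char buf[LOG_BUF_SIZE];
    log_msg_safe(buf, sizeof buf, RESTART_FMT, av0, strerror(ENOENT));
    return strlen(buf);
}
```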