Bugtraq mailing list archives

Re: Some revelations about ssh and stackpatch


From: flaps () DGP TORONTO EDU (Alan J Rosenthal)
Date: Tue, 3 Nov 1998 16:20:15 -0500


> Look at this piece of sshd code:
> ...
>  log_msg("RESTART FAILED: av[0]='%s', error: %s.",
>       saved_argv[0], strerror(errno));
> ...
> As we read in the IBM advisory, log_msg just uses vsprintf to copy parsed data
> to a fixed 1024-byte buffer.
> So I tried:
> execl("/path_to_sshd/sshd","AAAAAA....[about 2000]",0);

To sighup an sshd running as root, you need to be root already.
Your execl will not invoke sshd with any privileges you don't already have
from your own account.  Unless someone stupidly made sshd setuid root
(different than ssh, which arguably *should* be setuid root).

On the other hand, if sshd is run in the first place with an argv[0] of
length 2000, then you might be able to get somewhere.  But I seriously doubt
that /etc/rc.local or /etc/init.d/sshd or whatever is written to do this on
your system.

Buffer overflow bugs don't, in general, lead to exploits.  They only do if
the program in which you can induce an appropriate buffer overflow is running
with a privilege greater than you already possess.  Usually this is because
it's a process on a machine on which you don't have an account (e.g. network
services), a process already running as root, or a program which is setuid
root.  If you can invoke a program only with a privilege you already have, you
won't gain anything by making it execute code of your own choosing.  You could
have run your code (that which you run via a buffer overflow) directly.


On another ssh matter in the same message,

> Over two months ago I found that ssh uses argv[0] (if different than ssh)
> as a hostname. (Nothing relevant huh? ;)
> 1st question: is it good?

In my opinion, it's stupid, BUT:

> 2nd question: is it normal?

Rlogin and rsh do this, so to be a drop-in replacement for rlogin/rsh,
ssh has to do this too, arguably.

(Incidentally, slogin is also an exception to treating argv[0] as the
hostname, as are rsh and rlogin in case you've named it that for
drop-in-replacement reasons, and so is remsh even (the name the SysV people
originally gave to bsd rsh because rsh already meant restricted shell in SysV).)
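A bounded replacement for the vsprintf-into-1024-bytes log_msg() call quoted at the top of this message, added here as an example; it is not sshd's or the IBM advisory's code. The names log_msg_bounded, format_restart_failure, restart_message_fits, restart_message_stored_len and constructed_huge_argv0 are assumed, and the 2000-byte argv[0] is constructed input that mirrors the one tried in the thread; vsnprintf truncates it instead of writing past the buffer.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOG_BUF_SIZE 1024   /* the fixed buffer size the advisory describes */

/* Bounded replacement for a vsprintf-based log_msg(): vsnprintf never writes past
 * bufsize bytes and always NUL-terminates; a result >= bufsize means truncation. */
static int log_msg_bounded(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    if (needed < 0)
        buf[0] = '\0';          /* encoding error: leave an empty, terminated string */
    return needed;
}

/* The quoted sshd call site, with argv[0] supplied by the caller (assumed name). */
static int format_restart_failure(char *buf, size_t bufsize, const char *argv0)
{
    return log_msg_bounded(buf, bufsize, "RESTART FAILED: av[0]='%s', error: %s.",
                           argv0, strerror(ENOENT));
}

/* 1 if the message fits in LOG_BUF_SIZE, 0 if it had to be truncated (the case
 * where the unbounded vsprintf original would have overflowed). */
int restart_message_fits(const char *argv0)
{
    char buf[LOG_BUF_SIZE];
    return format_restart_failure(buf, sizeof buf, argv0) < (int)sizeof buf;
}

/* Length actually stored: never more than LOG_BUF_SIZE - 1, whatever argv[0] is. */
size_t restart_message_stored_len(const char *argv0)
{
    char buf[LOG_BUF_SIZE];
    format_restart_failure(buf, sizeof buf, argv0);
    return strlen(buf);
}

/* Constructed input: an argv[0] of 2000 'A's, like the one tried in the thread. */
const char *constructed_huge_argv0(void)
{
    static char huge[2001];
    memset(huge, 'A', 2000);
    huge[2000] = '\0';
    return huge;
}
```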
