Bugtraq mailing list archives

Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)


From: ncw1 () AXIS DEMON CO UK (Nick Craig-Wood)
Date: Thu, 18 Nov 1999 22:44:58 +0000


On Tue, Nov 16, 1999 at 08:48:36PM +0100, Jochen Bauer wrote:
> On Tue, Nov 16, 1999 at 11:30:16AM +0100, Oystein Viggen wrote:
> > Does the fact that the international version of ssh from replay.com uses
> > "internal rsaref" instead of the "external rsaref" in the US version make
> > it immune to this attack too?
> >
> > The version is at least not as far as I can see externally linked to any
> > rsaref library:
> > [...]
>
> As the buffer overflow is not located in the rsaref library itself, one
> cannot say that a particular version of sshd is vulnerable or not just
> because of the libraries it has been linked with.

I downloaded the rpm source ssh-1.2.27-5i.src.rpm, prepped it and
examined the code.

$ grep -C RSAREF config.h
/* Define to use RSAREF. */
/* #undef RSAREF */

So I would say RSAREF is not set in this rpm so you are safe.

I'd also note that if you compile ssh from source you have to
specifically enable the RSAREF code, which most people won't have done,
I'd imagine.

Also note in ssh.c

        case 'V':
#ifdef F_SECURE_COMMERCIAL

#endif /* F_SECURE_COMMERCIAL */
          fprintf(stderr, "SSH Version %s [%s], protocol version %d.%d.\n",
                  SSH_VERSION, HOSTTYPE, PROTOCOL_MAJOR, PROTOCOL_MINOR);
#ifdef RSAREF
          fprintf(stderr, "Compiled with RSAREF.\n");
#else /* RSAREF */
          fprintf(stderr, "Standard version.  Does not use RSAREF.\n");
#endif /* RSAREF */
          exit(0);

and the result of this

$ ssh -V
SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.

Should give you the definitive answer as to whether RSAREF was defined
or not when ssh (and hopefully sshd) was compiled.

--
Nick Craig-Wood
ncw1 () axis demon co uk
http://www.axis.demon.co.uk/
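The two checks discussed in this thread, whether the build reports RSAREF in its `ssh -V` banner and whether the binary is externally linked against an rsaref library, as a small POSIX shell script. This is an added example, not code from the post or from the ssh distribution; the banner strings it matches are the ones quoted above from ssh.c, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify an ssh build from the
# text that `ssh -V` prints, and detect external rsaref linkage from `ldd`
# output. The matched strings are those quoted in the thread from ssh.c.

# classify_ssh_version TEXT -> prints one of: rsaref | standard | unknown
classify_ssh_version() {
    case "$1" in
        *"Compiled with RSAREF."*)  echo rsaref ;;
        *"Does not use RSAREF."*)   echo standard ;;
        *)                          echo unknown ;;   # some other ssh code base
    esac
}

# rsaref_linked LDD_OUTPUT -> prints yes if a shared object named *rsaref*
# appears in the ldd listing, else no. Only external linkage is visible this
# way; a statically built-in rsaref leaves no trace here.
rsaref_linked() {
    if printf '%s\n' "$1" | grep -qi 'rsaref'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample outputs. The first is the banner quoted in the thread;
# the second is the same build with the RSAREF branch of ssh.c compiled in.
SAMPLE_STANDARD='SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.'
SAMPLE_RSAREF='SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Compiled with RSAREF.'
SAMPLE_OPENSSH='OpenSSH_9.0p1, OpenSSL 3.0.2 15 Mar 2022'   # constructed: a different code base
SAMPLE_LDD_EXT='    librsaref.so.2 => /usr/lib/librsaref.so.2 (0x40010000)
    libc.so.6 => /lib/libc.so.6 (0x40030000)'   # constructed: externally linked rsaref
SAMPLE_LDD_NONE='    libc.so.6 => /lib/libc.so.6 (0x40030000)'   # constructed: no rsaref

# Report on the installed client, if there is one. ssh -V writes to stderr,
# hence the 2>&1. This tells you about the client binary only.
report_installed() {
    if command -v ssh >/dev/null 2>&1; then
        echo "installed ssh client: $(classify_ssh_version "$(ssh -V 2>&1)")"
    else
        echo "installed ssh client: not found"
    fi
}

# Demonstration on the constructed samples.
echo "standard banner -> $(classify_ssh_version "$SAMPLE_STANDARD")"
echo "rsaref banner   -> $(classify_ssh_version "$SAMPLE_RSAREF")"
echo "other banner    -> $(classify_ssh_version "$SAMPLE_OPENSSH")"
echo "ldd with rsaref -> $(rsaref_linked "$SAMPLE_LDD_EXT")"
echo "ldd without     -> $(rsaref_linked "$SAMPLE_LDD_NONE")"
report_installed
```

Two caveats follow directly from the thread. The banner check answers only for the binary that printed it, so the server has to be checked separately, which is the "and hopefully sshd" reservation in the post. And, as Jochen Bauer points out, linkage alone proves nothing about the overflow: `rsaref_linked` can show that an external rsaref library is present, but a build with the RSAREF code compiled in statically will pass that check while still carrying the affected code, so the banner or the `RSAREF` define in config.h is the more reliable indicator.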
