Bugtraq mailing list archives
Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
From: ncw1 () AXIS DEMON CO UK (Nick Craig-Wood)
Date: Thu, 18 Nov 1999 22:44:58 +0000
On Tue, Nov 16, 1999 at 08:48:36PM +0100, Jochen Bauer wrote:
> On Tue, Nov 16, 1999 at 11:30:16AM +0100, Oystein Viggen wrote:
> > Does the fact that the international version of ssh from replay.com
> > uses "internal rsaref" instead of the "external rsaref" in the US
> > version make it immune to this attack too? The version is at least
> > not as far as I can see externally linked to any rsaref library:
> > [...]
>
> As the buffer overflow is not located in the rsaref library itself,
> one cannot say that a particular version of sshd is vulnerable or not
> just because of the libraries it has been linked with.

I downloaded the rpm source ssh-1.2.27-5i.src.rpm, prepped it and
examined the code.

    $ grep -C RSAREF config.h
    /* Define to use RSAREF. */
    /* #undef RSAREF */

So I would say RSAREF is not set in this rpm so you are safe.

I'd also note that if you compile ssh from source you have to
specifically enable the RSAREF code which most people won't have done
I'd imagine.

Also note in ssh.c

        case 'V':
    #ifdef F_SECURE_COMMERCIAL
    #endif /* F_SECURE_COMMERCIAL */
          fprintf(stderr, "SSH Version %s [%s], protocol version %d.%d.\n",
                  SSH_VERSION, HOSTTYPE, PROTOCOL_MAJOR, PROTOCOL_MINOR);
    #ifdef RSAREF
          fprintf(stderr, "Compiled with RSAREF.\n");
    #else /* RSAREF */
          fprintf(stderr, "Standard version. Does not use RSAREF.\n");
    #endif /* RSAREF */
          exit(0);

and the result of this

    $ ssh -V
    SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
    Standard version. Does not use RSAREF.

Should give you the definitive answer as to whether RSAREF was defined
or not when ssh (and hopefully sshd) was compiled.

-- 
Nick Craig-Wood
ncw1 () axis demon co uk
http://www.axis.demon.co.uk/
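
The two checks described in the message above (the RSAREF line in config.h and the text printed by `ssh -V`), as an added example that is not part of the original post. The function names, the sample files and the `#define RSAREF 1` form of an enabled build are assumptions made for illustration; the banner strings are the ones quoted from ssh.c.

```shell
#!/bin/sh
# Classify a configure-generated config.h.
# Prints "enabled", "disabled" or "unknown" (hypothetical helper name).
rsaref_from_config() {
    # An active "#define RSAREF" means the RSAREF code path is compiled in.
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+RSAREF([[:space:]]|$)' "$1"; then
        echo enabled
    # A leftover (commented-out) "#undef RSAREF" means the option was not selected.
    elif grep -Eq '#[[:space:]]*undef[[:space:]]+RSAREF([[:space:]]|$)' "$1"; then
        echo disabled
    else
        echo unknown
    fi
}

# Classify the text printed by "ssh -V", read from stdin.
# This describes the ssh client binary only; sshd may have been built separately.
rsaref_from_banner() {
    banner=$(cat)
    case $banner in
        *"Does not use RSAREF."*)  echo disabled ;;
        *"Compiled with RSAREF."*) echo enabled ;;
        *)                         echo unknown ;;
    esac
}

# Constructed sample inputs, modelled on the output quoted in the message.
tmp=$(mktemp -d)
printf '/* Define to use RSAREF. */\n/* #undef RSAREF */\n' > "$tmp/standard.h"
printf '/* Define to use RSAREF. */\n#define RSAREF 1\n'    > "$tmp/rsaref.h"

for f in "$tmp/standard.h" "$tmp/rsaref.h"; do
    echo "$(basename "$f"): RSAREF $(rsaref_from_config "$f")"
done

printf 'SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.\nStandard version. Does not use RSAREF.\n' \
    | { printf 'banner: RSAREF '; rsaref_from_banner; }

rm -rf "$tmp"
```

On a real host, feed the second function with `ssh -V 2>&1`, since the banner is written to stderr.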