Bugtraq mailing list archives
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Fri, 9 Feb 2001 16:32:44 -0300
Hello, Yet another error in the advisory released last Wednesday. ----- Original Message ----- From: "Iván Arce" <core.lists.bugtraq () core-sdi com> Newsgroups: core.lists.bugtraq To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Wednesday, February 07, 2001 6:25 PM Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
CORE SDI http://www.core-sdi.com SSH protocol 1.5 session key recovery vulnerability
...
-------------- cut here ---------------------------------------------- --- rsaglue.c 1999/12/10 23:27:25 1.8 +++ rsaglue.c 2001/02/03 09:42:05 @@ -264,7 +268,15 @@ mpz_clear(&aux); if (value[0] != 0 || value[1] != 2) - fatal("Bad result from rsa_private_decrypt"); + { + static time_t last_kill_time = 0; + if (time(NULL) - last_kill_time > 60 && getppid() != 1) + { + last_kill_time = time(NULL); + kill(SIGALRM, getppid());
... This is wrong wrong wrong and will produce unpredictable results on the server machine and does not fix the vulnerability either. The correct line is: + kill(getppid(),SIGALRM); Thanks to Matt Power from the Bindview RAZOR Team for pointing this out. The advisory at our web page has been updateed to reflect this change. -ivan --- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarce () core-sdi com http://www.core-sdi.com Florida 141 2do cuerpo Piso 7 C1005AAC Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 ===================================================================== --- For a personal reply use iarce () core-sdi com
Current thread:
- Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability Iván Arce (Feb 10)
- <Possible follow-ups>
- Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability David Wagner (Feb 10)