Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Fri, 9 Feb 2001 16:32:44 -0300
Hello,

Yet another error in the advisory released last Wednesday.

----- Original Message -----
From: "Iván Arce" <core.lists.bugtraq () core-sdi com>
Newsgroups: core.lists.bugtraq
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability



                                  CORE SDI
                            http://www.core-sdi.com
                SSH protocol 1.5 session key recovery vulnerability




...

-------------- cut here ----------------------------------------------

--- rsaglue.c   1999/12/10 23:27:25     1.8
+++ rsaglue.c   2001/02/03 09:42:05
@@ -264,7 +268,15 @@
   mpz_clear(&aux);

   if (value[0] != 0 || value[1] != 2)
-    fatal("Bad result from rsa_private_decrypt");
+    {
+      static time_t last_kill_time = 0;
+      if (time(NULL) - last_kill_time > 60 && getppid() != 1)
+       {
+         last_kill_time = time(NULL);
+         kill(SIGALRM, getppid());


... This is wrong wrong wrong and will produce unpredictable results
    on the server machine and does not fix the vulnerability either.
   The correct line is:

+         kill(getppid(),SIGALRM);

Thanks to Matt Power from the Bindview RAZOR Team for
pointing this out.

The advisory at our web page has been updateed to reflect this
change.


-ivan


---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================


--- For a personal reply use iarce () core-sdi com
Previous By Date Next
Previous By Thread Next

Current thread: