Bugtraq mailing list archives

Re: [VulnWatch] exploiting the zlib bug in openssh


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 12 Mar 2002 12:12:51 -0500 (EST)

On Tue, 12 Mar 2002, H D Moore wrote:

> I patched the OpenSSH client to send this corrupt zlib buffer after the
> key exchange, the inflate() call on the remote end is returning the
> correct value indicating that the buffer did what it was supposed to
> (Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the
> fatal_cleanup() and inflateEnd() calls. Taking the same buffer and
> sticking it into the inflate() call of another application causes the
> desired SEGV and possible path to exploitability, so why isn't OpenSSH
> crashing?

I think I researched this problem a few months ago. I found this condition
while performing a fuzz-alike test on zlib, thinking specifically about one
of the SSH implementations. The problem with exploiting it in OpenSSH is
that the checks are strict enough to exit almost immediately after the first
inflate() call returns an error - while the bug needed a second inflate()
call or an inflateEnd() call to be exploited (don't remember exactly). One
way or another, I found this not exploitable and gave up on this bug.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/

