Full Disclosure mailing list archives
Re: openssh exploit code?
From: Henning Brauer <hb-fulldisclosure () bsws de>
Date: Mon, 13 Oct 2003 14:23:53 +0200
On Mon, Oct 13, 2003 at 12:13:14AM -0700, security snot wrote:
> Can you provide any sort of technical argument as to why this bug is not exploitable?
sure. look what happens:

	buffer->alloc += len + 32768;
	if (buffer->alloc > 0xa00000)
		fatal("buffer_append_space: alloc %u not supported", buffer->alloc);
	buffer->buf = xrealloc(buffer->buf, buffer->alloc);

the error condition is xrealloc failing. xrealloc is a wrapper for realloc, which does proper error checking, and calls fatal() on error. there is the bug - fatal uses the buffer. what happens is basically

	bzero(buffer->buf, buffer->alloc);

as buffer->alloc is already increased, but buffer->buf is still the old len, we bzero too much. now please explain to me how this is exploitable.
> Or are you going to simply stand behind the typical OpenBSD zealot view and say it can't be exploited, only because there is not public "proof of concept" code available?
"I have an exploit but I don't show it", yeah, sure. we analyzed the bug of course. don't get me wrong: This is a bug, our action of re-building all release sets with the fix was absolutely the way to go (even given it was a major PITA and a _lot_ of work), and this is a bad bug that should be fixed ASAP, and everybody out there running sshd should upgrade/patch asap if not done yet. However, I absolutely fail to see how this should lead to arbitrary code execution on a unix system with a reasonable malloc implementation. It's a remote DoS.
> ISS' X-Forces claim to have created a working proof-of-concept code for the bug. Are you calling those respectable young men and women liars?
if they claim they have an exploit that leads to arbitrary code execution: yes I do, until we get proof. I won't answer the rest of your mail which is entirely FUD. You ask for proof? What about YOU proving your statements? Just claiming something without any proof is nothing but FUD.
> ps: provide an adequate technical discussion against the exploitability of this particular bug, and if it proves to be sound I'll release an exploit for a different unpublished OpenSSH bug for you guys to write up some advisories on! (err, must be FUD:)
please do. this way it is just FUD. prove your claims.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
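The ordering problem Henning describes above (alloc is bumped before the reallocation succeeds, so the cleanup run by fatal() clears more bytes than the buffer actually owns) can be reproduced in isolation. The following C program is an added example for this archive page; it is neither code from the thread nor OpenSSH's own buffer code. It assumes a cut-down Buffer model (buf, alloc, plus a real_cap field that exists only so the demo can measure the discrepancy), a constructed demo_realloc hook that refuses requests above a configurable limit to simulate realloc failure, and a cleanup_overrun helper that reports how far a bzero(buf, alloc) would run past the real allocation instead of performing it. The constants 32768 and 0xa00000 are the ones from the quoted snippet.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model of the buffer discussed in the thread.
 * real_cap is bookkeeping for this demo only: the bytes actually allocated. */
typedef struct {
    unsigned char *buf;
    unsigned int alloc;    /* bytes the buffer believes it owns */
    unsigned int real_cap; /* demo-only: bytes really backing buf */
} Buffer;

/* Constructed allocator hook: fails any request above g_alloc_limit so a
 * realloc failure can be forced deterministically. */
static unsigned int g_alloc_limit = 0xffffffffu;

static void *demo_realloc(void *p, unsigned int n) {
    if (n > g_alloc_limit)
        return NULL;
    return realloc(p, n);
}

/* Flawed ordering, as in the quoted snippet: alloc is increased before the
 * growth has succeeded. Returns -1 where the original would call fatal();
 * note that alloc is already stale at that point. */
int append_space_flawed(Buffer *b, unsigned int len) {
    b->alloc += len + 32768;
    if (b->alloc > 0xa00000)
        return -1;                       /* fatal("... not supported") */
    unsigned char *nb = demo_realloc(b->buf, b->alloc);
    if (nb == NULL)
        return -1;                       /* xrealloc calling fatal() */
    b->buf = nb;
    b->real_cap = b->alloc;
    return 0;
}

/* Hardened ordering: size the growth in a local, grow first, and commit
 * alloc only once the new allocation exists. On failure the buffer's
 * bookkeeping still matches its real size. */
int append_space_fixed(Buffer *b, unsigned int len) {
    unsigned int newalloc = b->alloc + len + 32768;
    if (newalloc > 0xa00000)
        return -1;
    unsigned char *nb = demo_realloc(b->buf, newalloc);
    if (nb == NULL)
        return -1;                       /* alloc untouched */
    b->buf = nb;
    b->alloc = newalloc;
    b->real_cap = newalloc;
    return 0;
}

/* Stand-in for the bzero(buf, alloc) the cleanup performs: report the number
 * of bytes such a clear would write past the real allocation. */
unsigned int cleanup_overrun(const Buffer *b) {
    return b->alloc > b->real_cap ? b->alloc - b->real_cap : 0;
}

/* One scenario: a successful first growth, then a forced failure on the
 * second. Returns the overrun the cleanup would incur after the failure. */
unsigned int run_scenario(int (*grow)(Buffer *, unsigned int)) {
    Buffer b = { NULL, 0, 0 };
    g_alloc_limit = 0xffffffffu;
    if (grow(&b, 1024) != 0)             /* alloc becomes 33792 */
        return 0xffffffffu;
    g_alloc_limit = b.alloc;             /* any further growth now fails */
    (void)grow(&b, 4096);
    unsigned int over = cleanup_overrun(&b);
    free(b.buf);
    return over;
}

int main(void) {
    printf("flawed ordering: cleanup would overrun by %u bytes\n",
           run_scenario(append_space_flawed));
    printf("fixed ordering:  cleanup would overrun by %u bytes\n",
           run_scenario(append_space_fixed));
    return 0;
}
```

With the flawed ordering the failed second growth leaves alloc at 70656 while only 33792 bytes are really allocated, so a cleanup that clears alloc bytes would run 36864 bytes past the end; with the fixed ordering the two stay equal and the overrun is zero. The general defensive rule the example illustrates is that a size field must never be updated before the allocation it describes has actually been obtained.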