Re: openssh exploit code?

[Henning Brauer <hb-fulldisclosure () bsws de>]

On Mon, Oct 13, 2003 at 12:13:14AM -0700, security snot wrote:
> Can you provide any sort of technical argument as to why this bug is not
> exploitable?

sure. look what happens:

        buffer->alloc += len + 32768;
        if (buffer->alloc > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
                    buffer->alloc);
        buffer->buf = xrealloc(buffer->buf, buffer->alloc);

the error condition is xrealloc failing.
xrealloc is a wrapper for realloc, which does proper error checking, 
and calls fatal() on error.
there is the bug - fatal uses the buffer.
what happens is basically
        bzero(buffer->buf, buffer->alloc);
as buffer->alloc is already increased, but buffer->buf is still the 
old len, we bzero too much.
now please explain me how this is exploitable.

> Or are you going to simply stand behind the typical OpenBSD
> zealot view and say it can't be exploited, only because there is not
> public "proof of concept" code available?

"I have an exploit but I don't show it", yeah, sure.

we analyzed the bug of course.

don't get me wrong: This is a bug, our action of re-building all 
release sets with the fix was absolutely the way to go (even given it 
was a major PITA and a _lot_ od work), and this is a 
bad bug that should be fixed ASAP, and everybody out there running 
sshd should upgrade/patch asap if not done yet.

However, I absolutely fail to see how this should lead to arbitary 
code execution on a unix system with a reasonable malloc implementation.
It's a remote DoS.

> ISS' X-Forces claim to have created a working proof-of-concept code for
> the bug.  Are you calling those respectable young men and woman liars?

if they claim they have an exploit that leads to arbitary code 
execution: yes I do, until we get proof.

I won't answer the rest of your mail which is entirely FUD.

You ask for proof? WHat about YOU proving your statements? Just 
claiming something without any proof is nothing but FUD.

> ps: provide an adequate technical discussion against the exploitability of
> this particular bug, and if it proves to be sound I'll release an exploit
> for a different unpublished OpenSSH bug for you guys to write up some
> advisories on!  (err, must be FUD:)

please do.
this way it is just FUD.
prove your claims.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html