Full Disclosure mailing list archives

Re: openssh remote exploit


From: Darren Reed <avalon () caligula anu edu au>
Date: Tue, 16 Sep 2003 11:47:39 +1000 (Australia/ACT)

In some mail from auto64746 () hushmail com, sie said:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can you see the 2 bugs in this code? It seems to me that Theo could
not. I am of the understanding that there are exploits working on this in
the wild. 3 remote holes in the default install now!

Well, I can see at least one bug but it's not security related:

If "Buffer->alloc == X" (but offset == end == 0) and "len == X" then
it allocates an extra "X + 32k" bytes rather than filling the existing
buffer exactly.  That, however wasteful, may be part of the design as
it is hard to judge it alone like that.

Maybe if you can see others you'll highlight them?

Darren
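The allocation case Darren describes above, as an added worked example that is not part of the original thread and is not OpenSSH's buffer.c: a toy growable buffer with the fields alloc, offset and end, whose "enough space" test can be run either as a strict comparison (end + len < alloc, the wasteful behaviour he points out) or as an exact-fit comparison (end + len <= alloc). The field names, the 32k growth slack and the helper alloc_after_exact_fill are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a growable I/O buffer (added illustration, not OpenSSH code):
 * alloc  = bytes allocated, offset = start of unread data, end = end of data. */
typedef struct {
    unsigned char *buf;
    size_t alloc;
    size_t offset;
    size_t end;
} Buffer;

#define GROW_SLACK 32768U   /* the "32k" extra bytes mentioned in the post (assumed) */

static int buffer_init(Buffer *b, size_t alloc)
{
    b->buf = malloc(alloc);
    if (b->buf == NULL)
        return -1;
    b->alloc = alloc;
    b->offset = 0;
    b->end = 0;
    return 0;
}

static void buffer_free(Buffer *b)
{
    free(b->buf);
    memset(b, 0, sizeof(*b));
}

/* Reserve len bytes after the current data and return a pointer to them.
 * exact_fit == 0: strict test (len < alloc - end).  An empty buffer with
 *   alloc == X asked for exactly X bytes fails the test and is grown to
 *   X + X + 32k, the case described in the post.
 * exact_fit == 1: test is len <= alloc - end, so the existing space is used.
 * Returns NULL (leaving the buffer valid) if growing would wrap or fail. */
static void *buffer_append_space(Buffer *b, size_t len, int exact_fit)
{
    /* All data consumed: restart from the beginning of the buffer. */
    if (b->offset == b->end) {
        b->offset = 0;
        b->end = 0;
    }
    for (;;) {
        size_t avail = b->alloc - b->end;          /* end <= alloc always holds */
        int fits = exact_fit ? (len <= avail) : (len < avail);
        if (fits) {
            void *p = b->buf + b->end;
            b->end += len;
            return p;
        }
        /* More than half the buffer is consumed data: compact and retry. */
        if (b->offset > b->alloc / 2) {
            memmove(b->buf, b->buf + b->offset, b->end - b->offset);
            b->end -= b->offset;
            b->offset = 0;
            continue;
        }
        /* Grow to alloc + len + slack, refusing sizes that would wrap. */
        if (b->alloc > SIZE_MAX - GROW_SLACK ||
            len > SIZE_MAX - GROW_SLACK - b->alloc)
            return NULL;
        size_t newlen = b->alloc + len + GROW_SLACK;
        unsigned char *nb = realloc(b->buf, newlen);
        if (nb == NULL)
            return NULL;
        b->buf = nb;
        b->alloc = newlen;
    }
}

/* Fill an empty buffer of x bytes with exactly x bytes and report the
 * resulting allocation size (0 on failure). Hypothetical helper. */
static size_t alloc_after_exact_fill(size_t x, int exact_fit)
{
    Buffer b;
    if (buffer_init(&b, x) != 0)
        return 0;
    void *p = buffer_append_space(&b, x, exact_fit);
    size_t result = (p != NULL) ? b.alloc : 0;
    buffer_free(&b);
    return result;
}

int main(void)
{
    printf("strict test, 4096-byte buffer, 4096-byte append: alloc -> %zu\n",
           alloc_after_exact_fill(4096, 0));
    printf("exact-fit test, same request: alloc -> %zu\n",
           alloc_after_exact_fill(4096, 1));
    return 0;
}
```

With the strict comparison a 4096-byte empty buffer asked for 4096 bytes ends up with 4096 + 4096 + 32768 bytes allocated; with the exact-fit comparison it stays at 4096 and the request is served in place. Either way the data bounds are respected, which is why this particular off-by-one is wasteful rather than exploitable on its own.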

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
