oss-sec mailing list archives
Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 23 Feb 2023 14:59:32 +0000
Hi Demi,

On Wed, Feb 22, 2023 at 10:17:19AM -0500, Demi Marie Obenour wrote:
> Is it possible to use this information leak to bypass ASLR without crashing the process?

Unfortunately, no: sshd calls _exit() immediately after this information leak, and fork()s + re-execv()s itself (and therefore re-randomizes its address space) the next time we connect to it; i.e., a memory address leaked in one connection is useless in another connection.

> Also, is this flaw expected to be exploitable for code execution on GNU/Linux?

We are focusing on OpenBSD for now, because its malloc seems more compatible with this particular double-free bug than glibc's malloc; we will look into glibc/Linux at some point, and will keep you posted.

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team
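An added illustration of the point Qualys makes above (not part of the thread, not sshd code): a fork()-only child is a copy of its parent and still sees the "leaked" address, whereas a fork()+exec()'d child, which is how sshd starts each connection, gets a fresh ASLR layout. CPython processes stand in for the sshd listener and its per-connection children; it assumes a Unix host with fork(), that id() returns a CPython object address, and uses Linux /proc files only to detect whether ASLR is actually on.

```python
"""Fork-only vs. fork+re-exec: does a leaked address survive into the next child?
Constructed demo; CPython id() is used as the object's address (assumption)."""
import os
import subprocess
import sys

MARKER = object()  # created before any fork: this is the "leaked" address


def address_after_fork() -> int:
    """fork() only: the child sees MARKER at exactly the parent's address."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: inherited the parent's memory image verbatim
        os.close(r)
        os.write(w, str(id(MARKER)).encode())
        os._exit(0)
    os.close(w)
    data = os.read(r, 64)
    os.close(r)
    os.waitpid(pid, 0)
    return int(data)


def address_after_exec() -> int:
    """fork() + exec(): a fresh interpreter gets a fresh randomized layout."""
    out = subprocess.run([sys.executable, "-c", "print(id(object()))"],
                         capture_output=True, text=True, check=True).stdout
    return int(out)


def aslr_enabled() -> bool:
    """Best-effort Linux check (sysctl knob and the ADDR_NO_RANDOMIZE personality
    bit, which children inherit); assumed on where /proc is absent."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            knob_on = f.read().strip() != "0"
        with open("/proc/self/personality") as f:
            no_randomize = int(f.read(), 16) & 0x0040000
        return knob_on and not no_randomize
    except OSError:
        return True


def leak_reuse_report(rounds: int = 3) -> dict:
    """Is a 'leaked' address still valid in fork-only vs. re-exec'd children?"""
    fork_addrs = {address_after_fork() for _ in range(rounds)}
    exec_addrs = {address_after_exec() for _ in range(rounds)}
    return {"fork_only_reusable": fork_addrs == {id(MARKER)},
            "reexec_reusable": len(exec_addrs) == 1,
            "aslr_enabled": aslr_enabled()}
```

With ASLR on, `leak_reuse_report()` reports `fork_only_reusable` True and `reexec_reusable` False, which is exactly why sshd's per-connection re-exec makes the leak single-use.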