[Full-Disclosure] R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

From: Michal Zalewski (lcamtuf@ghettot.org)
Date: 12/16/02

From: lcamtuf@ghettot.org (Michal Zalewski)
Date: Mon, 16 Dec 2002 10:56:20 -0800 (PST)

On Mon, 16 Dec 2002, Chad Loder wrote:

> The SSH.com and F-Secure issues are NULL pointer dereferences.

Righty-o :-)

My only point is, while there's a value in doing comprehensive research
like this - since you're testing a number of completely different
implementations, some of them very popular, some rather obscure - you
probably need to be specific just to serve the reader better, and
elliminate the risk of being accused of FUD. Consider Joe Admin who uses
SSH.com and reads your advisory.

There's no indication whatsoever as to the nature of problems spotted in
this particular implementation, so he assumes it suffers of one of the
vulnerability classes listed at the beginning of the advisory - remote
execution or DoS. You list his implementation as vulnerable in an advisory
that talks about those types of vulnerabilities, and later you quote the
vendor saying it is not an issue, with no commentary whatsoever. He is
confused. It takes time to find out.

> In this case, we have not said "This issue is definitely not
> exploitable." Why? Because we haven't had time to run the test suite
> against earlier versions of these products.

Your fault... No, really. An advisory is there to describe what you found.
You might want to suggest there are some other possibilities worth further
research - and you did that, good - but you shouldn't classify an
application as a whole as "confirmed vulnerable" to a specific security
issue based just on that. This is not how people are going to read it.
People are going to read it as "they tested application A and found it's
vulnerable to DoS or remote code execution; vendor denied; what's going

You have one good point, that is in some specific architectures, server
can be crashed by a NULL pointer dereference. But does this application
actually support such architectures? If yes, list specific architectures
on which this application is affected - especially since it is not going
to be affected on the majority of systems around.

I don't want to be a jackass, but I'm simply getting allergic to
advisories that do not help others - this is against the idea of full
disclosure, simple as that. I'm sorry if I am picking on the wrong
company, and once again, I'm not trying to discredit your research.


------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-12-16 10:10 --