[EXPL] Exploiting the Zlib Bug in OpenSSH
From: support@securiteam.com
Date: 03/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 23 Mar 2002 18:57:53 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Exploiting the Zlib Bug in OpenSSH
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, Double Free Bug in Zlib Compression
Library (<http://www.securiteam.com/securitynews/5GP0C0K6KS.html>), a
security vulnerability in Zlib allows attackers to cause a program to free
the same memory section twice, resulting in a denial of service. The
following is an example of an exploit that can be used against OpenSSH.
DETAILS
A bug was found in the Zlib compression library which causes inflateEnd()
to incorrectly free the same chunk of memory twice when given a deformed
chunk of compressed data. A PNG image was discovered which triggers this
flaw (it is linked below).
OpenSSH uses the Zlib library to compress data when the -C option is
passed to it. With version 2 of the protocol, it is possible to send
compressed/encrypted messages to the remote daemon before having to
authenticate (just after key exchange). This is done using SSH2_MSG_IGNORE
packets in the kex2() function of sshconnect2.c.
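Because the compressed SSH2_MSG_IGNORE packets are accepted before
authentication, the exposure on the server side depends on whether sshd
enables compression at all and, on later releases, whether it defers it
until after authentication. The following sshd_config audit is an added
example and not part of this advisory or of OpenSSH; it assumes the
OpenSSH semantics of the Compression directive (yes = compression
immediately after key exchange, delayed = only after authentication,
no = disabled, absent = yes on the 3.1p1-era daemon) and only reads global
directives, ignoring Match blocks.

```python
"""Flag sshd_config files whose Compression setting leaves zlib reachable
before authentication.  Added example, not part of the original advisory."""
import re

# Constructed sample configurations (not taken from the advisory).
SAMPLE_WEAK = """
Port 22
Protocol 2
Compression yes        # compression negotiated right after kex, pre-auth
"""

SAMPLE_MISSING = """
Port 22
Protocol 2
# no Compression directive: old daemons default to 'yes'
"""

SAMPLE_DELAYED = """
Port 22
Protocol 2
Compression delayed    # only available on later OpenSSH releases
"""

_DIRECTIVE = re.compile(r"(?i)^compression[\s=]+(\S+)")


def compression_setting(config_text):
    """Return the effective Compression value, lower-cased.

    sshd honours the first occurrence of a directive, so parsing stops at
    the first match.  A missing directive is reported as 'yes', matching the
    default of the daemon discussed in the advisory (assumption)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        match = _DIRECTIVE.match(line)
        if match:
            return match.group(1).lower()
    return "yes"


def preauth_compression_exposed(config_text):
    """True when zlib is used on data received before authentication."""
    return compression_setting(config_text) == "yes"


if __name__ == "__main__":
    for name, cfg in [("weak", SAMPLE_WEAK), ("missing", SAMPLE_MISSING),
                      ("delayed", SAMPLE_DELAYED)]:
        print(name, compression_setting(cfg), preauth_compression_exposed(cfg))
```

Setting Compression to no (or delayed, where supported) closes the
pre-authentication window; upgrading zlib removes the double free itself.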
The attached patch to libpng-1.2.1 causes pngtest to dump out the contents
of the buffer it passes to inflate(). This is used with the attached PNG
file to obtain the buffer the OpenSSH client needs to send. The buffer
size has been tweaked in libpng to match the one used in OpenSSH-3.1p1
(4096 bytes). The pngtest program will SEGV after dumping out this buffer
from the PNG file.
The below exploit patches the OpenSSH client to send this corrupt Zlib
buffer after the key exchange. The inflate() call on the remote end
returns the value indicating that the buffer did what it was supposed to
(Z_MEM_ERROR, or -4).
The attached patch applies to OpenSSH-3.1p1. If you run the daemon code, it
will spit out the received buffer (to make sure it made it across ok) and
some other debugging information. The recommended command line to test
this:
# ./sshd -d -d -d
# ./ssh -2 -C -v -v -v root@127.0.0.1
The exploit code and required files can be downloaded from:
<http://www.digitaloffense.net/openssh_zlib/>
ADDITIONAL INFORMATION
The information has been provided by HD Moore
<mailto:sflist@digitaloffense.net>.