[UNIX] Dropbear SSH Server svr_ses.childpidsize Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Dec 2005 16:58:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Dropbear SSH Server svr_ses.childpidsize Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Dropbear SSH Server <http://matt.ucc.asn.au/dropbear/dropbear.html> is "a
small Secure Shell server suitable for embedded environments. It
implements various features of the SSH 2 protocol, including X11 and
Authentication agent forwarding".
A buffer overflow vulnerability in Dropbear SSH Server allows remote code
execution.
DETAILS
Vulnerable Systems:
* Dropbear SSH Server versions prior to 0.47
Immune Systems:
* Dropbear SSH Server version 0.47 (download:
<http://matt.ucc.asn.au/dropbear/dropbear-0.47.tar.bz2>)
Version 0.47 fixes a buffer allocation error in the server code that could
potentially allow authenticated users to gain elevated privileges. All
multi-user systems running the server should upgrade or apply the patch.
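The allocation error, worked through as an added example (not code from the advisory or from Dropbear): because `*` binds tighter than `+`, the pre-fix size expression in the fix below requests one extra byte instead of one extra element. `struct child_entry`, `grow_by_one` and the other names are hypothetical stand-ins, and the struct layout is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Stand-in for the server's per-child record; the layout is an assumption. */
struct child_entry { pid_t pid; void *session; };

/* Bytes requested by the pre-fix form: sizeof(T) * n + 1. */
size_t bytes_before_fix(size_t n) { return sizeof(struct child_entry) * n + 1; }

/* Bytes requested by the patched form: sizeof(T) * (n + 1). */
size_t bytes_after_fix(size_t n) { return sizeof(struct child_entry) * (n + 1); }

/* Bytes by which a write to slot n runs past the pre-fix allocation. */
size_t overrun_bytes(size_t n) { return bytes_after_fix(n) - bytes_before_fix(n); }

/*
 * Hardened growth helper (hypothetical, not Dropbear code): derives the new
 * element count once, refuses a byte size that would wrap, and updates the
 * caller's pointer and count only after the reallocation has succeeded.
 * Returns 0 on success, -1 on failure with *arr and *count unchanged.
 */
int grow_by_one(struct child_entry **arr, size_t *count) {
    if (*count >= SIZE_MAX / sizeof(struct child_entry)) return -1;
    size_t new_count = *count + 1;
    struct child_entry *p = realloc(*arr, sizeof(*p) * new_count);
    if (p == NULL) return -1;
    p[new_count - 1].pid = -1;       /* mark the new slot as unused */
    p[new_count - 1].session = NULL;
    *arr = p;
    *count = new_count;
    return 0;
}

int main(void) {
    printf("slot 4 overruns the pre-fix buffer by %zu bytes\n", overrun_bytes(4));
    return 0;
}
```

The shortfall is `sizeof(struct child_entry) - 1` bytes regardless of how many entries the array already holds, so every growth step leaves the new slot almost entirely outside the allocation.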
Fix:
--- svr-chansession.c
+++ svr-chansession.c
@@ -810,7 +810,7 @@
/* need to increase size */
if (i == svr_ses.childpidsize) {
svr_ses.childpids = (struct
ChildPid*)m_realloc(svr_ses.childpids,
- sizeof(struct ChildPid) * svr_ses.childpidsize+1);
+ sizeof(struct ChildPid) * (svr_ses.childpidsize+1));
svr_ses.childpidsize++;
}
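Review bot: In the m_realloc call, compute the new element count once in a local and use it for both the byte size and the update of svr_ses.childpidsize; the removed line shows how easily the inline form goes wrong, since sizeof(struct ChildPid) * svr_ses.childpidsize+1 asks for one extra byte rather than one extra element. A short comment next to "need to increase size" stating that the array grows by exactly one struct ChildPid, plus a guard against the multiplication wrapping, would make the intent checkable by the next reader.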
ADDITIONAL INFORMATION
The original article can be found at:
<http://matt.ucc.asn.au/dropbear/dropbear.html>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.