Re: [VulnWatch] exploiting the zlib bug in openssh

From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 03/12/02


Date: Tue, 12 Mar 2002 12:12:51 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: H D Moore <sflist@digitaloffense.net>

On Tue, 12 Mar 2002, H D Moore wrote:

> I patched the OpenSSH client to send this corrupt zlib buffer after the
> key exchange; the inflate() call on the remote end is returning the
> correct value indicating that the buffer did what it was supposed to
> (Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the
> fatal_cleanup() and inflateEnd() calls. Taking the same buffer and
> sticking it into the inflate() call of another application causes the
> desired SEGV and a possible path to exploitability, so why isn't OpenSSH
> crashing?

I think I researched this problem a few months ago. I found this condition
while performing a fuzz-alike test on zlib, thinking specifically about one
of the SSH implementations. The problem with exploiting it in OpenSSH is
that the checks are strict enough to exit almost immediately, after the
first inflate() call returns an error - while the bug needed a second
inflate() call or an inflateEnd() call to be exploited (don't remember
exactly). One way or another, I found this not exploitable and gave up on
this bug.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
