Dropbear SSH server use-after-free vulnerability

Impact: A remote authenticated user can execute arbitrary code on the
target system.
Class: Use After Free - CWE-416
CVE ID: CVE-2012-0920
CVSS: 8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C)

Description:
This vulnerability is located within the Dropbear daemon and occurs due
to the way the server manages concurrent channels. A specially crafted
request can trigger a `use after free` condition which can be used to
execute arbitrary code under root privileges, provided the user has been
authenticated using a public key (authorized_keys file) and a command
restriction is enforced (command option).

Solution: Upgrade to version 2012.55 or higher.
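
A defender-side triage helper, added here as an example (it is not part of the advisory and not Dropbear's own code): it reads the Dropbear release out of the SSH identification banner (Dropbear announces itself as SSH-2.0-dropbear_<version>) and lists the authorized_keys entries that carry a command= restriction, which is the configuration the advisory names as exploitable on releases before 2012.55. The function names and the sample authorized_keys content are constructed for this example.

```python
import re

FIXED_VERSION = (2012, 55)  # first release carrying the fix, per the advisory
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def parse_dropbear_version(banner: str) -> tuple:
    """(year, release) from a banner such as 'SSH-2.0-dropbear_2012.54'."""
    m = re.search(r"(\d{4})\.(\d+)", banner)
    if not m:
        raise ValueError(f"no Dropbear version found in {banner!r}")
    return int(m.group(1)), int(m.group(2))

def split_options(line: str) -> tuple:
    """(options, key part) of an authorized_keys line; options end at the first unquoted space."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def forced_command(options: str) -> "str | None":
    """Value of a command="..." option, honouring backslash-escaped quotes."""
    m = re.search(r'(?:^|,)command="((?:[^"\\]|\\.)*)"', options)
    return m.group(1) if m else None

def restricted_keys(authorized_keys: str) -> list:
    """(key comment, forced command) for every key with a command= restriction."""
    found = []
    for line in map(str.strip, authorized_keys.splitlines()):
        options, key_part = split_options(line)
        cmd = None if line.startswith("#") else forced_command(options)
        if cmd is not None:
            fields = key_part.split(None, 2)
            found.append((fields[2] if len(fields) > 2 else "", cmd))
    return found

def exposed_keys(banner: str, authorized_keys: str) -> list:
    """Keys on which the bug is reachable: unpatched server AND a command-restricted key."""
    if parse_dropbear_version(banner) >= FIXED_VERSION:
        return []
    return restricted_keys(authorized_keys)
SAMPLE_AUTHORIZED_KEYS = r"""# constructed sample input, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAexampleKey0 alice@laptop
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAexampleKey1 backup@nas
no-port-forwarding,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey2 git@ci
"""
```

Keys without a command= option are not reported, matching the advisory's precondition; entries on a server at 2012.55 or later return an empty list.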

Reference: https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749

Disclosure Timeline:
2012-01-24 - Vulnerability reported to vendor.
2012-02-24 - Coordinated public release of advisory.

Credit:
This vulnerability was discovered by Danny Fullerton from Mantor
Organization.
Special thanks to Matt.