[Fwd: sshd ioctl bug?]

From: Gabriel A. Maggiotti (gmaggiot@ciudad.com.ar)
Date: 02/22/02


Date: Fri, 22 Feb 2002 13:08:07 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
To: vuln-dev@securityfocus.com





attached mail follows:


Date: Fri, 22 Feb 2002 13:07:22 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
To: gmaggiot@ciudad.com.ar


"Gabriel A. Maggiotti" wrote:

> ------------------------------------------------------------------------
> ---------------------------------------------------------------------------
> Web: http://qb0x.net            Author: Gabriel A. Maggiotti
> Date: February 03, 2002         E-mail: gmaggiot@ciudad.com.ar
> ---------------------------------------------------------------------------
>
> I have recently found a new bug in sshd daemons. I tested these versions
> successfully:
>
> - SSH-1.99-OpenSSH_2.1.1
> - SSH-1.99-OpenSSH_2.9p2
> - SSH-1.99-OpenSSH_3.0p1
>
> If you send a larger string, this occurs:
>
> perl -e 'printf "A"x111100' >a
> telnet host 22 < a
>
> <quote>
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.9p2
> pluto.net: Inappropriate ioctl for device
> Protocol mismatch.
> Connection closed by foreign host.
> </quote>
>
> I tested and if the string is smaller than 16384 nothing occurs, see:
>
> <quote>
>
> [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
> [root@pluto openssh-2.9p2]# telnet pluto 22 <a
> Trying 192.168.0.2...
> Connected to pluto.net.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.9p2
> pluto.net: Inappropriate ioctl for device
> Protocol mismatch.
>
> </quote>
>
> and if it is just 16384...
>
> <quote>
>
> [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
> [root@pluto openssh-2.9p2]# telnet pluto 22 <a
> Trying 192.168.0.2...
> Connected to pluto.net.
> Escape character is '^]'.
> pluto.net: Inappropriate ioctl for device
> SSH-1.99-OpenSSH_2.9p2
> Protocol mismatch.
> Connection closed by foreign host.
>
> </quote>
>
> Is this a real security problem?
>
> ---------------------------------------------------------------------------
> research-listi@qb0x.net is dedicated to interactively researching
> vulnerabilities, report potential or undeveloped holes in any kind of computer system.
> To subscribe to research-list@qb0x.net send a blank email to
> research-list-subscribe@qb0x.net. More help available sending an email
> to research-list-help@qb0x.net.
> Note: the list doesn't allow html, it will be stripped from messages.
> ---------------------------------------------------------------------------

I made a big mistake: the ioctl error wasn't an sshd error, the telnet client
does it. I proved it with nc and nothing occurs, sorry.
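
The client-side origin described in the correction above can be checked locally; this is an added example, not part of the original posts. It assumes the telnet client made a terminal query on its redirected stdin (the thread only establishes that the client, not sshd, printed the message); the function names are hypothetical. "Inappropriate ioctl for device" is glibc's text for `ENOTTY`.

```c
/* Added example: reproduce the errno behind "Inappropriate ioctl for device"
 * without any network connection.
 * Assumption: the telnet client queried terminal settings on stdin, which
 * was redirected from a file (`telnet host 22 < a`). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Return 0 if fd is a terminal, otherwise the errno set by the tty query. */
int tty_query_errno(int fd)
{
    struct termios t;

    if (tcgetattr(fd, &t) == 0)
        return 0;
    return errno;
}

/* Run the same query on the read end of a pipe: like a redirected file,
 * it is a valid descriptor that is not a terminal. Returns -1 if the pipe
 * itself could not be created. */
int pipe_query_errno(void)
{
    int fds[2];
    int err;

    if (pipe(fds) != 0)
        return -1;
    err = tty_query_errno(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return err;
}

int main(void)
{
    int err = tty_query_errno(STDIN_FILENO);

    /* Run once interactively and once as `./a.out < somefile` to compare. */
    if (err == 0)
        puts("stdin: is a terminal, no error");
    else
        printf("stdin: %s\n", strerror(err));
    printf("pipe:  %s\n", strerror(pipe_query_errno()));
    return 0;
}
```

When triaging a report like this one, repeating the test with a client that never touches terminal settings separates client-side noise from the server's actual response, which is what the nc run in the correction did.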