Re: openssh vulnerability
From: Przemyslaw Frasunek (venglin_at_freebsd.lublin.pl)
Date: 09/16/03
- Previous message: Vade 79: "[PAPER]: Integer array overflows."
- In reply to: Diode Trnasistor: "openssh vulnerability"
- Next in thread: Robert A. Seace: "Re: openssh vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Sep 2003 21:19:05 +0200
To: Diode Trnasistor <ffddfe@yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Diode Trnasistor wrote:
> Is anyone familiar with what happens when you use
> realloc like they are using originally (when using a
> value instead of the structure to reallocate as the
> second value to realloc)? I still fail to see how
> this is a security problem, and would like it if
> someone would explain it to me. Thanx :)
If buffer->alloc is too large, fatal() is called. In some cases, it will
attempt to buffer_free() such a corrupted buffer, causing memset() to overflow
it with NULL bytes in a rather uncontrolled manner.
Actually, I can't think of any exploit scenario, especially on systems
using phkmalloc.
- --
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** keyId: 2578FCAD | C0613BE3 | EC78FAB5 *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/Z2IpkxEnBiV4/K0RAhdIAJ9zWudCeU8ZzgJODa6dHdjAdp0LLwCgw31D
ynXB9PDdSUPxaOvkacpfNuE=
=BEjm
-----END PGP SIGNATURE-----
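The ordering bug the reply describes, as a constructed C model added here for illustration; it is not OpenSSH's buffer.c and not code from any poster in the thread. The field names, the 0xa00000 limit, the 32768 growth slack, the `cap` field (tracked only so the demo can measure the mismatch) and the non-exiting `fatal_stub()` are all assumptions. The point it shows is the one in the message: the vulnerable version updates `alloc` before the size check, so when the check fails and cleanup frees the buffer, the wipe in free is sized by `alloc` and runs past the memory `buf` really points to; the hardened version commits `alloc` only after a successful reallocation, so the same cleanup path wipes exactly what it owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bookkeeping bug discussed above.
 * Not OpenSSH's buffer.c: names, limits and the fatal stub are assumptions. */

#define MAX_ALLOC  0xa00000u   /* assumed hard cap behind the "too large" check */
#define GROW_SLACK 32768u      /* assumed growth increment */

typedef struct {
    unsigned char *buf;
    size_t alloc;   /* what the code believes buf holds */
    size_t cap;     /* what was really obtained from the allocator (demo-only) */
} Buffer;

static int fatal_called;

/* Stand-in for fatal(): the real one runs cleanup handlers and never
 * returns; this one records the call so the caller can show what the
 * cleanup path would see. */
static void fatal_stub(const char *msg) {
    fatal_called = 1;
    fprintf(stderr, "fatal: %s\n", msg);
}

void buffer_init(Buffer *b) {
    b->cap = 4096;
    b->alloc = b->cap;
    b->buf = malloc(b->cap);
    memset(b->buf, 0, b->cap);
}

/* Vulnerable ordering: alloc is bumped before the limit check, so when
 * fatal() fires, alloc already exceeds the memory buf points to. */
void append_space_vuln(Buffer *b, size_t len) {
    b->alloc += len + GROW_SLACK;
    if (b->alloc > MAX_ALLOC) {
        fatal_stub("buffer_append_space: alloc not supported");
        return;   /* the real fatal() would run cleanup here instead */
    }
    b->buf = realloc(b->buf, b->alloc);
    b->cap = b->alloc;
}

/* Hardened ordering: compute the new size, reject it if too large, and
 * only then commit both the reallocation and the bookkeeping field. */
void append_space_fixed(Buffer *b, size_t len) {
    size_t newlen = b->alloc + len + GROW_SLACK;
    if (newlen > MAX_ALLOC) {
        fatal_stub("buffer_append_space: alloc not supported");
        return;   /* alloc and buf are still consistent */
    }
    b->buf = realloc(b->buf, newlen);
    b->alloc = newlen;
    b->cap = newlen;
}

/* buffer_free() wipes alloc bytes before releasing buf. Returns how many
 * of those bytes would land past the real allocation; the wipe itself is
 * clamped to cap so the demo does not corrupt its own heap. */
size_t buffer_free_overshoot(Buffer *b) {
    size_t overshoot = b->alloc > b->cap ? b->alloc - b->cap : 0;
    memset(b->buf, 0, b->alloc - overshoot);
    free(b->buf);
    b->buf = NULL;
    return overshoot;
}

/* One scenario: an append request that trips the limit, then the cleanup
 * free that fatal() would trigger. Returns the memset overshoot in bytes. */
size_t run_scenario(int fixed) {
    Buffer b;
    fatal_called = 0;
    buffer_init(&b);
    if (fixed)
        append_space_fixed(&b, MAX_ALLOC);
    else
        append_space_vuln(&b, MAX_ALLOC);
    return buffer_free_overshoot(&b);
}

int main(void) {
    printf("vulnerable: cleanup memset would overrun by %zu bytes\n", run_scenario(0));
    printf("fixed:      cleanup memset would overrun by %zu bytes\n", run_scenario(1));
    return 0;
}
```

With a 4096-byte initial buffer, the vulnerable path leaves `alloc` at 0xa00000 + 32768 + 4096 while `buf` still holds 4096 bytes, so the cleanup wipe would run 10518528 bytes past the object; the fixed path reports 0. What that overrun does in practice depends on the allocator, which is the caveat the reply makes about phkmalloc.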