Re: OpenSSH Vulnerability

From: Alexander E. Cuttergo (cuttergo_at_gmx.net)
Date: 09/18/03

Date: Thu, 18 Sep 2003 11:35:21 -0700
To: vuln-dev@securityfocus.com

On Thu, Sep 18, 2003 at 2:57AM, Adam Gilmore wrote:
> The input buffer
> is the one we're hoping to overflow as it's the only one that has a looped
> buffer_append() (which then calls buffer_append_space).

No. At least, you can overflow "compression_buffer". Look at
buffer_uncompress(). The added benefit is you need to send only about 12KB of
data to crash sshd, not 15MB. In this case, if privilege separation is
enabled, the crash happens in an unprivileged process.

In the case of Linux, the trouble is that such a large memory area is allocated via
mmap. It is also the only such large area - therefore there is no mapped
memory after compression_buffer when it overflows. So, sshd crashes in
memcpy() attempting to access non-mapped memory, which is not exploitable.
Perhaps it is possible to force compression_buffer to be allocated on the heap
(if enough memory was freed previously); I failed to do so.

It would be easier to exploit an out-of-memory condition. But it requires an
additional bug to consume all memory on an attacked host. By default, sshd
allows only 10 unauthenticated sessions, so via sshd you can only consume ca.
20MB x 10 = 200MB, which is not enough.

peace,
algo
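The thread turns on a growable buffer whose append path lets a peer drive its size past what was ever intended. The following is an added illustration, not OpenSSH code and not the patch for the bug discussed above: a minimal growable buffer whose append-space routine refuses a request when the length arithmetic would wrap or when the resulting size would exceed a hard cap, so a remote peer can neither trigger unbounded growth nor reach the state the mail describes. The names (growbuf, gb_append_space, BUF_MAX_LEN) and the 1 MiB cap are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical hard cap on total buffer size; OpenSSH uses its own constant. */
#define BUF_MAX_LEN ((size_t)1 << 20)   /* 1 MiB */

typedef struct {
    unsigned char *data;
    size_t alloc;   /* bytes currently allocated */
    size_t len;     /* bytes currently in use */
} growbuf;

void gb_init(growbuf *b) { b->data = NULL; b->alloc = 0; b->len = 0; }
void gb_free(growbuf *b) { free(b->data); gb_init(b); }

/* Reserve room for n more bytes and return a pointer to that space.
   Returns NULL (and leaves the buffer untouched) if the request would
   wrap size_t arithmetic or push the buffer beyond BUF_MAX_LEN.
   The bound is checked BEFORE any reallocation takes place. */
unsigned char *gb_append_space(growbuf *b, size_t n) {
    if (n > BUF_MAX_LEN || b->len > BUF_MAX_LEN - n)
        return NULL;                      /* would exceed cap or wrap */
    size_t need = b->len + n;
    if (need > b->alloc) {
        size_t newalloc = b->alloc ? b->alloc : 4096;
        while (newalloc < need) {         /* geometric growth, capped */
            if (newalloc > BUF_MAX_LEN / 2) { newalloc = BUF_MAX_LEN; break; }
            newalloc *= 2;
        }
        unsigned char *p = realloc(b->data, newalloc);
        if (!p)
            return NULL;                  /* allocation failure is an error, not a crash */
        b->data = p;
        b->alloc = newalloc;
    }
    unsigned char *out = b->data + b->len;
    b->len = need;
    return out;
}

/* Copy n bytes from src into the buffer; 0 on success, -1 if rejected. */
int gb_append(growbuf *b, const void *src, size_t n) {
    unsigned char *dst = gb_append_space(b, n);
    if (!dst)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Demonstration: a peer keeps sending chunks of `chunk` bytes (chunk <= 4096)
   until the buffer refuses. Returns how many bytes were accepted in total;
   it never grows past BUF_MAX_LEN no matter how much is sent. */
size_t demo_fill_until_rejected(size_t chunk) {
    unsigned char chunkbuf[4096];
    growbuf b;
    if (chunk > sizeof chunkbuf)
        return 0;
    memset(chunkbuf, 'A', sizeof chunkbuf);   /* constructed sample payload */
    gb_init(&b);
    while (gb_append(&b, chunkbuf, chunk) == 0)
        ;
    size_t total = b.len;
    gb_free(&b);
    return total;
}

int main(void) {
    printf("accepted %zu bytes before rejection\n", demo_fill_until_rejected(4096));
    return 0;
}
```

The point of the check ordering is that the decision to reject is made on the requested total length alone, before realloc or memcpy see it; a size that wraps `b->len + n` is caught by the subtraction form of the comparison, and an allocator failure is reported to the caller rather than dereferenced.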
