Re: OpenSSH Vulnerability
From: Ryan Veety (ryan_at_ryanspc.com)
Date: 09/18/03
- Previous message: deepcode .: "Re: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Maybe in reply to: Adam Gilmore: "OpenSSH Vulnerability"
- Next in thread: Adam: "Re: OpenSSH Vulnerability"
Date: 18 Sep 2003 16:33:16 -0000
To: vuln-dev@securityfocus.com
In-Reply-To: <KLEPKILGKHEKNJKBCGLEOEJBCAAA.adam@zeusinternet.net>
>Now, I've been hacking at the 3.6p1 source all day and it comes down to a
>few things. OpenSSH refuses packets > 256kb in size. Also,
>buffer_append_space() will only let you append 1mb of data at a time. It
>needs >10mb allocated to successfully error and null out too much data. So
>that's the big obstacle so far, overcoming the limits.
Turn on ssh packet compression, ssh -C. 10MB of NOPs easily compresses down to < 256KB and causes the fatal() in buffer.c. That's about as far as I've gotten so far.
Ryan
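
Added example, not part of the original post and not OpenSSH code: it shows why a size limit checked only on the compressed packet does not bound what the receiver ends up buffering, and how a receiver can cap the inflated size instead. The function names, the 1 MiB inflated limit and the sample payload are assumptions made for illustration.

```python
import zlib

PACKET_LIMIT = 256 * 1024      # pre-decompression packet cap quoted in the thread
INFLATED_LIMIT = 1024 * 1024   # assumed cap on decompressed size (illustrative)


def deflate(payload: bytes) -> bytes:
    """Compress a payload the way a compressing sender would (zlib/deflate)."""
    return zlib.compress(payload)


def passes_wire_check(wire: bytes) -> bool:
    """The weak check: only the size of the compressed packet is tested."""
    return len(wire) <= PACKET_LIMIT


def bounded_inflate(wire: bytes, limit: int = INFLATED_LIMIT) -> bytes:
    """Inflate wire data, refusing any stream that expands past `limit` bytes."""
    d = zlib.decompressobj()
    # Ask for at most limit + 1 bytes so an oversized stream is detected
    # without ever materialising the full expanded payload.
    out = d.decompress(wire, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed payload exceeds limit")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return out


if __name__ == "__main__":
    # Constructed sample: 10 MiB of one repeated byte, as described in the post.
    payload = b"\x90" * (10 * 1024 * 1024)
    wire = deflate(payload)
    print("compressed size:", len(wire), "bytes")
    print("passes compressed-size check:", passes_wire_check(wire))
    try:
        bounded_inflate(wire)
    except ValueError as err:
        print("bounded inflate rejected it:", err)
```
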