Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
daemon@ATHENA.MIT.EDU (Nick Craig-Wood)
Fri Nov 19 17:20:35 1999
Mail-Followup-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991118224458.D2535@axis.demon.co.uk>
Date: Thu, 18 Nov 1999 22:44:58 +0000
Reply-To: Nick Craig-Wood <ncw1@AXIS.DEMON.CO.UK>
From: Nick Craig-Wood <ncw1@AXIS.DEMON.CO.UK>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991116204836.A16269@luna.theo2.physik.uni-stuttgart.de>
On Tue, Nov 16, 1999 at 08:48:36PM +0100, Jochen Bauer wrote:
> On Tue, Nov 16, 1999 at 11:30:16AM +0100, Oystein Viggen wrote:
> > Does the fact that the international version of ssh from replay.com uses
> > "internal rsaref" instead of the "external rsaref" in the US version make
> > it immune to this attack too?
> >
> > The version is at least not as far as I can see externally linked to any
> > rsaref library:
> [...]
>
> As the buffer overflow is not located in the rsaref library itself, one
> cannot say that a particular version of sshd is vulnerable or not just
> because of the libraries it has been linked with.
I downloaded the rpm source ssh-1.2.27-5i.src.rpm, prepped it and
examined the code.
$ grep -C RSAREF config.h
/* Define to use RSAREF. */
/* #undef RSAREF */
So I would say RSAREF is not set in this rpm so you are safe.
I'd also note that if you compile ssh from source you have to
specifically enable the RSAREF code, which most people won't have done
I'd imagine.
Also note in ssh.c
    case 'V':
#ifdef F_SECURE_COMMERCIAL
#endif /* F_SECURE_COMMERCIAL */
      fprintf(stderr, "SSH Version %s [%s], protocol version %d.%d.\n",
              SSH_VERSION, HOSTTYPE, PROTOCOL_MAJOR, PROTOCOL_MINOR);
#ifdef RSAREF
      fprintf(stderr, "Compiled with RSAREF.\n");
#else /* RSAREF */
      fprintf(stderr, "Standard version. Does not use RSAREF.\n");
#endif /* RSAREF */
      exit(0);
and the result of this
$ ssh -V
SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.
Should give you the definitive answer as to whether RSAREF was defined
or not when ssh (and hopefully sshd) was compiled.
--
Nick Craig-Wood
ncw1@axis.demon.co.uk
http://www.axis.demon.co.uk/
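The two checks the post describes (an active `#define RSAREF` in config.h, and the RSAREF line in the `ssh -V` banner) can be scripted so that an administrator can run them over a build tree. The following is an added example and is not code from the post or from the ssh distribution; the config.h fragments are constructed samples, the banner strings follow the format printed by the `-V` case shown above, and the "mismatch" verdict (config.h and banner disagree) is my own addition to flag the caveat the post raises: `ssh -V` describes the client binary, and the sshd in use may come from a different build.

```shell
#!/bin/sh
# Added example (not from the original post). Decides whether an ssh
# build was compiled with RSAREF by looking at two independent signals:
#   1. config.h: an active "#define RSAREF" line (the rpm in the post shows
#      it disabled as "/* #undef RSAREF */")
#   2. the "ssh -V" banner: "Compiled with RSAREF." or
#      "Standard version. Does not use RSAREF."

# Return 0 when config.h enables RSAREF, 1 otherwise. The pattern requires
# the line to begin with '#', so the commented-out "/* #undef RSAREF */"
# (or a commented-out "#define") does not match.
rsaref_in_config_h() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+RSAREF([[:space:]]|$)' "$1"
}

# Return 0 when an "ssh -V" banner (passed as one string) reports RSAREF,
# 1 when it reports the standard build, 2 when the banner is unrecognised.
rsaref_in_banner() {
    case "$1" in
        *"Compiled with RSAREF."*)  return 0 ;;
        *"Does not use RSAREF."*)   return 1 ;;
        *)                          return 2 ;;
    esac
}

# Print "rsaref", "standard" or "unknown" (file missing/unreadable).
classify_config_h() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if rsaref_in_config_h "$1"; then echo rsaref; else echo standard; fi
}

# Print "rsaref", "standard" or "unknown" for a banner string.
classify_banner() {
    rc=0
    rsaref_in_banner "$1" || rc=$?
    case $rc in
        0) echo rsaref ;;
        1) echo standard ;;
        *) echo unknown ;;
    esac
}

# Combine both signals. config.h is the build-time truth for the tree it
# came from; the banner only describes the client binary that printed it,
# so a disagreement is reported as "mismatch" rather than silently resolved.
classify_build() {
    cfg=$(classify_config_h "$1")
    ban=$(classify_banner "$2")
    if [ "$cfg" = unknown ]; then echo "$ban"
    elif [ "$ban" = unknown ]; then echo "$cfg"
    elif [ "$cfg" = "$ban" ]; then echo "$cfg"
    else echo mismatch
    fi
}

# Constructed sample inputs (not taken from any real build tree).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/standard_config.h" <<'EOF'
/* Define to use RSAREF. */
/* #undef RSAREF */
EOF
cat > "$SAMPLE_DIR/rsaref_config.h" <<'EOF'
/* Define to use RSAREF. */
#define RSAREF 1
EOF
STANDARD_BANNER='SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.'
RSAREF_BANNER='SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Compiled with RSAREF.'

# Demonstration run over the constructed samples.
for cfg in standard rsaref; do
    printf '%s config.h + standard banner -> %s\n' "$cfg" \
        "$(classify_build "$SAMPLE_DIR/${cfg}_config.h" "$STANDARD_BANNER")"
done
printf 'no config.h + rsaref banner -> %s\n' \
    "$(classify_build "$SAMPLE_DIR/does_not_exist.h" "$RSAREF_BANNER")"
```

On a real host, replace the sample arguments with the path to the config.h from the build that produced the installed sshd and the output of `ssh -V 2>&1`; a "mismatch" verdict means the client and the build tree were not configured the same way, and the sshd binary itself needs to be traced to its own build.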