[12949] in bugtraq


ssh-1.2.27 exploit

daemon@ATHENA.MIT.EDU (Jarek Kutylowski)
Mon Dec 13 17:17:37 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.9912130919050.1146-100000@main.tenet.pl>
Date:         Mon, 13 Dec 1999 09:27:05 +0100
Reply-To: Jarek Kutylowski <jarekk@TENET.PL>
From: Jarek Kutylowski <jarekk@TENET.PL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I have now worked on the ssh-1.2.27 rsaref buffer overflow and now consider
ssh quite immune. It is of course possible to crash sshd, but
a real attack is, in my opinion, impossible.

To do an overflow we must provide a buffer of 136 bytes in length (the
input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes
for the EIP). Everything works fine until we reach the RSAPrivateDecrypt
function in rsaref. This function checks the variable input_len, which
is the length of the buffer (in our case it is at least 136), against
the variable modulus_len, which is 128. When this check fails (and it
does), RSAPrivateDecrypt returns an error, causing sshd to fall into
a fatal error.

A solution for this problem would be to overflow input_len. On my
machine this variable normally gets optimized, so there is no way. Anyway,
when it is written to the stack, it is saved well before input_data,
so it is inaccessible.

If you have any other suggestions, I'd like to hear them.

-- Jarek Kutylowski
  <jarekk@tcs.uni.wroc.pl>
  <jarekk@tenet.pl>

Get my PGP public key by running "finger jarekk@tenet.pl"
or by WWW from "www.tenet.pl/~jarekk/pgp.txt" !!!
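The frame layout and the ordering of copy-then-check that the post describes, as an added model in C. This is not code from ssh-1.2.27 or RSAREF: the `struct frame`, the placeholder saved-register values, the `RE_LEN` error code and the function names are assumptions chosen to mirror the post's numbers (128 bytes of input_data, 4 bytes of saved EBP, 4 bytes of saved EIP, a 128-byte modulus). It shows why a 136-byte packet lands on the saved EIP yet never gets to use it: RSAPrivateDecrypt's length check fires on the original input_len and sshd's fatal path exits before the corrupted frame is returned through, and the input_len slot, sitting below the buffer, is out of the overflow's reach.

```c
/* Model of the sshd frame and the RSAREF length check described in the
 * post. Added illustration, not ssh-1.2.27 or RSAREF code: the frame
 * layout, placeholder register values and RE_LEN are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_DATA_LEN 128u  /* input_data buffer size, per the post */
#define MODULUS_LEN    128u  /* modulus_len for a 1024-bit key, per the post */
#define RE_LEN         1     /* assumed error code for "input longer than modulus" */

/* Modelled stack frame. input_len sits below the buffer (lower address),
 * as the post says, so a forward overflow cannot reach it; saved EBP and
 * EIP sit directly above input_data, at offsets 128 and 132 from it. */
struct frame {
    unsigned int  input_len;                 /* unreachable by the overflow */
    unsigned char input_data[INPUT_DATA_LEN];
    uint32_t      saved_ebp;
    uint32_t      saved_eip;
};

struct outcome {
    unsigned int input_len;      /* the input_len slot after the copy */
    uint32_t     saved_ebp;      /* what sits in the saved-EBP slot after the copy */
    uint32_t     saved_eip;      /* what sits in the saved-EIP slot after the copy */
    int          decrypt_status; /* 0 = decrypt proceeds, RE_LEN = rejected */
    int          fatal;          /* 1 = sshd's fatal() path: exit, the frame is never returned through */
};

/* The check the post attributes to RSAPrivateDecrypt: it runs on the
 * original length, after the buffer has already been overrun. */
int rsa_private_decrypt_check(unsigned int input_len, unsigned int modulus_len)
{
    return input_len > modulus_len ? RE_LEN : 0;
}

/* Simulated sshd path: unbounded copy into input_data, then the RSAREF
 * check. The copy is capped at the end of the modelled frame (136 bytes
 * from input_data) so the model itself stays well defined. */
struct outcome handle_key_exchange(const unsigned char *packet, unsigned int len)
{
    struct frame f;
    unsigned char *dst = (unsigned char *)&f + offsetof(struct frame, input_data);
    unsigned int room = (unsigned int)(sizeof f - offsetof(struct frame, input_data));
    struct outcome o;

    f.input_len = len;
    memset(f.input_data, 0, sizeof f.input_data);
    f.saved_ebp = 0xbffff7f8u;   /* placeholder saved registers (assumed) */
    f.saved_eip = 0x0804a1c2u;

    /* The bug: len is never compared with sizeof input_data before copying. */
    memcpy(dst, packet, len < room ? len : room);

    o.input_len = f.input_len;
    o.saved_ebp = f.saved_ebp;
    o.saved_eip = f.saved_eip;
    o.decrypt_status = rsa_private_decrypt_check(f.input_len, MODULUS_LEN);
    o.fatal = o.decrypt_status != 0;
    return o;
}

/* Builds the 136-byte packet the post describes: 128 bytes of filler,
 * 4 bytes over saved EBP, 4 bytes over saved EIP. Returns its length. */
unsigned int build_overflow_payload(unsigned char *buf, uint32_t ebp, uint32_t eip)
{
    memset(buf, 'A', INPUT_DATA_LEN);
    memcpy(buf + INPUT_DATA_LEN, &ebp, sizeof ebp);
    memcpy(buf + INPUT_DATA_LEN + sizeof ebp, &eip, sizeof eip);
    return INPUT_DATA_LEN + 8;
}

/* Constructed scenario 1: the 136-byte overflow from the post. */
struct outcome run_overflow_scenario(void)
{
    unsigned char packet[INPUT_DATA_LEN + 8];
    unsigned int n = build_overflow_payload(packet, 0x42424242u, 0xdeadbeefu);
    return handle_key_exchange(packet, n);
}

/* Constructed scenario 2: a legitimate 128-byte encrypted session key. */
struct outcome run_legitimate_scenario(void)
{
    unsigned char packet[INPUT_DATA_LEN];
    memset(packet, 'K', sizeof packet);
    return handle_key_exchange(packet, sizeof packet);
}

int main(void)
{
    struct outcome o = run_overflow_scenario();
    printf("overflow: saved EIP now 0x%08x, input_len %u (untouched), "
           "RSAPrivateDecrypt %d, fatal %d\n",
           o.saved_eip, o.input_len, o.decrypt_status, o.fatal);
    o = run_legitimate_scenario();
    printf("legit:    saved EIP 0x%08x, RSAPrivateDecrypt %d, fatal %d\n",
           o.saved_eip, o.decrypt_status, o.fatal);
    return 0;
}
```

The model deliberately reads input_len from its own slot rather than from the packet, which is the point of the post's second paragraph: the only value the check consults is one the overflow cannot rewrite, so any packet long enough to reach saved EIP is also long enough to trip the `input_len > modulus_len` test.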
