[19106] in bugtraq
Re: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Iv=E1n_Arce?=)
Fri Feb 9 17:47:18 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <08ee01c092c5$f50daa60$2e58a8c0@ffornicario>
Date: Fri, 9 Feb 2001 16:32:44 -0300
Reply-To: =?iso-8859-1?Q?Iv=E1n_Arce?= <core.lists.bugtraq@CORE-SDI.COM>
From: =?iso-8859-1?Q?Iv=E1n_Arce?= <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
Yet another error in the advisory released last Wednesday.
----- Original Message -----
From: "Iván Arce" <core.lists.bugtraq@core-sdi.com>
Newsgroups: core.lists.bugtraq
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
> CORE SDI
> http://www.core-sdi.com
> SSH protocol 1.5 session key recovery vulnerability
>
>
...
> -------------- cut here ----------------------------------------------
>
> --- rsaglue.c 1999/12/10 23:27:25 1.8
> +++ rsaglue.c 2001/02/03 09:42:05
> @@ -264,7 +268,15 @@
> mpz_clear(&aux);
>
> if (value[0] != 0 || value[1] != 2)
> - fatal("Bad result from rsa_private_decrypt");
> + {
> + static time_t last_kill_time = 0;
> + if (time(NULL) - last_kill_time > 60 && getppid() != 1)
> + {
> + last_kill_time = time(NULL);
> + kill(SIGALRM, getppid());
... This is wrong wrong wrong and will produce unpredictable results
on the server machine and does not fix the vulnerability either.
The correct line is:
+ kill(getppid(),SIGALRM);
Thanks to Matt Power from the Bindview RAZOR Team for
pointing this out.
The advisory at our web page has been updateed to reflect this
change.
-ivan
---
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================
--- For a personal reply use iarce@core-sdi.com
