[5187] in bugtraq

Re: More ssh fun (sshd this time)

daemon@ATHENA.MIT.EDU (Wietse Venema)
Tue Aug 26 17:36:25 1997

Date: 	Mon, 25 Aug 1997 18:48:33 -0400
Reply-To: Wietse Venema <wietse@WZV.WIN.TUE.NL>
From: Wietse Venema <wietse@WZV.WIN.TUE.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199708191234.OAA01247@zero.xs4all.nl> from Ivo van der Wijk at
              "Aug 19, 97 02:34:20 pm"

[Reposted. The previous copy disappeared after being forwarded by
the listserv -- Wietse]

Ivo van der Wijk:
> - This could also be considered a bug in bind(), because it doesn't wrap
>   port numbers > 65536, but still, it makes sshd vulnerable, at least on Linux
>   (2.0.29), Solaris 2.4 and SunOS 4.1.4

Actually, the port number passed to bind() is a 16-bit quantity
(the sin_port member of a struct sockaddr_in).

The fix would be to compare ntohs(foo.sin_port) with IPPORT_RESERVED.
By sheer dumb luck, this is exactly what I did in my hacked FTP daemon.

        Wietse
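
Added example, not part of the message above and not code from sshd or from the FTP daemon it mentions: a check made on the wide integer a client requested, next to the check on the 16-bit value that ends up in sin_port. The function names and the sample port values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Flawed check: tests the wide integer that was requested, not what bind() sees. */
static int naive_is_reserved(long requested)
{
    return requested < (long)IPPORT_RESERVED;
}

/* Build the address as it is handed to bind(): sin_port is 16 bits wide,
 * so a value above 65535 is reduced modulo 65536 by this assignment. */
static void fill_addr(struct sockaddr_in *sin, long requested)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin->sin_port = htons((uint16_t)requested);
}

/* Port number bind() would actually use for this request. */
static unsigned effective_port(long requested)
{
    struct sockaddr_in sin;
    fill_addr(&sin, requested);
    return ntohs(sin.sin_port);
}

/* The comparison named in the message: ntohs(sin_port) against IPPORT_RESERVED. */
static int must_refuse(long requested)
{
    return effective_port(requested) < (unsigned)IPPORT_RESERVED;
}

int main(void)
{
    long samples[] = { 22, 8080, 65536L + 22 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%ld -> port %u, naive=%d, refuse=%d\n", samples[i],
               effective_port(samples[i]), naive_is_reserved(samples[i]),
               must_refuse(samples[i]));
    return 0;
}
```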
