ssh-1.2.27 exploit
Subject: ssh-1.2.27 exploit
From: Jarek Kutylowski (jarekk@TENET.PL)
Date: Mon Dec 13 1999 - 02:27:05 CST
- Next message: UNYUN: "VDO Live Player 3.02 Buffer Overflow"
- Previous message: Jake Luck: "64bit Sol7 on Ultra1 < 200mhz bug"
- Next in thread: Iván Arce: "Re: ssh-1.2.27 exploit"
- Reply: Iván Arce: "Re: ssh-1.2.27 exploit"
- Reply: Beto: "Re: ssh-1.2.27 exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I have now worked on the ssh-1.2.27 rsaref buffer overflow and now consider
ssh quite immune. It is of course possible to crash sshd, but
a real attack is, in my opinion, impossible.

To do an overflow, we must provide a buffer of 136 bytes in length (the
input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes
for the EIP). Everything works fine until we reach the RSAPrivateDecrypt
function in rsaref. This function checks the variable input_len, which
is the length of the buffer (in our case it is a minimum of 136), against
the variable modulus_len, which is 128. When this check fails (and it
does), RSAPrivateDecrypt returns an error, causing sshd to fall into
a fatal error.

A solution for this problem would be to overflow input_len. On my
machine this variable normally gets optimized, so there is no way. Anyway,
when it is written to the stack, it is saved well before input_data,
so it is inaccessible.
If you have any other suggestions, I'd like to hear them.
-- Jarek Kutylowski
<jarekk@tcs.uni.wroc.pl>
<jarekk@tenet.pl>
Get my PGP public key by running "finger jarekk@tenet.pl"
or by WWW from "www.tenet.pl/~jarekk/pgp.txt" !!!
This archive was generated by hypermail 2b27 : Mon Dec 13 1999 - 16:30:01 CST