From: Iván Arce (core.lists.bugtraqCORE-SDI.COM)
Date: Fri Feb 09 2001 - 13:32:44 CST


    Hello,

    Yet another error in the advisory released last Wednesday.

    ----- Original Message -----
    From: "Iván Arce" <core.lists.bugtraqcore-sdi.com>
    Newsgroups: core.lists.bugtraq
    To: <BUGTRAQSECURITYFOCUS.COM>
    Sent: Wednesday, February 07, 2001 6:25 PM
    Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability

    > CORE SDI
    > http://www.core-sdi.com
    > SSH protocol 1.5 session key recovery vulnerability
    >
    >

    ...
    > -------------- cut here ----------------------------------------------
    >
    > --- rsaglue.c 1999/12/10 23:27:25 1.8
    > +++ rsaglue.c 2001/02/03 09:42:05
    > -264,7 +268,15
    > mpz_clear(&aux);
    >
    > if (value[0] != 0 || value[1] != 2)
    > - fatal("Bad result from rsa_private_decrypt");
    > + {
    > + static time_t last_kill_time = 0;
    > + if (time(NULL) - last_kill_time > 60 && getppid() != 1)
    > + {
    > + last_kill_time = time(NULL);
    > + kill(SIGALRM, getppid());
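
    Review bot: The arguments to kill() on the last added line are reversed. kill() takes the target process ID first and the signal number second, so kill(SIGALRM, getppid()) uses the parent's PID as the signal number and the numeric value of SIGALRM as the target PID, and the parent sshd never receives the alarm. Swap them to kill(getppid(), SIGALRM), and check the return value so that a failed delivery is not silently ignored.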

    ... This is wrong wrong wrong and will produce unpredictable results
        on the server machine and does not fix the vulnerability either.
       The correct line is:

    + kill(getppid(),SIGALRM);

    Thanks to Matt Power from the Bindview RAZOR Team for
    pointing this out.

    The advisory at our web page has been updated to reflect this
    change.

    -ivan

    ---
    

    "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

    ==================[ CORE Seguridad de la Informacion S.A. ]=========
    Iván Arce
    Presidente
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
    email : iarcecore-sdi.com
    http://www.core-sdi.com
    Florida 141 2do cuerpo Piso 7
    C1005AAC Buenos Aires, Argentina.
    Tel/Fax : +(54-11) 4331-5402
    =====================================================================

    --- For a personal reply use iarcecore-sdi.com