OSEC

From: KF (dotslashsnosoft.com)
Date: Fri Mar 08 2002 - 13:54:32 CST

    So is this what that teso "0day" for ssh < 3.1 was exploiting? Someone
    mentioned something about not needing a user account in a different
    thread I think.
    -KF

    Attila Nagy wrote:

    >Hello,
    >
    >>Does anyone know which versions of the commercial SSH (if any) are
    >>vulnerable?
    >>
    >The diff between the vulnerable version and the good one is:
    >- if (id < 0 || id > channels_alloc) {
    >+ if (id < 0 || id >= channels_alloc) {
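    Review bot: ">=" is the right upper bound here: with ">", an id equal to channels_alloc passes the check and then indexes one element past a table of channels_alloc entries. A short comment on the line saying that channels_alloc is a count of slots, not the last valid index, would help, since the same comparison has already been revised once.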
    >
    >The function channel_lookup appeared in channels.c on Tue Mar 28 20:31:25
    >2000 UTC, 23 months, 1 week ago
    >in this form:
    >+ if (id < 0 && id > channels_alloc) {
    >+ log("channel_lookup: %d: bad id", id);
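    Review bot: the "&&" makes this condition unsatisfiable: no id is both below 0 and above channels_alloc, so the log line never fires and every id, negative or oversized, reaches the table lookup. The intent is clearly "||", and even then the upper test should be ">= channels_alloc", because channels_alloc is the number of slots.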
    >
    >See
    >http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.40&r2=1.41
    >for the diff.
    >
    >Then on Sun Jun 25 20:17:57 2000 UTC, 20 months, 1 week ago the above line
    >changed:
    >- if (id < 0 && id > channels_alloc) {
    >+ if (id < 0 || id > channels_alloc) {
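    Review bot: swapping "&&" for "||" restores rejection of negative and oversized ids, but ">" still admits id == channels_alloc, one past the last valid slot; "id >= channels_alloc" is needed to close the off-by-one rather than only the unsatisfiable condition.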
    >
    >See
    >http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.62&r2=1.63
    >for the diff.
    >
    >In ssh.com's 3.1.0 there is no channels.c, or channels_alloc so I think
    >this bug does not affect that (or not exactly the same way as in OpenSSH
    >:).
    >
    >--------------------------------------------------------------------------
    >Attila Nagy e-mail: Attila.Nagyfsn.hu
    >Budapest Polytechnic (BMF.HU) work: +361 210 1415 (194)
    >H-1084 Budapest, Tavaszmezo u. 15-17. cell.: +3630 306 6758
    >
    >
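To make the three forms of the check concrete, here is an added C example (mine, not OpenSSH's code) that reproduces each variant of the channel_lookup bounds test over a constructed channel table of channels_alloc slots and counts the ids each variant lets through without naming a valid slot; the guard slot, the enum names and the table size are assumptions for the demo.

```c
#include <stdio.h>
/* Constructed stand-in for OpenSSH's channel table (not the project's code):
 * channels_alloc valid slots, 0..channels_alloc-1, plus one guard slot so the
 * demo can observe index channels_alloc without undefined behaviour. */
#define CHANNELS_ALLOC 4
typedef struct { int in_bounds; } Channel;
static Channel table[CHANNELS_ALLOC + 1] = { {1}, {1}, {1}, {1}, {0} };
static int channels_alloc = CHANNELS_ALLOC;
/* One case per form of the bounds test quoted in the thread. */
enum check_variant { CHECK_AND_GT, CHECK_OR_GT, CHECK_OR_GE };

/* Returns 1 when the variant rejects the id, 0 when it lets it through. */
static int id_rejected(enum check_variant v, int id)
{
    switch (v) {
    case CHECK_AND_GT: return id < 0 && id > channels_alloc;  /* Mar 2000 */
    case CHECK_OR_GT:  return id < 0 || id > channels_alloc;  /* Jun 2000 */
    case CHECK_OR_GE:  return id < 0 || id >= channels_alloc; /* fixed */
    }
    return 1;
}

/* channel_lookup with the chosen check: NULL if rejected, else the slot.
 * The extra guard keeps the demo inside the table for ids the check misses. */
static Channel *channel_lookup_variant(enum check_variant v, int id)
{
    if (id_rejected(v, id) || id < 0 || id > CHANNELS_ALLOC)
        return NULL;
    return &table[id];
}

/* Probes ids -1 .. channels_alloc and counts those the check lets through
 * even though they do not name a valid slot. */
static int count_unsafe_ids(enum check_variant v)
{
    int unsafe = 0;
    for (int id = -1; id <= channels_alloc; id++)
        if (!id_rejected(v, id) && (id < 0 || id >= channels_alloc))
            unsafe++;
    return unsafe;
}

int main(void)
{
    printf("&& >  lets %d bad ids through\n", count_unsafe_ids(CHECK_AND_GT)); /* 2 */
    printf("|| >  lets %d bad ids through\n", count_unsafe_ids(CHECK_OR_GT));  /* 1 */
    printf("|| >= lets %d bad ids through\n", count_unsafe_ids(CHECK_OR_GE));  /* 0 */
    return 0;
}
```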