Bugtraq: Re: More ssh fun (sshd this time)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: More ssh fun (sshd this time)

From: ccraig () CC GATECH EDU (Christopher Craig)
Date: Wed, 27 Aug 1997 11:48:35 -0400


Included From: Solar Designer <solar () FALSE COM>:

+   if (port > 65535)
+     packet_disconnect("Requested port is %d is invalid",port);


This still doesn't fix the problem since port is defined as a signed int,
and negative values will pass your check. Of course, their lower 16 bits
may represent a privileged port number.


The lines directly after this in the code are

    if (port < 1024 && !is_root)
      packet_disconnect("Requested forwarding of port %d but user is not root.",

It looks like that should catch negative (as well as privileged)
port numbers, so I don't think the patch really has to fix that
problem at all.

--
Christopher Craig (ccraig () cc gatech edu)
"You could shoot Microsoft Office off the planet and this country would
 run better. You would see everyone standing around saying, 'I've got
 so much time now.' "  Scott McNealy (CEO of Sun)
PGP Key Verification: EE B1 F3 A0 3F BC 3C C7  81 61 F1 91 6E 99 13 65
http://www.cc.gatech.edu/people/home/ccraig

By Date By Thread

Current thread:

Active X exploit., (continued)
- Active X exploit. Peter Shipley (Aug 25)
- Re: More ssh fun (sshd this time) Wietse Venema (Aug 25)
- Re: More ssh fun (sshd this time) Thamer Al-Herbish (Aug 23)
  - Re: More ssh fun (sshd this time) Solar Designer (Aug 27)
  - Re: More ssh fun (sshd this time) Paul H. Hargrove (Aug 27)
- Re: More ssh fun (sshd this time) Christopher Craig (Aug 27)
  - Integer Overflows Solar Designer (Aug 27)