Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ssh-1.2.27 exploit
From: core.lists.bugtraq () CORE-SDI COM (Beto)
Date: Wed, 15 Dec 1999 18:30:28 -0300

Jarek Kutylowski wrote:

I have now worked on the ssh-1.2.27 rsaref buffer overflow and consider
ssh now as quite immune. It is of course possible to crash sshd, but
a real attack is, in my opinion, impossible.
Doing an overflow we must provide a buffer of 136 bytes length (the
input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes
for the EIP). Everything works fine until we reach the RSAPrivateDecrypt
function in rsaref. This function checks the variable input_len, which
is the length of the buffer (in our case it is minimum 136) against
the variable modulus_len, which is 128. When this check fails (and it
does), RSAPrivateDecrypt returns error, causing sshd to fall into
a fatal error.

That's right, but you can also overflow the rsa_private_decrypt's

void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey
  unsigned char input_data[MAX_RSA_MODULUS_LEN];
  unsigned char output_data[MAX_RSA_MODULUS_LEN];
  unsigned int input_len, output_len, input_bits;
  R_RSA_PRIVATE_KEY private_key;

key points to a RSAPrivateKey structure who has the modulus_len value.
So, to make the exploit work you have to overflow this pointer to a new
key with the correct modulus_len so the check you pointed before does
not return error. 
You can't put the fake key into the buffer 'cause it's too short, so you
have to find another place to put it in. That place is the
incoming_packet.buf variable. There you have 4kb (if i remember well) to
store whaterver you want. Actually the exploits sends the fake key and
the shell code after the crypted data. The first overflow makes key
point to the fake key into incoming_packet.buf and the second one in
NN_Decode() overflows RSAPrivateDecrypt()'s return address to point into 
incoming_packet.buf whereis the shell_code.

If you have any other suggestions, I'd like to hear them.


==============================[ CORE Seguridad de la Informacion S.A.
Alberto Soliño                                  WWW      
Consultor                                       Email    
:asolino () core-sdi com
Pte. Juan D. Peron 315 4p UF 17                 TE        :
CP 1038 Capital Federal                         FAX       :
Buenos Aires, Argentina

--- For a personal reply use asolino () core-sdi com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]