Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [VulnWatch] exploiting the zlib bug in openssh
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 12 Mar 2002 12:12:51 -0500 (EST)

On Tue, 12 Mar 2002, H D Moore wrote:

I patched the OpenSSH client to send this corrupt zlib buffer after the
key exchange, the inflate() call on the remote end is returning the
correct value indicating that the buffer did what it was supposed to
(Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the
fatal_cleanup() and inflateEnd()  calls.  Taking the same buffer and
sticking it into the inflate() call of another application causes the
desired SEGV and possible path to exploitability, so why isn't OpenSSH
crashing?

I think I researached this problem few months ago. I found this condition
while performing fuzz-alike test on zlib, thinking specifically about one
of SSH implementations. The problem with exploiting it in OpenSSH checks
are strict enough to exit almost immediately, after first inflate() call
returns error - while the bug needed second inflate() call or inflateEnd()
call to be exploited (don't remember extactly). One way or another, I
found this not exploitable and gave up on this bug.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/


  By Date           By Thread  

Current thread:
  • Re: [VulnWatch] exploiting the zlib bug in openssh Michal Zalewski (Mar 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]