Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: R7-0009: Vulnerabilities in SSH2 Implementations
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 16 Dec 2002 17:14:03 -0500 (EST)

Suite testing like Rapid7 has just released is basically a new
paradigm, and very few people seem to be doing it despite its
unprecedented power.  Since the scale of it is much larger than
"normal" testing, it will take a while to iron out the kinks :)

Even the PROTOS reports (SNMP or LDAP) do not explicitly say which
vendor was vulnerable to which individual test case.  Many vendors
don't say (or even know) which bug was fixed and where (because, for
example, the security response teams may only have what the developers
have told them).  In addition, you can have lots of interactions going
on between the test cases; as a simple example, NULL dereferences may
show up as the result of a long input, which could cause someone to
interpret the data as a buffer overflow because a crash happened.  See
my report on FTP client directory traversal for another example of
unusual interactions, in which test cases sometimes had to be

You list his implementation as vulnerable in an advisory that talks
about those types of vulnerabilities, and later you quote the vendor
saying it is not an issue, with no commentary whatsoever. He is
confused. It takes time to find out.

I suspect that very few information consumers actually examine and
understand the details at this level.  Otherwise we would see
questions/comments like this a lot more frequently.  This lack of
clarity seems to happen a lot when advisories describe multiple
vulnerabilities.  A "matrix" of bugs-versus-versions might help, but
as I said, this type of detail is not always available.

- Steve
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Re: R7-0009: Vulnerabilities in SSH2 Implementations Steven M. Christey (Dec 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]