oss-sec mailing list archives

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems


From: Qualys Security Advisory <qsa () qualys com>
Date: Wed, 3 Jul 2024 10:56:59 +0000

Hi Jacob, all,

On Tue, Jul 02, 2024 at 09:01:48PM -0500, Jacob Bachmeyer wrote:
> A thought occurred to me late last night:  this exploit required the use of
> a very long fake user name (~128KB).

A side note, just in case: only our exploit against Ubuntu 6.06.1 uses a
very long user name; our exploits against Debian 3.0r6 and Debian 12.5.0
simply use "nobody" (but it could be any existing user name).

> If there currently really is no limit at all, outrageously long fake
> usernames (limited only by bandwidth and LoginGraceTime?)

There are various already-existing limits along the way, but the first
one is PACKET_MAX_SIZE, which limits the size of a packet (and hence the
strings it contains) to 256KB (and this is pre-authentication, so no
compression tricks are possible, here).

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team
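The reply above points at PACKET_MAX_SIZE as the first bound a pre-authentication string runs into: whatever a client sends, every string it carries must fit inside one SSH binary packet, so capping the packet_length field before buffering bounds the user name too. The following is an added illustration written for this archive page, not code from the thread or from OpenSSH. It reuses the name and value PACKET_MAX_SIZE = 256KB quoted in the message, but the header parser, the header builder and the result codes are hypothetical helpers of my own, following the binary packet layout of RFC 4253 section 6 (uint32 packet_length, byte padding_length, payload, padding; at least 4 bytes of padding; total length a multiple of 8 when no larger block size applies).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Value quoted in the message: the largest SSH binary packet the receiver
 * will accept. OpenSSH uses the same name; the rest of this file is not
 * OpenSSH code. */
#define PACKET_MAX_SIZE (256 * 1024)

/* Outcome of inspecting the head of an incoming packet (hypothetical codes). */
enum pkt_check {
    PKT_OK = 0,        /* header is sane; safe to buffer the rest */
    PKT_NEED_MORE = 1, /* fewer than 5 bytes available so far */
    PKT_TOO_LARGE = 2, /* packet_length exceeds PACKET_MAX_SIZE */
    PKT_MALFORMED = 3  /* padding or alignment violates RFC 4253 */
};

/* Read the packet_length and padding_length fields from the first 5 bytes
 * of a packet and decide whether the receiver may continue. The size check
 * runs before any allocation, which is the point: a string inside the
 * packet can never be longer than the packet itself. */
enum pkt_check check_packet_header(const uint8_t *buf, size_t have,
                                   uint32_t *out_len)
{
    if (have < 5)
        return PKT_NEED_MORE;

    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (out_len)
        *out_len = len;

    if (len > PACKET_MAX_SIZE)
        return PKT_TOO_LARGE;

    uint8_t padding = buf[4];
    /* packet_length counts the padding_length byte, the payload and the
     * padding; RFC 4253 demands at least 4 bytes of padding. */
    if (len < 1 + 4 || padding < 4 || (uint32_t)padding + 1 > len)
        return PKT_MALFORMED;

    /* Without the MAC, the 4 + packet_length bytes on the wire must be a
     * multiple of the block size; 8 is the minimum the RFC allows. */
    if ((4 + len) % 8 != 0)
        return PKT_MALFORMED;

    return PKT_OK;
}

/* Build a 5-byte header for a payload of payload_len bytes with the smallest
 * RFC-compliant padding. Returns the packet_length value written. Used here
 * only to construct sample input. */
uint32_t build_header(uint8_t out[5], uint32_t payload_len)
{
    uint32_t total = 4 + 1 + payload_len;          /* length field + padding_length + payload */
    uint8_t padding = (uint8_t)(8 - (total % 8));  /* pad to a multiple of 8 */
    if (padding < 4)
        padding += 8;                              /* never less than 4 bytes */
    uint32_t len = 1 + payload_len + padding;
    out[0] = (uint8_t)(len >> 24);
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    out[4] = padding;
    return len;
}

int main(void)
{
    uint8_t hdr[5];
    uint32_t len;

    /* Constructed sample: a small userauth-sized payload passes. */
    build_header(hdr, 16);
    printf("16-byte payload  -> result %d (len %u)\n",
           check_packet_header(hdr, sizeof hdr, &len), len);

    /* Constructed sample: a payload above 256KB is rejected before buffering. */
    build_header(hdr, 300000);
    printf("300000-byte payload -> result %d (len %u)\n",
           check_packet_header(hdr, sizeof hdr, &len), len);
    return 0;
}
```

The check belongs at the very front of the receive path, before the payload is read or any string inside it is parsed; once the length field is bounded, every downstream parser can rely on that bound.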
