Some revelations about ssh and stackpatch

From: M.C.Mar (woloszynat_private)
Date: Mon Nov 02 1998 - 07:55:57 PST


    Hi!
    
    Over two months ago I found that ssh uses argv[0] (if different from ssh)
    as a hostname. (Nothing relevant, huh? ;)
    1st question: is it good?
    2nd question: is it normal?
    
    Look at this piece of sshd code:
    void sighup_restart(void)
    {
      log_msg("Received SIGHUP; restarting.");
      close(listen_sock);
      execvp(saved_argv[0], saved_argv);
      log_msg("RESTART FAILED: av[0]='%s', error: %s.",
          saved_argv[0], strerror(errno));
      exit(1);
    }
    
    Seems sshd does something similar.
    Cool, huh?
    As we read in the IBM advisory, log_msg just uses vsprintf to copy parsed data
    to a fixed 1024-byte buffer.
    So I tried:
    execl("/path_to_sshd/sshd","AAAAAA....[about 2000]",0);
    'Cos I have stackpatch applied, I saw something very strange in my
    logs:
    Nov  2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Server listening on port 22.
    Nov  2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Generating 768 bit RSA key.
    Nov  2 16:29:53 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: RSA key generation complete.
    
    I did it as the mcmar user, so I tried to log on as mcmar:
    
    Nov  2 16:36:46 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Connection from 127.0.0.1 port 1016
    Nov  2 16:36:47 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Password authentication for mcmar accepted.
    
    And it did work.
    
    Nov  2 16:36:54 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Closing connection to 127.0.0.1
    
    So I logged out :)
    'Cos sshd does not segfault I'm not sure what happened, but I see that
    there was a "BUFFER OVERRUN ATTEMPT". Also I have no idea WHEN my argv[0]
    changed; likewise, sending SIGHUP does nothing more than this:
    
    Nov  2 16:45:04 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Received SIGHUP; restarting
    
    I know that lookin' fer a remote sshd exploit is much more fascinating, but
    I'm lookin' for something else...
    
    --
    ___________________________________________________________________________
    M.C.Mar   An NT server can be run by an idiot, and usually is.   emsiat_private
          "If you can't make it good, make it LOOK good." - Bill Gates
      Maybe this isn't the place, but, for example, M$ programs are veritable monuments to stupidity.
    
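The overflow condition the post describes, worked through as an added example (this is not sshd's code and not the author's): a logger that does vsprintf into a fixed 1024-byte buffer beside a vsnprintf form that bounds the write, fed the same "RESTART FAILED: av[0]='%s', error: %s." message with an av[0] of 2000 'A's as in the post. The helper names (log_msg_unsafe, log_msg_safe, restart_msg_len, demo_*), the constructed av[0] strings, and the fixed error text in place of strerror() are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed log buffer size named in the post (1024 bytes). */
#define LOG_BUF 1024

/* Shape of the vulnerable pattern the post describes: vsprintf into a fixed
 * buffer with no bound. Deliberately never called here; with a 2000-byte
 * av[0] it writes past the end of buf. */
void log_msg_unsafe(const char *fmt, ...)
{
    char buf[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);          /* unbounded: sizeof buf is never consulted */
    va_end(ap);
    fputs(buf, stderr);
}

/* Hardened form: vsnprintf bounds the write and reports truncation.
 * Returns the number of bytes stored in out (excluding the NUL), or -1 on error. */
int log_msg_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? (int)(outlen - 1) : n;   /* truncated to fit */
}

/* Bytes (excluding NUL) the RESTART FAILED message needs for a given av[0]. */
size_t restart_msg_len(const char *av0, const char *err)
{
    int n = snprintf(NULL, 0, "RESTART FAILED: av[0]='%s', error: %s.", av0, err);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if formatting that message into a LOG_BUF-byte buffer would overflow it. */
int restart_msg_overflows(const char *av0, const char *err)
{
    return restart_msg_len(av0, err) + 1 > LOG_BUF;
}

/* Constructed input: an av[0] of n 'A's, as in the post's execl() call. Caller frees. */
static char *make_av0(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Assumed fixed error text so results do not depend on the platform's strerror(). */
static const char *ERR_TEXT = "No such file or directory";

/* Needed length of the message for an av[0] of av0_len 'A's. */
size_t demo_needed_len(size_t av0_len)
{
    char *av0 = make_av0(av0_len);
    size_t n = av0 ? restart_msg_len(av0, ERR_TEXT) : 0;
    free(av0);
    return n;
}

/* 1 if that av[0] would overflow the 1024-byte log buffer. */
int demo_overflows(size_t av0_len)
{
    char *av0 = make_av0(av0_len);
    int r = av0 ? restart_msg_overflows(av0, ERR_TEXT) : 0;
    free(av0);
    return r;
}

/* Bytes actually stored by the hardened logger for that av[0]. */
int demo_safe_log(size_t av0_len)
{
    char buf[LOG_BUF];
    char *av0 = make_av0(av0_len);
    int n;
    if (!av0)
        return -1;
    n = log_msg_safe(buf, sizeof buf, "RESTART FAILED: av[0]='%s', error: %s.", av0, ERR_TEXT);
    free(av0);
    return n;
}

int main(void)
{
    printf("2000-byte av[0]: needs %zu bytes, overflows=%d, safe logger stored %d\n",
           demo_needed_len(2000), demo_overflows(2000), demo_safe_log(2000));
    printf("20-byte av[0]:   needs %zu bytes, overflows=%d, safe logger stored %d\n",
           demo_needed_len(20), demo_overflows(20), demo_safe_log(20));
    return 0;
}
```

The fixed parts of the format ("RESTART FAILED: av[0]='", "', error: ", the error text and the final period) cost 59 bytes with the assumed error string, so any av[0] longer than 964 bytes pushes the message plus its NUL past 1024 and the vsprintf form writes out of bounds; the vsnprintf form stores at most 1023 bytes and reports that it truncated. Note that neither form fixes the other issue in the post: a process that execvp()s saved_argv[0] trusts whatever argv[0] it was started with.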



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:42 PDT