Hi!

Over two months ago I found that ssh uses argv[0] (if different than ssh) as a hostname. (Nothing relevant, huh? ;) 1st question: is it good? 2nd question: is it normal?

Look at this piece of sshd code:

    void sighup_restart(void)
    {
        log_msg("Received SIGHUP; restarting.");
        close(listen_sock);
        execvp(saved_argv[0], saved_argv);
        log_msg("RESTART FAILED: av[0]='%s', error: %s.",
                saved_argv[0], strerror(errno));
        exit(1);
    }

Seems sshd does something similar. Cool, huh? As we read in the IBM advisory, log_msg just uses vsprintf to copy parsed data to a fixed 1024-byte-length buffer. So I tried:

    execl("/path_to_sshd/sshd", "AAAAAA....[about 2000]", (char *)0);

'Cos I have stackpatch applied I saw something very strange in my logs:

    Nov 2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Server listening on port 22.
    Nov 2 16:29:52 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Generating 768 bit RSA key.
    Nov 2 16:29:53 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: RSA key generation complete.

I did it as mcmar user so I tried to log on as mcmar:

    Nov 2 16:36:46 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Connection from 127.0.0.1 port 1016
    Nov 2 16:36:47 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Password authentication for mcmar accepted.

And it did work.

    Nov 2 16:36:54 emsi <BUFFER OVERRUN ATTEMPT>[21762]: log: Closing connection to 127.0.0.1

So I logged out :)

'Cos sshd does not segfault I'm not sure what happened, but I see that there was "BUFFER OVERRUN ATTEMPT". Also I have no idea WHEN my argv[0] has changed, and sending SIGHUP does nothing more than this:

    Nov 2 16:45:04 emsi <BUFFER OVERRUN ATTEMPT>[21738]: log: Received SIGHUP; restarting

I know that lookin' fer remote sshd exploit is much more fascinating, but I'm lookin' for something else...

-- 
___________________________________________________________________________
M.C.Mar                  An NT server can be run by an idiot, and usually is.
emsiat_private           "If you can't make it good, make it LOOK good."
                                                             - Bill Gates
This may not be the place for it, but, for example, M$ programs are veritable monuments to stupidity.
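As an added example (not code from the post, the IBM advisory, or sshd itself): the fix for a vsprintf-into-fixed-buffer log routine like the log_msg described above is to format with vsnprintf and treat truncation as a reportable condition, and to be able to check up front whether an untrusted argument such as argv[0] would exceed the buffer. The 1024-byte size is taken from the post; the function names and the 2000-byte sample argv[0] are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed buffer size the post attributes to sshd's log_msg (assumption). */
#define LOG_BUF_SIZE 1024

/* Hardened stand-in for a vsprintf-based log_msg. vsnprintf never writes
 * past out_size, so an oversized argument is truncated rather than
 * overrunning the stack. Returns 1 if truncation happened, 0 if not,
 * -1 on a formatting error (out is then an empty string). */
int format_log_msg(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return -1; }
    return (size_t)needed >= out_size;
}

/* Tells whether a message would have exceeded the original 1024-byte buffer
 * (including the terminating NUL) without writing anywhere: vsnprintf with
 * a NULL buffer and size 0 only computes the required length. Useful as a
 * pre-check before logging caller-controlled data such as argv[0]. */
int would_overrun(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return needed >= 0 && (size_t)needed + 1 > LOG_BUF_SIZE;
}

int main(void)
{
    /* Constructed stand-in for the ~2000-byte argv[0] from the post. */
    char long_av0[2000];
    memset(long_av0, 'A', sizeof(long_av0) - 1);
    long_av0[sizeof(long_av0) - 1] = '\0';

    const char *fmt = "RESTART FAILED: av[0]='%s', error: %s.";
    char buf[LOG_BUF_SIZE];
    int truncated = format_log_msg(buf, sizeof buf, fmt, long_av0, "No such file");
    printf("would_overrun=%d truncated=%d stored_len=%zu\n",
           would_overrun(fmt, long_av0, "No such file"), truncated, strlen(buf));
    return 0;
}
```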
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:42 PDT