Re: Some revelations about ssh and stackpatch

From: Alan J Rosenthal (flapsat_private)
Date: Tue Nov 03 1998 - 13:20:15 PST


    >Look at this piece of sshd code:
    ...
    >  log_msg("RESTART FAILED: av[0]='%s', error: %s.",
    >       saved_argv[0], strerror(errno));
    ...
    >As we read in IBM advisory log_msg just uses vsprintf to copy parsed data
    >to fixed 1024 bytes length buffer.
    >So I tried:
    >execl("/path_to_sshd/sshd","AAAAAA....[about 2000]",0);
    
    To sighup an sshd running as root, you need to be root already.
    Your execl will not invoke sshd with any privileges you don't already have
    from your own account.  Unless someone stupidly made sshd setuid root
    (different than ssh, which arguably *should* be setuid root).
    
    On the other hand, if sshd is run in the first place with an argv[0] of
    length 2000, then you might be able to get somewhere.  But I seriously doubt
    that /etc/rc.local or /etc/init.d/sshd or whatever is written to do this on
    your system.
    
    Buffer overflow bugs don't, in general, lead to exploits.  They only do if
    the program in which you can induce an appropriate buffer overflow is running
    with a privilege greater than you already possess.  Usually this is because
    it's a process on a machine on which you don't have an account (e.g. network
    services), a process already running as root, or a program which is setuid
    root.  If you can invoke a program only with a privilege you already have, you
    won't gain anything by making it execute code of your own choosing.  You could
    have run your code (that which you run via a buffer overflow) directly.
    
    
    On another ssh matter in the same message,
    
    >Over two months ago I found that ssh uses argv[0] (if different than ssh)
    >as a hostname. (Nothing relevant huh? ;)
    >1st question: is it good?
    
    In my opinion, it's stupid, BUT:
    
    >2nd question: is it normal?
    
    Rlogin and rsh do this, so to be a drop-in replacement for rlogin/rsh,
    ssh has to do this too, arguably.
    
    (Incidentally, slogin is also an exception to treating argv[0] as the
    hostname, as are rsh and rlogin in case you've named it that for
    drop-in-replacement reasons, and so is remsh even (the name the SysV people
    originally gave to bsd rsh because rsh already meant restricted shell in SysV).)
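
The quoted advisory describes log_msg formatting into a fixed 1024-byte buffer with vsprintf. The following is an added illustration, not code from this thread or from sshd: log_msg_unbounded reconstructs the described pattern (names and structure are assumptions), and log_msg_bounded is the hardened form, using vsnprintf so the write is capped at the buffer size and the caller learns whether the message was truncated. demo_restart_failed builds the RESTART FAILED line from the message with a constructed 2000-byte argv[0].

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024

/* Pattern the advisory describes (reconstruction for illustration, not
 * sshd's actual source): format into a fixed buffer with no bound.  An
 * argv[0] of about 2000 bytes overruns msg.  Kept only for comparison;
 * nothing below calls it. */
void log_msg_unbounded(const char *fmt, ...)
{
    char msg[LOG_BUF_SIZE];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);          /* no length limit: can overflow msg */
    va_end(ap);
    fputs(msg, stderr);
    fputc('\n', stderr);
}

/* Hardened form: vsnprintf never writes past out_size and returns the
 * length the full message would have had, so truncation is detectable.
 * Returns 1 if the message was truncated or could not be formatted,
 * 0 if it fit completely. */
int log_msg_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);

    if (needed < 0) {                /* encoding error: emit nothing rather than garbage */
        out[0] = '\0';
        return 1;
    }
    return (size_t)needed >= out_size;
}

/* Formats the restart-failure line with a constructed 2000-byte argv[0]
 * into a caller-supplied buffer and reports whether it was truncated. */
int demo_restart_failed(char *out, size_t out_size)
{
    char long_argv0[2001];           /* constructed sample: 2000 'A's */

    memset(long_argv0, 'A', sizeof(long_argv0) - 1);
    long_argv0[sizeof(long_argv0) - 1] = '\0';

    return log_msg_bounded(out, out_size,
                           "RESTART FAILED: av[0]='%s', error: %s.",
                           long_argv0, strerror(ENOENT));
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    int truncated = demo_restart_failed(buf, sizeof(buf));

    printf("truncated=%d, stored %zu bytes\n", truncated, strlen(buf));
    return 0;
}
```

With a 1024-byte buffer the 2000-byte argv[0] is cut at 1023 characters plus the terminator, and the return value tells the caller the log line is incomplete; the unbounded version would instead write roughly a kilobyte past the end of msg.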
    


