Re: Security Advisory: Buffer overflow in RSAREF2

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Thu Dec 02 1999 - 11:50:46 PST

Next message: Doug Monroe: "Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise"

Previous message: Aleph One: "Microsoft Security Bulletin (MS99-053)"
Maybe in reply to: Gerardo Richarte: "Security Advisory: Buffer overflow in RSAREF2"
Next in thread: Niels Provos: "Re: Security Advisory: Buffer overflow in RSAREF2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gerardo Richarte wrote:
>
> While researching the exploitability of a buffer overflow in
> SSH up to version 1.2.27, we discovered a second buffer overflow
> in the implmementation of the RSA algorithm in RSAREF2 from
> RSA Data Security.

	To make this clear: in combination with the buffer overflow in rsaglue.c this makes possible to get
a remote shell on a machine running sshd AND it also makes possible to use a reverse exploit to gain access on
clients' machines, using malicious sshd.

	richie

PS: We are studding the possibility of using this buffer overflow alone, not in combination with rsaglue.c. What will make it possible to exploit it on patched ssh and sshd, and probably in OpenSSH
--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera@core-sdi.com

Next message: Doug Monroe: "Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise"
Previous message: Aleph One: "Microsoft Security Bulletin (MS99-053)"
Maybe in reply to: Gerardo Richarte: "Security Advisory: Buffer overflow in RSAREF2"
Next in thread: Niels Provos: "Re: Security Advisory: Buffer overflow in RSAREF2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:33 PDT