Jarek Kutylowski wrote: > > I have now worked on the ssh-1.2.27 rsaref buffer overflow and consider > ssh now as quite immune. It is of course possible to crash sshd, but > a real attack is, in my opinion, impossible. > Doing an overflow we must provide a buffer of 136 bytes length (the > input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes > for the EIP). Everything works fine until we reach the RSAPrivateDecrypt > function in rsaref. This function checks the variable input_len, which > is the length of the buffer (in our case it is minimum 136) against > the variable modulus_len, which is 128. When this check fails (and it > does), RSAPrivateDecrypt returns error, causing sshd to fall into > a fatal error. That's right, but you can also overflow the rsa_private_decrypt's arguments: void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key) { unsigned char input_data[MAX_RSA_MODULUS_LEN]; unsigned char output_data[MAX_RSA_MODULUS_LEN]; unsigned int input_len, output_len, input_bits; R_RSA_PRIVATE_KEY private_key; key points to a RSAPrivateKey structure who has the modulus_len value. So, to make the exploit work you have to overflow this pointer to a new key with the correct modulus_len so the check you pointed before does not return error. You can't put the fake key into the buffer 'cause it's too short, so you have to find another place to put it in. That place is the incoming_packet.buf variable. There you have 4kb (if i remember well) to store whaterver you want. Actually the exploits sends the fake key and the shell code after the crypted data. The first overflow makes key point to the fake key into incoming_packet.buf and the second one in NN_Decode() overflows RSAPrivateDecrypt()'s return address to point into incoming_packet.buf whereis the shell_code. > > If you have any other suggestions, I'd like to hear them. > -- ==============================[ CORE Seguridad de la Informacion S.A. ]======= Alberto Soliņo WWW :www.core-sdi.com Consultor Email :asolino@core-sdi.com Pte. Juan D. Peron 315 4p UF 17 TE : +54-11-4331-5409 CP 1038 Capital Federal FAX : +54-11-4331-5402 Buenos Aires, Argentina ============================================================================== --- For a personal reply use asolino@core-sdi.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:22 PDT