Re: ssh-1.2.27 exploit

From: Beto (core.lists.bugtraq@CORE-SDI.COM)
Date: Wed Dec 15 1999 - 13:30:28 PST

Next message: luciano: "Infoseek Ultraseek Remote Buffer Overflow"

Previous message: Wakko Ellington Warner-Warner III: "Oops, my apologies."
Maybe in reply to: Jarek Kutylowski: "ssh-1.2.27 exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jarek Kutylowski wrote:
> 
> I have now worked on the ssh-1.2.27 rsaref buffer overflow and consider
> ssh now as quite immune. It is of course possible to crash sshd, but
> a real attack is, in my opinion, impossible.
> Doing an overflow we must provide a buffer of 136 bytes length (the
> input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes
> for the EIP). Everything works fine until we reach the RSAPrivateDecrypt
> function in rsaref. This function checks the variable input_len, which
> is the length of the buffer (in our case it is minimum 136) against
> the variable modulus_len, which is 128. When this check fails (and it
> does), RSAPrivateDecrypt returns error, causing sshd to fall into
> a fatal error.

That's right, but you can also overflow the rsa_private_decrypt's
arguments:

void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey
*key)
{
  unsigned char input_data[MAX_RSA_MODULUS_LEN];
  unsigned char output_data[MAX_RSA_MODULUS_LEN];
  unsigned int input_len, output_len, input_bits;
  R_RSA_PRIVATE_KEY private_key;

key points to a RSAPrivateKey structure who has the modulus_len value.
So, to make the exploit work you have to overflow this pointer to a new
key with the correct modulus_len so the check you pointed before does
not return error. 
You can't put the fake key into the buffer 'cause it's too short, so you
have to find another place to put it in. That place is the
incoming_packet.buf variable. There you have 4kb (if i remember well) to
store whaterver you want. Actually the exploits sends the fake key and
the shell code after the crypted data. The first overflow makes key
point to the fake key into incoming_packet.buf and the second one in
NN_Decode() overflows RSAPrivateDecrypt()'s return address to point into 
incoming_packet.buf whereis the shell_code.

> 
> If you have any other suggestions, I'd like to hear them.
> 

-- 

==============================[ CORE Seguridad de la Informacion S.A.
]=======
Alberto Soliño                                  WWW      
:www.core-sdi.com
Consultor                                       Email    
:asolino@core-sdi.com
Pte. Juan D. Peron 315 4p UF 17                 TE        :
+54-11-4331-5409
CP 1038 Capital Federal                         FAX       :
+54-11-4331-5402
Buenos Aires, Argentina
==============================================================================

--- For a personal reply use asolino@core-sdi.com

Next message: luciano: "Infoseek Ultraseek Remote Buffer Overflow"
Previous message: Wakko Ellington Warner-Warner III: "Oops, my apologies."
Maybe in reply to: Jarek Kutylowski: "ssh-1.2.27 exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:22 PDT