Re: [VulnWatch] exploiting the zlib bug in openssh

From: Michal Zalewski (lcamtufat_private)
Date: Tue Mar 12 2002 - 09:12:51 PST


    On Tue, 12 Mar 2002, H D Moore wrote:
    
    > I patched the OpenSSH client to send this corrupt zlib buffer after the
    > key exchange, the inflate() call on the remote end is returning the
    > correct value indicating that the buffer did what it was supposed to
    > (Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the
    > fatal_cleanup() and inflateEnd() calls.  Taking the same buffer and
    > sticking it into the inflate() call of another application causes the
    > desired SEGV and possible path to exploitability, so why isn't OpenSSH
    > crashing?
    
    I think I researched this problem a few months ago. I found this condition
    while performing fuzz-like tests on zlib, thinking specifically about one
    of the SSH implementations. The problem with exploiting it in OpenSSH is
    that the checks are strict enough to exit almost immediately after the
    first inflate() call returns an error - while the bug needed a second
    inflate() call or an inflateEnd() call to be exploited (I don't remember
    exactly). One way or another, I found this not exploitable and gave up on
    this bug.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
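The design point in Zalewski's reply is that OpenSSH's strictness (abort on the first inflate() error, never make a follow-up call on the same stream) is what keeps a bug that needs a second inflate() or inflateEnd() out of reach. The following is an added example, not code from the thread or from OpenSSH or zlib: a small fail-closed packet decompressor in Python that keeps one zlib stream across packets (SSH-style, with Z_SYNC_FLUSH between packets), marks the stream dead on the first zlib.error and refuses any further use of its state. The packet contents and the corrupt chunk (`\xff` bytes, whose low bits encode the reserved deflate block type 0b11) are constructed for the demo; Python's zlib module frees the native inflate state itself, so this illustrates the policy rather than the exact C calls.

```python
import zlib


class PacketDecompressor:
    """One zlib inflate stream shared across packets, fail-closed on error.

    After the first zlib.error the object is considered dead: the native
    state is dropped and every later call is refused, so nothing can make a
    second inflate()-style call on a stream that has already reported failure.
    """

    def __init__(self):
        self._z = zlib.decompressobj()
        self.dead = False

    def inflate(self, chunk: bytes) -> bytes:
        if self.dead:
            raise RuntimeError("decompressor already failed; refusing to reuse state")
        try:
            return self._z.decompress(chunk)
        except zlib.error:
            # Fail closed: forget the stream state before re-raising so that no
            # caller can touch it again (no retry, no second decompress call).
            self.dead = True
            self._z = None
            raise


def run_demo():
    """Feed two good packets and one corrupt chunk; return what happened."""
    comp = zlib.compressobj()
    # SSH keeps a single compression stream and flushes after each packet.
    pkt1 = comp.compress(b"packet one") + comp.flush(zlib.Z_SYNC_FLUSH)
    pkt2 = comp.compress(b"packet two") + comp.flush(zlib.Z_SYNC_FLUSH)
    # Constructed corrupt chunk (hypothetical input): 0xff starts a block whose
    # BTYPE bits are 11, the reserved type, so inflate reports a data error.
    bad = b"\xff" * 8

    dec = PacketDecompressor()
    out1 = dec.inflate(pkt1)

    first_error = None
    try:
        dec.inflate(bad)
    except zlib.error as exc:
        first_error = str(exc)

    # The next legitimate packet must be refused: the stream is dead.
    refused = False
    try:
        dec.inflate(pkt2)
    except RuntimeError:
        refused = True

    return {
        "out1": out1,
        "first_error": first_error,
        "dead": dec.dead,
        "refused": refused,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The contrast with a lenient implementation is the second half of run_demo(): a decoder that logged the error and kept feeding packets into the same stream would be making exactly the follow-up call that Zalewski says the bug depended on.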
    



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 15:22:29 PST