[Fwd: sshd ioctl bug?]

From: Gabriel A. Maggiotti (gmaggiotat_private)
Date: Fri Feb 22 2002 - 08:08:07 PST


    
    

    attached mail follows:


    "Gabriel A. Maggiotti" wrote:
    > ------------------------------------------------------------------------
    > ---------------------------------------------------------------------------
    > Web: http://qb0x.net                     Author: Gabriel A. Maggiotti
    > Date: February 03, 2002                  E-mail: gmaggiotat_private
    > ---------------------------------------------------------------------------
    >
    > I have recently found a new bug in sshd daemons, I tested successfully
    > these versions:
    >
    > - SSH-1.99-OpenSSH_2.1.1
    > - SSH-1.99-OpenSSH_2.9p2
    > - SSH-1.99-OpenSSH_3.0p1
    >
    > If you send a longer string, this occurs:
    >
    > perl -e 'printf "A"x111100' >a
    > telnet host 22 < a
    >
    > <quote>
    > Escape character is '^]'.
    > SSH-1.99-OpenSSH_2.9p2
    > pluto.net: Inappropriate ioctl for device
    > Protocol mismatch.
    > Connection closed by foreign host.
    > </quote>
    >
    > I tested and if the string is smaller than 16384 nothing occurs, see:
    >
    > <quote>
    >
    > [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
    > [root@pluto openssh-2.9p2]# telnet pluto 22 <a
    > Trying 192.168.0.2...
    > Connected to pluto.net.
    > Escape character is '^]'.
    > SSH-1.99-OpenSSH_2.9p2
    > pluto.net: Inappropriate ioctl for device
    > Protocol mismatch.
    >
    > </quote>
    >
    > and if it is just 16384...
    >
    > <quote>
    >
    > [root@pluto openssh-2.9p2]# perl -e 'printf "A"x16384' >a
    > [root@pluto openssh-2.9p2]# telnet pluto 22 <a
    > Trying 192.168.0.2...
    > Connected to pluto.net.
    > Escape character is '^]'.
    > pluto.net: Inappropriate ioctl for device
    > SSH-1.99-OpenSSH_2.9p2
    > Protocol mismatch.
    > Connection closed by foreign host.
    >
    > </quote>
    >
    > Is this a real security problem?
    >
    > ---------------------------------------------------------------------------
    > research-listiat_private is dedicated to interactively researching
    > vulnerabilities, report potential or undeveloped holes in any kind of
    > computer system.
    > To subscribe to research-listat_private t send a blank email to
    > research-list-subscribeat_private More help available sending an email
    > to research-list-helpat_private
    > Note: the list doesn't allow html, it will be stripped from messages.
    > ---------------------------------------------------------------------------

    I made a big mistake: the ioctl error wasn't an sshd error, the telnet
    client does it. I proved it with nc and nothing occurs, sorry.

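The correction above attributes the "Inappropriate ioctl for device" line to the telnet client rather than to sshd. The following is an added example, not part of the original post: it assumes the message is the client's own terminal query failing with ENOTTY because its standard input was redirected from a file, and reproduces that locally with no network connection. The function names `tty_probe_errno` and `probe_pipe` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Ask the kernel for terminal attributes on fd, as an interactive
 * client does before switching its input to character mode.
 * Returns 0 when fd is a terminal, otherwise the errno reported. */
int tty_probe_errno(int fd)
{
    struct termios t;

    if (tcgetattr(fd, &t) == 0)
        return 0;
    return errno;
}

/* Probe the read end of a pipe. This stands in for a client whose
 * stdin is not a terminal, as in "telnet host 22 < a" (assumption). */
int probe_pipe(void)
{
    int p[2];
    int e;

    if (pipe(p) != 0)
        return -1;
    e = tty_probe_errno(p[0]);
    close(p[0]);
    close(p[1]);
    return e;
}

int main(void)
{
    int e = tty_probe_errno(STDIN_FILENO);

    /* Run once from a terminal and once with "< somefile" to compare. */
    printf("stdin: %s\n", e ? strerror(e) : "is a terminal");
    printf("pipe:  %s\n", strerror(probe_pipe()));
    return 0;
}
```

When triaging a report like this one, repeating the test with a client that never touches the terminal, as the poster did with nc, separates client-side messages from server output.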


    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 09:16:03 PST