[Full-Disclosure] openssh remote exploit
Darren Reed
avalon at caligula.anu.edu.au
Tue Sep 16 02:47:39 BST 2003
In some mail from auto64746 at hushmail.com, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Can you see the 2 bugs in this code? It seems to me that Theo could
> not. I am of the understanding that there are exploits working on this in
> the wild. 3 remote holes in the default install now!
Well, I can see at least one bug but it's not security related:
If "Buffer->alloc == X" (but offset == end == 0) and "len == X" then
it allocates an extra "X + 32k" bytes rather than filling the existing
buffer exactly. That, however wasteful, may be part of the design as
it is hard to judge it alone like that.
Maybe if you can see others you'll highlight them?
Darren
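The allocation case Darren describes above, worked through as an added illustration (this is not the OpenSSH code under discussion and not part of the original mail). The model assumes the buffer keeps alloc/offset/end fields as named in the mail, that "fits" is decided by comparing end + len against alloc, and that a non-fitting append grows the buffer by len + 32768; the strict "<" form is the assumed cause of the extra "X + 32k" allocation, and the "<=" form is shown beside it for comparison.

```c
/* Added illustration, not OpenSSH code: a minimal model of the growth
 * arithmetic described in the mail. Field names follow the mail; the
 * fits-test and the 32768-byte growth step are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct buf {
    unsigned char *data;
    unsigned int alloc;   /* bytes currently allocated for data */
    unsigned int offset;  /* start of unread data */
    unsigned int end;     /* one past the last byte written */
};

#define GROW_SLACK 32768u

/* Reserve len bytes at the end of b and return the resulting alloc.
 * strict_fit == 1 uses "end + len < alloc" as the fits-test (the form that
 * yields the extra allocation in the X == len case); 0 uses "<=". */
static unsigned int append_space(struct buf *b, unsigned int len, int strict_fit)
{
    if (b->offset == b->end)          /* buffer fully drained: reuse from 0 */
        b->offset = b->end = 0;

    for (;;) {
        int fits = strict_fit ? (b->end + len < b->alloc)
                              : (b->end + len <= b->alloc);
        if (fits) {
            b->end += len;
            return b->alloc;
        }
        if (b->offset > b->alloc / 2) { /* compact: slide unread data to front */
            memmove(b->data, b->data + b->offset, b->end - b->offset);
            b->end -= b->offset;
            b->offset = 0;
            continue;
        }
        /* Grow by the requested length plus a fixed slack and retry. */
        unsigned int newalloc = b->alloc + len + GROW_SLACK;
        unsigned char *p = realloc(b->data, newalloc);
        if (p == NULL) {
            perror("realloc");
            exit(1);
        }
        b->data = p;
        b->alloc = newalloc;
    }
}

/* Darren's case: alloc == X, offset == end == 0, then append X bytes.
 * Returns the alloc after the append. */
unsigned int alloc_after_exact_fit(unsigned int x, int strict_fit)
{
    struct buf b;
    b.data = calloc(x ? x : 1, 1);
    if (b.data == NULL) {
        perror("calloc");
        exit(1);
    }
    b.alloc = x;
    b.offset = 0;
    b.end = 0;
    unsigned int after = append_space(&b, x, strict_fit);
    free(b.data);
    return after;
}

int main(void)
{
    unsigned int x = 1024;
    printf("X = %u, strict '<' : alloc becomes %u\n", x, alloc_after_exact_fit(x, 1));
    printf("X = %u, '<='       : alloc becomes %u\n", x, alloc_after_exact_fit(x, 0));
    return 0;
}
```

With the strict comparison an empty buffer of exactly X bytes is reallocated to 2X + 32768 for an X-byte append even though the existing allocation would hold it; with "<=" the append is placed in the existing buffer and alloc stays at X. Either way the data is written within the allocation, which is why this is a waste-of-memory observation rather than a memory-safety one.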
Full-Disclosure is hosted and sponsored by Secunia.