To: lsh-bugs@lists.lysator.liu.se
Cc: Bennett Todd <bet@rahul.net>, Simon Josefsson <jas@extundo.com>
Subject: lshd buffer overrun. Possibly remote root compromise.
References: <20030918145022.GB20812@rahul.net>
	<ilu8yomqbll.fsf@latte.josefsson.org>
From: nisse@lysator.liu.se (Niels Möller)
Date: 18 Sep 2003 22:29:03 +0200
In-Reply-To: <ilu8yomqbll.fsf@latte.josefsson.org>
Message-ID: <nnhe39g7sg.fsf_-_@sellafield.lysator.liu.se>
Summary: PLEASE DISABLE LSHD SERVICE. Apply below patch.

Simon Josefsson <jas@extundo.com> writes:

> FWIW, I can reproduce it:
>
> lshd: write_buffer: do_write length = 256
> lshd: write_buffer: do_write closure->length = 293
> lshd: garbage collecting...
> lshd: gc_mark: Memory corrupted!
> Aborted
>
> I think it has nothing to do with the actual bits sent, but rather
> that some earlier random data caused the code to take a rarely tested
> execution path, which has garbage collect bugs in it, which is
> discovered a while later.

I'm afraid it's worse than that. It seems to be a genuine buffer
overrun, on the heap. It's the buffer in read_line.c,

/* GABA:
   (class
     (name read_line)
     (super read_handler)
     (vars
       (handler object line_handler)
       (e object exception_handler)
       ; Line buffer
       (pos . uint32_t)
       (buffer array uint8_t MAX_LINE)))
*/

The below patch should fix the bug. It's a case of checking for an
error, reporting it, and then forgetting to return from the function.
Instead the code just went on overwriting the buffer. Pretty
embarrassing.

diff -u -a -r1.31 read_line.c
--- src/read_line.c	16 Feb 2003 21:30:11 -0000	1.31
+++ src/read_line.c	18 Sep 2003 20:02:48 -0000
@@ -100,6 +100,7 @@
       /* Too long line */
       EXCEPTION_RAISE(self->e,
 		      make_protocol_exception(0, "Line too long."));
+      return available;
     }
   /* Ok, now we have a line. Copy it into the buffer. */

The buggy code was checked in a little more than four years ago,
1999-08-22, at about this time of day. I'm *not* going to bet that it
isn't exploitable.

I'll try to get new releases out within a few days. Until then, I
recommend that you apply the above patch to lshd and recompile, or
disable lshd service.

Thanks to Bennett Todd for reporting the problem. Sorry about the
trouble.

Regards,
/Niels
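Review bot: the added `return available;` after the "Line too long." `EXCEPTION_RAISE` closes the fall-through into the copy, but the copy that follows `/* Ok, now we have a line. Copy it into the buffer. */` still relies on control never reaching it with an unchecked length, which is exactly the one-missing-statement shape of this bug; consider moving the copy into the `else` branch of the length check, or placing an `assert(length + self->pos <= MAX_LINE)` immediately before it, so that any future edit that again drops the return fails loudly instead of silently overrunning `buffer`. A one-line comment on the new return saying that the remaining input in `available` is deliberately discarded once the protocol exception has been raised would also help the next reader.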
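The "report the error, then forget to return" pattern Niels describes, as an added example that is not lsh's read_line.c: a small bounds-checked line reader in C modelled on the control flow of the patched function, with self-checks on constructed input. MAX_LINE, the struct layout and all function names (line_reader_feed, feed_string, the check_* helpers) are assumptions made for illustration; the comment in the second length check marks where the original fell through to the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the read_line bug: MAX_LINE, the struct layout and
 * every function name here are assumptions, not lsh's own definitions. */
#define MAX_LINE 32

enum line_status { LINE_INCOMPLETE = 0, LINE_READY = 1, LINE_TOO_LONG = 2 };
struct line_reader {
    uint32_t pos;               /* bytes of a partial line buffered so far */
    uint8_t buffer[MAX_LINE];   /* fixed-size line buffer, as in read_line.c */
    enum line_status status;    /* outcome of the most recent feed */
};

static void line_reader_init(struct line_reader *self) { memset(self, 0, sizeof *self); }

/* Feed one chunk; returns the number of bytes consumed. Every "too long" branch
 * returns before the copy, so memcpy only runs with a length that passed the check. */
static uint32_t line_reader_feed(struct line_reader *self,
                                 const uint8_t *data, uint32_t available)
{
    const uint8_t *eol = memchr(data, '\n', available);
    uint32_t length;
    if (!eol) {   /* no newline yet: the whole chunk must fit beside the buffered part */
        if ((uint64_t)self->pos + available > MAX_LINE) {
            self->status = LINE_TOO_LONG;
            return available;       /* error reported, nothing copied */
        }
        memcpy(self->buffer + self->pos, data, available);
        self->pos += available;
        self->status = LINE_INCOMPLETE;
        return available;
    }

    length = (uint32_t)(eol - data);
    if (length && data[length - 1] == '\r')   /* strip a trailing CR */
        length--;

    if ((uint64_t)self->pos + length > MAX_LINE) {
        self->status = LINE_TOO_LONG;
        /* The 2003 defect was the absence of this return: the error was raised,
         * then control fell through to the memcpy below with an oversize length. */
        return available;
    }

    /* Ok, now we have a line. Copy it into the buffer. */
    memcpy(self->buffer + self->pos, data, length);
    self->pos += length;
    self->status = LINE_READY;
    return (uint32_t)(eol - data) + 1;        /* the newline is consumed too */
}

/* Convenience wrapper for NUL-terminated input strings. */
static enum line_status feed_string(struct line_reader *self, const char *s)
{
    line_reader_feed(self, (const uint8_t *)s, (uint32_t)strlen(s));
    return self->status;
}

/* Self-checks on constructed input; each returns 1 when the reader behaves. */
static int check_short_line(void)
{
    struct line_reader r;
    line_reader_init(&r);
    return feed_string(&r, "SSH-2.0-demo\r\n") == LINE_READY
        && r.pos == 12 && memcmp(r.buffer, "SSH-2.0-demo", 12) == 0;
}

static int check_split_line(void)   /* one line arriving in two chunks */
{
    struct line_reader r;
    line_reader_init(&r);
    return feed_string(&r, "SSH-") == LINE_INCOMPLETE && r.pos == 4
        && feed_string(&r, "2.0-x\n") == LINE_READY && r.pos == 9
        && memcmp(r.buffer, "SSH-2.0-x", 9) == 0;
}

static int check_overlong_line(void)
{
    struct line_reader r;
    char big[42];                    /* 40 x 'A' then CRLF: longer than MAX_LINE */
    memset(big, 'A', 40);
    big[40] = '\r'; big[41] = '\n';
    line_reader_init(&r);
    /* Terminated line: rejected before the copy, pos stays 0. */
    if (line_reader_feed(&r, (const uint8_t *)big, 42) != 42
        || r.status != LINE_TOO_LONG || r.pos != 0)
        return 0;
    /* Unterminated prefix: rejected as well, still nothing copied. */
    return line_reader_feed(&r, (const uint8_t *)big, 40) == 40
        && r.status == LINE_TOO_LONG && r.pos == 0;
}

int main(void)
{
    printf("short %d  split %d  overlong %d\n",
           check_short_line(), check_split_line(), check_overlong_line());
    return 0;
}
```

The point of the structure is that both rejection paths return before the copy is reachable, so `pos` and `buffer` are untouched on error; the third check feeds an overlong line both with and without its terminator to exercise both branches.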