
List:       best-of-security
Subject:    BoS: the other bug I mentioned (fwd)
From:       halflife <halflife () saturn ! net>
Date:       1996-01-19 1:29:58



---------- Forwarded message ----------
Date: Thu, 18 Jan 96 17:35:12 EST
From: Barry Jaspan <bjaspan@bbnplanet.com>
To: ssh-bugs@cs.hut.fi
Cc: ssh@cs.hut.fi
Subject: the other bug I mentioned


I mentioned in a previous message that I had found another bug in SSH.
Here it is:

  /* Now that we are back to our own permissions, create ~/.ssh directory
     if it doesn't already exist. */
  sprintf(buf, "%s/%s", pw->pw_dir, SSH_USER_DIR);

The program does not perform bounds checking on pw->pw_dir.  In an NIS
environment, an attacker could forge an NIS response with an overly
long homedir and overwrite the buffer.  The simple way to exploit this
bug would be to send garbage data, causing ssh to coredump and reveal
the host's key (as in my previous attack).  A more insidious attack
would be to send a homedir string that contained executable code that,
say, instructed ssh to mail the USER'S private key to the attacker
elsewhere on the network, and then allow ssh to continue running.

This is the same form of attack that the Morris internet worm used on
November 2, 1988.

This is obviously much harder to exploit, but also more dangerous.
Luckily, it is also easy to fix. :-)

Barry
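The defect Barry describes is an unbounded `sprintf` into a fixed buffer from a string (`pw->pw_dir`) that an NIS server, not the local host, controls. The following is an added example, not code from Barry's message or from the SSH source, showing the bounds-checked form of the same path construction: `snprintf` with its return value checked so that an over-long home directory is rejected instead of overflowing. `SSH_USER_DIR` is the name from the quoted snippet; the buffer size, the function names `build_user_dir` and `homedir_accepted`, and the sample inputs are all constructed for this example.

```c
/* Added example (not from Barry Jaspan's message or the SSH source):
 * bounds-checked construction of the "~/.ssh" path from a home directory
 * string that may come from an untrusted source such as an NIS response.
 */
#include <stdio.h>
#include <string.h>

#define SSH_USER_DIR ".ssh"   /* name taken from the quoted snippet */
#define PATH_BUF_LEN 256      /* assumed fixed buffer size for the example */

/* Returns 0 and fills out[] on success, -1 if the result would not fit.
 * Unlike the quoted sprintf(), snprintf() never writes past outlen bytes,
 * and its return value (the length that *would* have been written) tells
 * us whether the path was truncated, so a too-long homedir is refused
 * rather than silently clipped or, worse, written past the buffer. */
int build_user_dir(const char *homedir, char *out, size_t outlen)
{
    if (homedir == NULL || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", homedir, SSH_USER_DIR);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* don't leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Helper: 1 if the homedir yields a path that fits in PATH_BUF_LEN, else 0. */
int homedir_accepted(const char *homedir)
{
    char buf[PATH_BUF_LEN];
    return build_user_dir(homedir, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal home directory and one far longer
     * than the destination buffer (the shape of a forged NIS reply). */
    char long_home[1024];
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';

    char buf[PATH_BUF_LEN];
    if (build_user_dir("/home/alice", buf, sizeof buf) == 0)
        printf("ok:       %s\n", buf);
    if (build_user_dir(long_home, buf, sizeof buf) != 0)
        printf("rejected: homedir of %zu bytes does not fit in %d\n",
               strlen(long_home), PATH_BUF_LEN);
    return 0;
}
```

The `(size_t)n >= outlen` test is the part that is easy to get wrong: `snprintf` returns the untruncated length, so a value equal to `outlen` already means the terminating NUL did not fit. Callers that need the full path regardless of length should size the buffer from `strlen(homedir)` with `malloc` instead of a fixed array; either way the length of `pw->pw_dir` is checked before anything is written.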
