[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
From:       Qualys Security Advisory <qsa () qualys ! com>
Date:       2023-02-23 14:59:32
Message-ID: 20230223145926.GA7509 () localhost ! localdomain
[Download RAW message or body]

Hi Demi,

On Wed, Feb 22, 2023 at 10:17:19AM -0500, Demi Marie Obenour wrote:
> Is it possible to use this information leak to bypass ASLR without
> crashing the process?

Unfortunately, no: sshd calls _exit() immediately after this information
leak, and fork()s + re-execv()s itself (and therefore re-randomizes its
address space) the next time we connect to it; i.e., a memory address
leaked in one connection is useless in another connection.

> Also, is this flaw expected to be exploitable for code execution on
> GNU/Linux?

We are focusing on OpenBSD for now, because its malloc seems more
compatible with this particular double-free bug than glibc's malloc; we
will look into glibc/Linux at some point, and will keep you posted.

Thank you very much! With best regards,

--=20
the Qualys Security Advisory team=
[prev in list] [next in list] [prev in thread] [next in thread]