List: oss-security
Subject: Re: [oss-security] Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
From: Qualys Security Advisory <qsa () qualys ! com>
Date: 2023-02-23 14:59:32
Message-ID: 20230223145926.GA7509 () localhost ! localdomain
Hi Demi,
On Wed, Feb 22, 2023 at 10:17:19AM -0500, Demi Marie Obenour wrote:
> Is it possible to use this information leak to bypass ASLR without
> crashing the process?
Unfortunately, no: sshd calls _exit() immediately after this information
leak, and fork()s + re-execv()s itself (and therefore re-randomizes its
address space) the next time we connect to it; i.e., a memory address
leaked in one connection is useless in another connection.
> Also, is this flaw expected to be exploitable for code execution on
> GNU/Linux?
We are focusing on OpenBSD for now, because its malloc seems more
compatible with this particular double-free bug than glibc's malloc; we
will look into glibc/Linux at some point, and will keep you posted.
Thank you very much! With best regards,
-- 
the Qualys Security Advisory team
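The re-exec behaviour the reply relies on, as an added example (not from the advisory or from OpenSSH): a parent spawns a child once by plain fork() and once by fork() plus exec of itself, and compares where a static variable lands in each. The environment flag name, the fixed report descriptor 3 and /proc/self/exe are assumptions of this demo; the second case only shows a new layout for a PIE binary on a system with ASLR enabled.

```c
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>

#define REEXEC_ENV "ASLR_DEMO_CHILD"  /* constructed flag, set only in the re-exec'd child */
#define REPORT_FD  3                  /* pipe write end, dup'ed here so it survives exec */
static int probe;                     /* its address moves whenever the image is re-mapped */
/* Send &probe up the pipe and terminate, like sshd's _exit() right after the leak. */
static void report_and_exit(int fd) {
    uintptr_t addr = (uintptr_t)&probe;
    ssize_t w = write(fd, &addr, sizeof addr);
    _exit(w == (ssize_t)sizeof addr ? 0 : 1);
}
/* Runs before main() in every instance of this binary: a re-exec'd child
 * reports where probe landed in its fresh address space and stops there. */
__attribute__((constructor))
static void reexec_hook(void) {
    if (getenv(REEXEC_ENV)) report_and_exit(REPORT_FD);
}
/* Spawn a child (plain fork, or fork + exec of ourselves as sshd does per
 * connection) and return the child's view of &probe, 0 on error. Linux-only. */
uintptr_t child_view(int do_reexec) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        close(fds[0]);
        if (do_reexec) {
            dup2(fds[1], REPORT_FD);
            setenv(REEXEC_ENV, "1", 1);
            execl("/proc/self/exe", "aslr-demo", (char *)NULL);
            _exit(127);               /* exec failed */
        }
        report_and_exit(fds[1]);      /* fork alone copies the parent's layout */
    }
    close(fds[1]);
    uintptr_t got = 0;
    ssize_t n = read(fds[0], &got, sizeof got);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof got ? got : 0;
}

/* 1 if an address leaked from the parent is still valid in that child. */
int leak_survives(int do_reexec) {
    uintptr_t v = child_view(do_reexec);
    return v != 0 && v == (uintptr_t)&probe;
}
```

With a plain fork the leaked address stays valid; after fork + exec it points nowhere useful, which is why a leak from one sshd connection does not carry over to the next.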