The Dropbear SSH server suffers from a use-after-free vulnerability that allows for arbitrary code execution.
64265ec1c523533339855204fdc6f2a60efec7010b11b476bb2709c5aaf7b16e
Dropbear SSH server use-after-free vulnerability
Impact: A remote authenticated user can execute arbitrary code on the
target system.
Class: Use After Free - CWE-416
CVE ID: CVE-2012-0920
CVSS: 8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C)
Description:
This vulnerability is located within the Dropbear daemon and occurs due
to the way the server manages channels concurrency. A specially crafted
request can trigger a `use after free` condition which can be used to
execute arbitrary code under root privileges provided the user has been
authenticated using a public key (authorized_keys file) and a command
restriction is enforced (command option).
Solution: Upgrade to version 2012.55 or higher.
Reference: https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
Disclosure Timeline:
2012-01-24 - Vulnerability reported to vendor.
2012-02-24 - Coordinated public release of advisory.
Credit:
This vulnerability was discovered by Danny Fullerton from Mantor
Organization.
Special thanks to Matt.