exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ssh3291-offbyone.txt

ssh3291-offbyone.txt
Posted May 15, 2007
Authored by Kingcope

The sftp server in ssh-3.2.9.1 from ssh.com may suffer from a remote off by one vulnerability.

tags | advisory, remote
SHA-256 | 8c93956e7669b4b8dc0b881882b3149e989a9c3c49c14cf81f26ba0dd84b0f15

ssh3291-offbyone.txt

Change Mirror Download
ssh.com ssh-3.2.9.1 sftp server remote off by one

***ATTENTION***This has not been tested under reallife conditions***

ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads

/*
* char *ssh_realpath(const char *path, char resolved_path[MAXPATHLEN]);
*
* Find the real name of path, by removing all ".", ".." and symlink
* components. Returns (resolved) on success, or (NULL) on failure,
* in which case the path which caused trouble is left in (resolved).
*
*/
char *ssh_realpath(const char *path, char *resolved)
{
struct stat sb;
int n, rootd, serrno;
...
...
...
...
...
/*
* Join the two strings together, ensuring that the right thing
* happens if the last component is empty, or the dirname is root.
*/
if (resolved[0] == '/' && resolved[1] == '\0')
rootd = 1;
else
rootd = 0;

if (*wbuf)
{
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) //
<----- !rootd
{
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void)strcat(resolved, "/"); /* XXX: strcat is safe */
(void)strcat(resolved, wbuf); /* XXX: strcat is safe */
}
...
...
...
...
...

ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :

---snip---
case SSH_FXP_REALPATH:
LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));

/* Parse the REALPATH message. */
if (ssh_decode_array(data, len,
SSH_FORMAT_UINT32, &id,
SSH_FORMAT_UINT32_STR, &name, NULL,
SSH_FORMAT_END) != len || len == 0)
{
ssh_warning("ssh_file_server_receive_proc: bad REALPATH");
goto return_bad_status;
}

LOG(0, SSH_LOG_INFORMATIONAL, ("Resolving path to `%s'", name));

if (ssh_realpath(name, resolved) == NULL)
{
---snip---

old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.


big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard

Signed,
Kingcope kingcope[at]gmx.net

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close