pragmassh-adv.txt

pragmassh-adv.txt: Posted Jan 5, 2008; Authored by Luigi Auriemma | Site aluigi.org; Pragma FortressSSH versions 5.0 Build 4 Revision 293 and below suffer from a denial of service vulnerability.; tags | advisory, denial of service; SHA-256 | 47404a6f184514f51ba1990f501289d9357be57d1719c236cf552bd634c6620a; Download | Favorite | View

pragmassh-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Pragma FortressSSH
              http://www.pragmasys.com/FortressSSHServer.asp
Versions:     <= 5.0 Build 4 Revision 293
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Pragma FortressSSH is a commercial SSH server for Windows.


#######################################################################

======
2) Bug
======


The server, which starts a sshd.exe process for each incoming
connection, uses the secure *_s functions of msvcrt for working on the
incoming strings.
This method allows the avoiding of buffer-overflow vulnerabilities but
the process terminates and shows a message error if an exception
occurs.

An example is the using of a list of keys longer than 4096 which will
raise the exception in vsprintf_s during the building of the formatted
string, while another example is using a long username.

Although the termination of a single process doesn't affect the others,
the access to the server can be denied through the termination of at
least 75 of these processes, after that the server will be unreachable
(all the current SSH connections established before the last exception
will remain up).

This bad effect will finish gradually when the admin clicks on the
error messages (for example if he closes the first dialogbox a new
connection to the server will be possible) but naturally the attacker
can continue the attack keeping the server ever unreacheable.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pragmassh.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################

Top Authors In Last 30 Days

Red Hat 278 files
indoushka 175 files
Ubuntu 101 files
Gentoo 32 files
Debian 21 files
Apple 11 files
LiquidWorm 10 files
malvuln 8 files
Google Security Research 6 files
Rubén López Herrera 5 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,138)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,509)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,012)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,908)
UNIX (9,467)
UnixWare (188)
Windows (6,783)
Other

pragmassh-adv.txt

pragmassh-adv.txt

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

pragmassh-adv.txt

Share This

pragmassh-adv.txt

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems