#######################################################################

                             Luigi Auriemma

Application:  Pragma FortressSSH
              http://www.pragmasys.com/FortressSSHServer.asp
Versions:     <= 5.0 Build 4 Revision 293
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Pragma FortressSSH is a commercial SSH server for Windows.


#######################################################################

======
2) Bug
======


The server, which starts an sshd.exe process for each incoming
connection, uses the secure *_s functions of msvcrt to handle the
incoming strings.
This avoids buffer-overflow vulnerabilities, but the process terminates
and shows an error message if an exception occurs.
One example is a list of keys longer than 4096, which raises the
exception in vsprintf_s while the formatted string is being built;
another is a long username.

Although the termination of a single process doesn't affect the others,
access to the server can be denied by terminating at least 75 of these
processes, after which the server is unreachable (all the SSH
connections established before the last exception remain up).

This effect wears off gradually as the admin clicks on the error
messages (for example, if he closes the first dialog box a new
connection to the server becomes possible), but naturally the attacker
can continue the attack and keep the server unreachable.

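
An added example (not from this advisory and not Pragma's code) of the
handling that avoids the per-connection crash described in section 2:
the formatting step reports an oversized key list as an error code, so
the connection can be dropped without an exception dialog. Portable
vsnprintf stands in for the MSVC vsprintf_s call; format_bounded,
handle_key_list and demo_key_list are hypothetical names, and the
"peer key list: " prefix is an assumed format string.

```c
/* Added example, not FortressSSH code; all names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define KEYLIST_BUF 4096   /* limit named in the advisory */

/* Bounded formatting that reports truncation as an error code. */
static int format_bounded(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);   /* portable stand-in for vsprintf_s */
    va_end(ap);
    if (n < 0 || (size_t)n >= cap) {    /* output did not fit */
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Per-connection step: 0 = continue, -1 = drop the peer. */
int handle_key_list(const char *peer_keys)
{
    char line[KEYLIST_BUF];
    if (peer_keys == NULL)
        return -1;
    if (format_bounded(line, sizeof line, "peer key list: %s", peer_keys) < 0)
        return -1;   /* caller closes the socket and exits normally */
    return 0;
}

/* Constructed input: a key list of `len` filler bytes. */
int demo_key_list(size_t len)
{
    static char keys[8192];
    if (len >= sizeof keys)
        return -2;
    memset(keys, 'a', len);
    keys[len] = '\0';
    return handle_key_list(keys);
}

int main(void)
{
    printf("64 bytes: %d, 5000 bytes: %d\n", demo_key_list(64), demo_key_list(5000));
    return 0;
}
```
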
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pragmassh.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################