search for: detect_attack

Hi All, Did anybody ever had problems created by static h in function detect_attack() in deattack.c? In our system which is based on pSOS OS, this static h is causing a crash, because after closing first ssh session, it pSOS system is allocating same memory to another ssh session and this static h is overwriting that memory. I would appreciate if you know why h is statically a...

...oblem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. Impact: Insufficient range control calculations (16-bit unsigned variable is used instead of 32-bit, which causes integer overflow) in the detect_attack() function leads to table index overflow bug. This effectively allows an attacker to overwrite arbitrary portions of memory. The altered memory locations affect code that is executed by the daemon with uid 0, and this can be leveraged to obtain general root access to the system. Details: When t...

...atch in a directory. Decompress the ssh-1.2.31.tar.gz package: tar xzvf ssh-1.2.31.tar.gz Apply the patch: patch < ssh-1.2.31-deattach.patch Compile the ssh package. --- ssh-1.2.31/deattack.c-old Wed Feb 7 19:45:16 2001 +++ ssh-1.2.31/deattack.c Wed Feb 7 19:54:11 2001 @@ -79,7 +79,7 @@ detect_attack(unsigned char *buf, word32 len, unsigned char *IV) { static word16 *h = (word16 *) NULL; - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE; + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE; register word32 i, j; word32 l; register unsigned char *c; -------------------...

...gt; --- deattack.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff -uprN openssh-4.3p2/deattack.c openssh-4.3p2-kylie/deattack.c --- openssh-4.3p2/deattack.c 2003-09-22 06:04:23.000000000 -0500 +++ openssh-4.3p2-kylie/deattack.c 2006-05-04 15:10:19.000000000 -0500 @@ -137,7 +137,7 @@ detect_attack(u_char *buf, u_int32_t len for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; i = (i + 1) & (n - 1)) { if (h[i] == HASH_IV) { - if (!CMP(c, IV)) { + if (IV && !CMP(c, IV)) { if (check_crc(c, buf, len, IV)) return (DEATTACK_DETECTED); else

...to see if the hash table has grown. If pSOS OS is having issues I'd question your compiler or OS for reallocating memory that should be tagged as used. - Ben On Wed, 15 May 2002, Amandeep Singh wrote: > Hi All, > > Did anybody ever had problems created by static h in function > detect_attack() in deattack.c? In our system which is based on pSOS OS, this > static h is causing a crash, because after closing first ssh session, it > pSOS system is allocating same memory to another ssh session and this static > h is overwriting that memory. > > I would appreciate if you know...

This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH