Re: More ssh fun (sshd this time)

Wietse Venema (wietse@WZV.WIN.TUE.NL)
Mon, 25 Aug 1997 18:48:33 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "FreeBSD Security Advisory: FreeBSD-SA-97:04.procfs"
Previous message: Peter Shipley: "Active X exploit."
Maybe in reply to: Ivo van der Wijk: "More ssh fun (sshd this time)"
Next in thread: Solar Designer: "Re: More ssh fun (sshd this time)"

[Reposted. The previous copy disappeared after being forwarded by
the listserv -- Wietse]

Ivo van der Wijk:
> - This could also be considered a bug in bind(), because it doesn't wrap
> portnumbers > 65536, but still, it makes sshd vurnerable, at least on Linux
> (2.0.29), Solaris 2.4 and SunOs 4.1.4

Actually, the port number passed to bind() is a 16-bit quantity
(the sin_port member of a struct sockaddr_in).

The fix would be to compare nthos(foo.sin_port) with IPPORT_RESERVED.
By sheer dumb luck, this is exactly what I did in my hacked FTP daemon.

Wietse

Next message: Aleph One: "FreeBSD Security Advisory: FreeBSD-SA-97:04.procfs"
Previous message: Peter Shipley: "Active X exploit."
Maybe in reply to: Ivo van der Wijk: "More ssh fun (sshd this time)"
Next in thread: Solar Designer: "Re: More ssh fun (sshd this time)"