Matt
Benjamin J Stassart <dszd0g@dasb.fhda.edu> writes:
> [...]
>
> Also, unless I am mistaken it appears you could over-run one of the
> buffers in authuser.c with spaces or tabs. What this would be able to
> accomplish I do not know, but it should be fixed.
>
>     while ((w = read(s, &ch, 1)) == 1) {
>         *buf = ch;
>         if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
>             ++buf;
>         if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
>             break;
>     }
>
> Switching the if statements should fix the problem I believe?
>
> [...]
>
> As for ease of overflowing the buffer, I would say pretty easy. I have
> hacked up pidentd source quite a bit. It is not difficult. Since the
> buffer is just read directly from the socket, well...
>
> Benjamin J. Stassart
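
A bounds harness for the loop quoted above, added here as an example and not part of the original message or of authuser.c: it replays the loop over constructed in-memory input in place of the socket read and reports the highest offset of realbuf that gets written. REALBUF_SIZE, replay_loop and replay_fill are hypothetical names, and the buffer size is an assumption because the message does not give it.

```c
#include <stdio.h>
#include <string.h>

#define REALBUF_SIZE 16 /* assumed; the message does not give realbuf's size */

/* Replays the quoted loop over in-memory input instead of read(s, &ch, 1).
 * Returns the highest realbuf offset written (-1 if none); *stored gets
 * buf - realbuf at loop exit. */
long replay_loop(const char *in, size_t len, size_t *stored)
{
    char realbuf[REALBUF_SIZE];
    char *buf = realbuf;
    long max_off = -1;
    size_t i;

    for (i = 0; i < len; i++) {       /* each pass stands in for one read() */
        char ch = in[i];
        long off = (long)(buf - realbuf);
        if (off > max_off)
            max_off = off;
        if (off >= (long)sizeof(realbuf))
            break;                    /* harness guard: report, never write out of bounds */
        *buf = ch;
        if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
            ++buf;
        if (((size_t)(buf - realbuf) == sizeof(realbuf) - 1) || (ch == '\n'))
            break;
    }
    *stored = (size_t)(buf - realbuf);
    return max_off;
}

/* Constructed input: n copies of one byte with no newline (n capped at 256). */
long replay_fill(char fill, size_t n, size_t *stored)
{
    char in[256];
    if (n > sizeof(in))
        n = sizeof(in);
    memset(in, fill, n);
    return replay_loop(in, n, stored);
}

int main(void)
{
    size_t kept;
    printf("spaces: max offset %ld\n", replay_fill(' ', 200, &kept));
    printf("tabs:   max offset %ld\n", replay_fill('\t', 200, &kept));
    printf("text:   max offset %ld\n", replay_fill('A', 200, &kept));
    return 0;
}
```

A returned offset of REALBUF_SIZE or more would indicate a write past the end of the buffer; the same harness can be rerun with the two if statements swapped to compare.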