[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: libssh bugs found via fuzzing
[Thread Prev] | [Thread Next]
- Subject: Re: libssh bugs found via fuzzing
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sun, 13 Sep 2009 21:35:14 +0200
- To: libssh@xxxxxxxxxx
Jean,Thank you for your work. Andreas already corrected the two first bugs. I found the cause of the third bug : When passing a length which is not a multiple of blocksize to AES_cbc_decrypt (or equivalent), openssl pads that buffer with zeroes and then encrypt, adding the missing bytes to make the buffer a multiple of blocksize.
I will issue a fix. I will also look how complicated it is to write an exploit. I'm quite sure it is exploitable on older gnu libc. And of course the client is vulnerable as well.
Thanks again, Aris Jean Sigwald a écrit :
Hi, We are security researchers working at Orange Labs. Our area of research is focused on vulnerability research with fuzzing techniques. We found 3 issues in libssh 0.3.3 that can be used to crash the samplesshd server remotely : - missing NULL pointer check in crypt_set_algorithms_server - integer overflow in buffer_get_data - heap overflow in packet_decrypt, which seems to be caused by calling DES_ede3_cbc_encrypt with a length that is not a multiple of 8 The attached files are gdb backtraces to help you fix those issues. Best regards, Jean Sigwald
libssh bugs found via fuzzing | Jean Sigwald <jean.sigwald@xxxxxxxxxxxxxxxxxx> |