| Date: Thu, 18 Jan 96 17:35:12 EST
| From: Barry Jaspan <bjaspan@bbnplanet.com>
| Subject: the other bug I mentioned
|
|
| I mentioned in a previous message that I had found another bug in SSH.
| Here it is:
|
| /* Now that we are back to our own permissions, create ~/.ssh directory
| if it doesn't already exist. */
| sprintf(buf, "%s/%s", pw->pw_dir, SSH_USER_DIR);
|
| The program does not perform bounds checking on pw->pw_dir. In an NIS
| environment, an attacker could forge an NIS response with an overly
| long homedir and overwrite the buffer. The simple way to exploit this
| bug would be to send garbage data, causing ssh to coredump and reveal
| the host's key (as in my previous attack). A more insidious attack
| would be to send a homedir string that contained executable code that,
| say, instructed ssh to mail the USER'S private key to the attacker
| elsewhere on the network, and then allow ssh to continue running.
|
| This is the same form of attack that the Morris internet worm used on
| November 2, 1988.
|
| This is obviously much harder to exploit, but also more dangerous.
| Luckily, it is also easy to fix. :-)
|
| Barry
|
|
|
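The unbounded sprintf pattern Barry quotes, next to a bounds-checked replacement, as an added example written for this page rather than code from the SSH sources. The fixed buffer size (256 bytes) and the ".ssh" value of SSH_USER_DIR are assumptions for the example; the passwd entries are constructed inline to stand in for a legitimate NIS reply and for a forged one carrying an overlong home directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSH_USER_DIR ".ssh"   /* assumed value for this example */
#define SSH_PATH_BUF 256      /* assumed fixed buffer size, as in the quoted code */

/* The pattern described in the message: the length of `home` (pw->pw_dir,
 * whatever NIS returned) is never checked against the destination buffer.
 * Calling this with a home directory longer than the buffer is memory
 * corruption; it is kept here only for contrast and is never called with
 * untrusted-length input below. */
void build_user_dir_unchecked(const char *home, char *buf)
{
    sprintf(buf, "%s/%s", home, SSH_USER_DIR);
}

/* Hardened form: snprintf bounds the write, and the return value is checked so
 * that a path that would not fit is refused rather than silently truncated.
 * Also rejects NULL and non-absolute home directories, which a forged
 * passwd entry could also supply. Returns the path length on success, -1 on
 * refusal; on refusal the buffer is left as an empty string. */
int build_user_dir_checked(const char *home, char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    if (home == NULL || home[0] != '/') {
        buf[0] = '\0';
        return -1;
    }
    int n = snprintf(buf, bufsz, "%s/%s", home, SSH_USER_DIR);
    if (n < 0 || (size_t)n >= bufsz) {   /* n >= bufsz means it would have been cut */
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructs a home directory of exactly `len` characters ("/aaaa...") to stand
 * in for a forged NIS response, and runs the checked builder against the
 * fixed-size buffer. Returns whatever the checked builder returns. */
int try_homedir_of_length(size_t len)
{
    if (len == 0)
        return -1;
    char *home = malloc(len + 1);
    if (home == NULL)
        return -2;
    memset(home, 'a', len);
    home[0] = '/';
    home[len] = '\0';

    char buf[SSH_PATH_BUF];
    int n = build_user_dir_checked(home, buf, sizeof buf);
    free(home);
    return n;
}

int main(void)
{
    char buf[SSH_PATH_BUF];

    /* A legitimate-looking entry: both forms agree. */
    build_user_dir_unchecked("/home/barry", buf);
    printf("unchecked: %s\n", buf);
    printf("checked:   %d %s\n", build_user_dir_checked("/home/barry", buf, sizeof buf), buf);

    /* A forged entry long enough to overrun the 256-byte buffer: the checked
     * form refuses it; the unchecked form would overwrite the stack. */
    printf("forged 4096-char homedir -> %d\n", try_homedir_of_length(4096));
    return 0;
}
```

The boundary matters: a 250-character home directory plus "/.ssh" is 255 bytes and still leaves room for the terminator, while 251 characters does not, so the check must be `n >= bufsz`, not `n > bufsz`. Refusing rather than truncating is deliberate: a truncated path would make ssh create or read files somewhere the user did not intend.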