ssh.com ssh-3.2.9.1 sftp server remote off by one
ATTENTIONThis has not been tested under reallife conditions***
ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads
/*
*/
char *ssh_realpath(const char *path, char resolved)
{
struct stat sb;
int n, rootd, serrno;
…
…
…
…
…
/
if (wbuf)
{
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) //
<----- !rootd
{
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void)strcat(resolved, "/"); / XXX: strcat is safe /
(void)strcat(resolved, wbuf); / XXX: strcat is safe */
}
…
…
…
…
…
ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :
—snip—
case SSH_FXP_REALPATH:
LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));
/* Parse the REALPATH message. */
if (ssh_decode_array(data, len,
SSH_FORMAT_UINT32, &id,
SSH_FORMAT_UINT32_STR, &name, NULL,
SSH_FORMAT_END) != len || len == 0)
{
ssh_warning("ssh_file_server_receive_proc: bad REALPATH");
goto return_bad_status;
}
LOG(0, SSH_LOG_INFORMATIONAL, ("Resolving path to `%s'", name));
if (ssh_realpath(name, resolved) == NULL)
{
—snip—
old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.
big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard
Signed,
Kingcope kingcope[at]gmx.net
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/