Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17054
HistoryMay 19, 2007 - 12:00 a.m.

[Full-disclosure] ssh.com ssh-3.2.9.1 sftp server remote off by one

2007-05-1900:00:00
vulners.com
12
JSON

ssh.com ssh-3.2.9.1 sftp server remote off by one

ATTENTIONThis has not been tested under reallife conditions***

ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads

/*

  • char *ssh_realpath(const char *path, char resolved_path[MAXPATHLEN]);
  • Find the real name of path, by removing all ".", "…" and symlink
  • components. Returns (resolved) on success, or (NULL) on failure,
  • in which case the path which caused trouble is left in (resolved).

*/
char *ssh_realpath(const char *path, char resolved)
{
struct stat sb;
int n, rootd, serrno;





/

  • Join the two strings together, ensuring that the right thing
  • happens if the last component is empty, or the dirname is root.
    */
    if (resolved[0] == '/' && resolved[1] == '\0')
    rootd = 1;
    else
    rootd = 0;

if (wbuf)
{
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) //
<----- !rootd
{
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void)strcat(resolved, "/"); / XXX: strcat is safe /
(void)strcat(resolved, wbuf); / XXX: strcat is safe */
}




ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :

—snip—
case SSH_FXP_REALPATH:
LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));

  /* Parse the REALPATH message. */
  if &#40;ssh_decode_array&#40;data, len,
                       SSH_FORMAT_UINT32, &amp;id,
                       SSH_FORMAT_UINT32_STR, &amp;name, NULL,
                       SSH_FORMAT_END&#41; != len || len == 0&#41;
    {
      ssh_warning&#40;&quot;ssh_file_server_receive_proc: bad REALPATH&quot;&#41;;
      goto return_bad_status;
    }

  LOG&#40;0, SSH_LOG_INFORMATIONAL, &#40;&quot;Resolving path to &#96;&#37;s&#39;&quot;, name&#41;&#41;;

  if &#40;ssh_realpath&#40;name, resolved&#41; == NULL&#41;
    {

—snip—

old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.

big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard

Signed,
Kingcope kingcope[at]gmx.net

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON