The LINUX.COM Article Archive
Originally Published: Wednesday, 15 December 1999 | Author: Quentin Cregan
Published to: news_enhance_security/Security News
Quick notes on ssh 1.2.27 rsaref bug posted to BugTraq.
"Doing an overflow we must provide a buffer of 136 bytes length (the input_data buffer is 128 bytes + 4 bytes for the EBP and 4 bytes for the EIP). Everything works fine until we reach the RSAPrivateDecrypt function in rsaref. This function checks the variable input_len, which is the length of the buffer (in our case it is minimum 136) against the variable modulus_len, which is 128. When this check fails (and it does), RSAPrivateDecrypt returns an error, causing sshd to fall into a fatal error."