Date: Fri, 15 Jan 2016 16:58:07 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>, Qualys Security Advisory <qsa@...lys.com>
Subject: Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778

On Fri, Jan 15, 2016 at 4:56 PM, Jason A. Donenfeld <Jason@...c4.com> wrote:
> Great work Qualys. One question about the PoC:
>
> On Thu, Jan 14, 2016 at 6:13 PM, Qualys Security Advisory
> <qsa@...lys.com> wrote:
>> # env ROAMING="heap_massaging:linux" "`pwd`"/sshd -o ListenAddress=127.0.0.1:222 -o
>> UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
>
> Does your proof of concept patch actually include support for this
> heap_massaging mode?

Read more carefully, answered my own question:

> - Massage the client's heap before roaming_reply() malloc()ates out_buf,
>   and force malloc() to return a previously free()d but uncleansed chunk
>   of sensitive information. The simple proof-of-concept in this advisory
>   does not implement heap massaging.

That's a shame. Please reconsider.