Is OpenSSH vulnerable to the ZLIB problem or isn't it?
Dave Dykstra
dwd at bell-labs.com
Thu Apr 4 03:08:44 EST 2002
I'm disappointed that nobody has replied to my question. OpenSSH
development team, isn't the potential for a remote root exploit something
that's important to you? Many other tools that use zlib have issued a
public statement saying they are or they are not vulnerable.
- Dave
On Fri, Mar 22, 2002 at 12:37:35PM -0600, Dave Dykstra wrote:
> SSH.COM says their SSH2 is not vulnerable to the ZLIB problem even though
> they use the library (details below). Can OpenSSH say the same thing?
>
> In either case, it seems like there ought to be an openssh-unix-announce
> message about what the situation is. I may have missed it, but I don't
> believe there was one. Yes, openssh doesn't have its own copy of zlib
> source but it would still be helpful to have a statement, especially since
> it appears under protocol 2 that it's potentially exploitable before
> authentication.
>
> - Dave Dykstra
>
>
> ----- Forwarded message from Erik Parker <eparker at mindsec.com> -----
>
> Mailing-List: contact secureshell-help at securityfocus.com; run by ezmlm
> List-Post: <mailto:secureshell at securityfocus.com>
> List-Help: <mailto:secureshell-help at securityfocus.com>
> List-Unsubscribe: <mailto:secureshell-unsubscribe at securityfocus.com>
> List-Subscribe: <mailto:secureshell-subscribe at securityfocus.com>
> Delivered-To: mailing list secureshell at securityfocus.com
> Delivered-To: moderator for secureshell at securityfocus.com
> Date: Wed, 20 Mar 2002 12:59:59 -0600 (CST)
> From: Erik Parker <eparker at mindsec.com>
> To: secureshell at securityfocus.com
> Subject: RE: ZLIB.. WHere is SSH.COM?! Part 2 (fwd)
>
> ---------- Forwarded message ----------
> Date: Mon, 18 Mar 2002 08:08:41 -0800
> From: Thi Le <tle at ssh.com>
> To: Erik Parker <eparker at mindsec.com>
> Subject: RE: ZLIB.. WHere is SSH.COM?!
>
> Dear Erik,
>
> We sincerely apologize for the delay in responding to your question and concerns.
>
> Below are the comments from our product management team:
>
> There has been a vulnerability in zlib compression library that is being
> used by SSH Secure Shell and numerous other applications and operating
> systems.
>
> SSH Secure Shell is NOT vulnerable to this thanks to our implementation
> style.
>
> Our software is using the vulnerable zlib library, but it can't be
> exploited. If someone tries to perform an exploit only that specific
> connection will crash. Not the server nor any other connections.
>
> We will upgrade the zlib library in our future releases.
>
> CERT and CERT-FI has been notified, no other reaction is necessary at this
> point.
>
> For further technical information, please see the technical explanation
> below.
>
> The problem works as follows: when a maliciously corrupted compressed
> data stream is decompressed, it can cause the function
> inflate_blocks() to enter a certain state and return FALSE. If called
> again in this state, this function can cause a heap corruption
> exploitable by the attacker. (More precisely, both the first and the
> second call will attempt to free the same pointer. This is layed out
> in more detail in the advisory.)
>
> We do not use the zlib directly. Instead, we use a wrapper library
> bufzip that is the only point in our code that is in directly contact
> to the zlib.
>
> The crucial point is this: if bufzip calls the misbehaving function in
> the zlib, it always checks whether the return value is TRUE. If not,
> it terminates the process with a message that the compressed data
> stream is corrupted.
>
> Consequently, every attempt to attack makes the connection collapse
> with a nasty error, which is exactly what we want if an attack is
> going on. No other effects are possible.
>
> I hope that answers your question & concerns. Please feel free to contact
> me if I can be of any further assistance.
>
> Sincerely,
> Thi Le
> Eastern Region Territory Manager
> SSH Communications Security
>
>
> ----- End forwarded message -----
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list