Is OpenSSH vulnerable to the ZLIB problem or isn't it?
Markus Friedl
markus at openbsd.org
Thu Apr 4 05:19:40 EST 2002
On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > SSH Secure Shell is NOT vulnerable to this thanks to our implementation
> > style.
I don't think this is true. They seem to call inflateEnd()
if inflate() fails. OpenSSH did the same. However, since
I have no idea how to exploit this I cannot tell you whether we
are vulnerable. But you should upgrade zlib in any case...
> > Our software is using the vulnerable zlib library, but it can't be
> > exploited. If someone tries to perform an exploit only that specific
> > connection will crash. Not the server nor any other connections.
> >
> > We will upgrade the zlib library in our future releases.
> >
> > CERT and CERT-FI have been notified, no other reaction is necessary at this
> > point.
> >
> > For further technical information, please see the technical explanation
> > below.
> >
> > The problem works as follows: when a maliciously corrupted compressed
> > data stream is decompressed, it can cause the function
> > inflate_blocks() to enter a certain state and return FALSE. If called
> > again in this state, this function can cause a heap corruption
> > exploitable by the attacker. (More precisely, both the first and the
> > second call will attempt to free the same pointer. This is laid out
> > in more detail in the advisory.)
> >
> > We do not use the zlib directly. Instead, we use a wrapper library
> > bufzip that is the only point in our code that is in direct contact
> > with the zlib.
> >
> > The crucial point is this: if bufzip calls the misbehaving function in
> > the zlib, it always checks whether the return value is TRUE. If not,
> > it terminates the process with a message that the compressed data
> > stream is corrupted.
> >
> > Consequently, every attempt to attack makes the connection collapse
> > with a nasty error, which is exactly what we want if an attack is
> > going on. No other effects are possible.
> >
> > I hope that answers your question & concerns. Please feel free to contact
> > me if I can be of any further assistance.
> >
> > Sincerely,
> > Thi Le
> > Eastern Region Territory Manager
> > SSH Communications Security
> >
> >
> > ----- End forwarded message -----
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
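
An added illustration, not code from zlib, OpenSSH or SSH Secure Shell: a simplified C model of the two call patterns discussed in the thread, running cleanup after a failed inflate versus stopping at the first failure. All names are hypothetical, and release attempts are counted rather than executed twice.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, NOT zlib code; every name here is hypothetical. */
struct model_stream {
    void *blocks; /* buffer owned by the decompressor state */
    int bad;      /* sticky failure state entered on corrupt input */
    int frees;    /* release attempts made on blocks */
};

/* Count a release attempt. free() really runs only the first time, so this
 * program never performs the double free it is counting. */
static void release(struct model_stream *s) {
    if (s->frees++ == 0) free(s->blocks);
}

/* Returns 1 on success, 0 on failure. Corrupt input releases the buffer and
 * leaves the stream in the bad state with the stale pointer still set. */
static int model_inflate(struct model_stream *s, int corrupt) {
    if (corrupt) s->bad = 1;
    if (s->bad) { release(s); return 0; }
    return 1;
}

/* Cleanup releases blocks without knowing whether a failure already did. */
static void model_end(struct model_stream *s) { release(s); }

/* Release attempts seen for one connection. With stop_at_first_failure set,
 * a failed inflate is fatal for the connection and the stream is never
 * touched again; otherwise cleanup runs even after the failure. */
int release_attempts(int corrupt, int stop_at_first_failure) {
    struct model_stream s = { malloc(64), 0, 0 };
    int ok = model_inflate(&s, corrupt);
    if (ok || !stop_at_first_failure) model_end(&s);
    return s.frees;
}

int main(void) {
    printf("cleanup after failure: %d release attempts\n", release_attempts(1, 0));
    printf("stop at first failure: %d release attempts\n", release_attempts(1, 1));
    return 0;
}
```

A count above one for a single buffer is the condition the quoted explanation describes as both calls attempting to free the same pointer.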