Call for testing: OpenSSH 7.3
C0r3dump3d
coredump at autistici.org
Fri Jul 22 21:40:46 AEST 2016
Hi, I have tried the git version and now it's OK, no user enumeration
and no DoS!!
If possible, please include my partner and me in the credits for the
bug:
Andres Rojas -- coredump at autistici.org
Javier Nieto -- jnieton at gmail.com
Thank you very much
On 22/07/16 at 12:23, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <coredump at autistici.org> wrote:
>> but now it's easier to establish the DoS
>> condition in access to the OpenSSH server and exhaust the CPU
>> resources; any dummy user can be used!
>
> The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
> unfortunately made in the time after the code to cap the password size
> at 1k was committed to OpenBSD
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
> but before it was synced into -Portable
> (https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
> As a result your very large password strings are still making it into
> crypt(3).
>
> Please either grab the code directly from git (you'll need to run
> "autoreconf" yourself) or try tomorrow's snapshot and retest it.
>
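
The fix discussed in this thread, sketched as an added example (not code from OpenSSH or from either poster): the password length is capped at 1k before the expensive hash runs, and unknown users are hashed as well so both paths cost the same. `toy_hash`, `enroll`, `check_password`, the `alice` account and `ROUNDS` are hypothetical names and constructed values; `toy_hash` stands in for crypt(3) and is not a real KDF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PASSWORD_LEN 1024  /* the 1k cap described in the thread */
#define ROUNDS 5000            /* constructed cost factor for the stand-in hash */

static unsigned long work_done;            /* hash steps performed, makes cost visible */
static const char *known_user = "alice";   /* constructed sample account */
static const char *known_salt = "s4lt";
static uint64_t known_hash;

/* Stand-in for crypt(3): cost grows with ROUNDS * strlen(pw). Not a real KDF. */
static uint64_t toy_hash(const char *pw, const char *salt)
{
    uint64_t h = 1469598103934665603ULL;
    for (int r = 0; r < ROUNDS; r++) {
        for (const char *s = salt; *s; s++)
            h = (h ^ (unsigned char)*s) * 1099511628211ULL;
        for (const char *p = pw; *p; p++, work_done++)
            h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    }
    return h;
}

/* Store the sample account's hash (hypothetical helper). */
void enroll(const char *pw) { known_hash = toy_hash(pw, known_salt); }

/* Returns 1 on success, 0 on failure. */
int check_password(const char *user, const char *pw)
{
    /* Reject oversized input before it can reach the expensive hash. */
    if (strlen(pw) > MAX_PASSWORD_LEN)
        return 0;
    int known = strcmp(user, known_user) == 0;
    /* Hash for unknown users too, so both paths do the same work. */
    uint64_t h = toy_hash(pw, known ? known_salt : "fake");
    return known && h == known_hash;
}

int main(void)
{
    static char big[4096];
    memset(big, 'A', sizeof big - 1);   /* constructed oversized password */
    enroll("correct horse");
    work_done = 0;
    int ok = check_password(known_user, big);
    printf("oversized: ok=%d work=%lu\n", ok, work_done);
    return 0;
}
```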