2003-09-19T18:48:24 KF: > Well I messed with it a bit more and it seems to consistantly crash in the > following areas... Sorry for not following up sooner and saving you some effort; the author has analyzed this one, posted a patch to lsh-bugs, and is working on new releases that include the patch. I attach the email that went to lsh-bugs. Short version: simple, one line patch, _urgently_ needs to be applied by all users of lsh. -Bennett
--- Begin Message ---
- To: lsh-bugs@xxxxxxxxxxxxxxxxxxxx
- Subject: lshd buffer overrun. Possibly remote root compromise.
- From: nisse@xxxxxxxxxxxxxx (Niels Möller)
- Date: 18 Sep 2003 22:29:03 +0200
Summary: PLEASE DISABLE LSHD SERVICE. Apply below patch. Simon Josefsson <jas@xxxxxxxxxxx> writes: > FWIW, I can reproduce it: > > lshd: write_buffer: do_write length = 256 > lshd: write_buffer: do_write closure->length = 293 > lshd: garbage collecting... > lshd: gc_mark: Memory corrupted! > Aborted > > I think it has nothing to do with the actual bits sent, but rather > that some earlier random data caused the code to take a rarely tested > execution path, which has garbage collect bugs in it, which is > discovered a while later. I'm afraid it's worse than that. It seems to be a genuine buffer overrun, on the heap. It's the buffer in read_line.c, /* GABA: (class (name read_line) (super read_handler) (vars (handler object line_handler) (e object exception_handler) ; Line buffer (pos . uint32_t) (buffer array uint8_t MAX_LINE))) */ The below patch should fix the bug. It's a case of checking for an error, reporting it, and then forgetting to return from the function. Instead the code just went on overwriting the buffer. Pretty embarrassing. diff -u -a -r1.31 read_line.c --- src/read_line.c 16 Feb 2003 21:30:11 -0000 1.31 +++ src/read_line.c 18 Sep 2003 20:02:48 -0000 @@ -100,6 +100,7 @@ /* Too long line */ EXCEPTION_RAISE(self->e, make_protocol_exception(0, "Line too long.")); + return available; } /* Ok, now we have a line. Copy it into the buffer. */ The buggy code was checked in a little more than four years ago, 1999-08-22, at about this time of day. I'm *not* going to bet that it isn't exploitable. I'll try to get new releases out within a few days, until then, I recommend that you apply the above patch to lshd and recompile, or disable lshd service. Thanks to Bennett Todd for reporting the problem. Sorry about the trouble. Regards, /Niels
--- End Message ---
Attachment:
pgp00051.pgp
Description: PGP signature