From owner-freebsd-security Mon Nov 2 17:02:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10206 for freebsd-security-outgoing; Mon, 2 Nov 1998 17:02:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10201 for ; Mon, 2 Nov 1998 17:02:04 -0800 (PST) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA00776; Mon, 2 Nov 1998 18:01:30 -0700 (MST)
Message-Id: <4.1.19981102180015.046c7490@127.0.0.1>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 02 Nov 1998 18:01:23 -0700
To: andrew@squiz.co.nz, Warner Losh
From: Brett Glass
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
Cc: bow , FreeBSD-security@FreeBSD.ORG
In-Reply-To:
References: <199811022237.PAA16222@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:47 PM 11/3/98 +1300, Andrew McNaughton wrote:

>I had a brief look over the ssh code some months ago. I didn't find
>anything exploitable, but I did find things that made me uncomfortable,
>like the logging routine that uses vsprintf (or something similarly
>lacking in bounds checking) and expected all the places it was checked to
>do the bounds checking.

Watch out for logging routines. When some folks got into our system via the
Qpopper exploit, the long messages sent by QPopper crashed syslogd. This
might be an avenue for a hack.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
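
Added example, not part of the original message and not code from ssh, Qpopper or syslogd: a logging helper that does its own bounds checking with vsnprintf instead of relying on every caller to do it, and marks messages it had to truncate. The name log_format and the 64-byte LOG_MAX cap are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 64  /* assumed cap for this example, not a real syslog limit */

/*
 * Format a log message into dst (capacity dstsz) without writing past it.
 * vsprintf(dst, fmt, ap) would copy however many bytes the arguments
 * expand to; vsnprintf stops at dstsz and reports the length it needed.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error.
 * A truncated message ends in "..." so whoever reads the log can tell.
 */
int log_format(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || fmt == NULL || dstsz < 4)
        return -1;              /* need room for "..." plus the NUL */

    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);

    if (n < 0) {                /* encoding or output error */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n >= dstsz) {   /* needed more than we have: truncated */
        memcpy(dst + dstsz - 4, "...", 4);  /* 3 dots plus the NUL */
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[LOG_MAX];
    char big[1001];             /* constructed over-long client input */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    /* Untrusted text goes in as an argument, never as the format. */
    int rc = log_format(line, sizeof line, "user %s logged in", big);
    printf("rc=%d len=%zu msg=%s\n", rc, strlen(line), line);
    return 0;
}
```

The return value lets the caller count or flag oversized messages instead of forwarding them unbounded to the log daemon.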