Notes on the SSH 3.7 buffer error bugfix
Responding to a comment by Berend Engelbrecht

MS: ... two that could allow arbitrary code execution and one that could result in a denial of service.
BSD: which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.
Berend: I must admit immediately that the Microsoft warning is more grave in tone, they do not attempt at all to play down the bugs that were found,

MS's warnings may not attempt to play down the bugs, but the SSH bugs are definitely being played up. The MS bug is apparently known to allow the insertion of arbitrary code. The SSH code, on the other hand, allows a block of data to be overwritten with zeros. The comment from within the SSH developer community is "In theory this might be usable to allow random code to be executed, but we really don't have any idea how."

This was followed by one person posting a frenetic email saying that random (unidentified) persons had claimed that they had seen signs of an attack in the wild. This claim is (AFAIK) unverified, but is being used as the basis of hysterical reports.

Microsoft cannot downplay the seriousness of their bugs because they know that it is exploitable and they know the deep sh!t that they got into for trying to downplay previous bugs of this seriousness. With the SSH community, on the other hand, the entire source code is available, and people can see the bug, the fix, and gauge the seriousness of the error themselves (if they're willing to look).

I've modified the patch slightly (to make the change more readable) and placed it on my site. The result of my change would be the same final code, it's just the patch itself that's more readable.

As far as I know, nobody in the SSH community has come up with a reasonable idea for how to exploit the bug for anything more than a DoS (i.e. crashing sshd) -- apparently, the problem being remedied would have resulted in ssh aborting, anyways... the only difference is that the patch allows ssh to shut down cleanly, while the bug resulted in an exception before the shutdown could complete.
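The point above (and the "overwritten with zeros" remark earlier) is about how a growable buffer should behave when an append would push it past its size limit or when reallocation fails: refuse the request, leave the old contents and length bookkeeping intact, and let the caller shut down cleanly rather than carry on with a bad pointer/length pair. The following is an added illustration of that defensive pattern, written for this note; it is not OpenSSH's buffer.c, and the type, function names and the GROWBUF_MAX_LEN cap are all made up for the example.

```c
/*
 * Added example: a growable byte buffer whose append path fails cleanly.
 * Not OpenSSH code; growbuf, its functions and GROWBUF_MAX_LEN are
 * hypothetical names constructed for this illustration.
 */
#include <stdlib.h>
#include <string.h>

/* Hypothetical hard ceiling on buffer size (constructed for the example). */
#define GROWBUF_MAX_LEN (1024 * 1024)

typedef struct {
    unsigned char *buf;   /* backing storage, NULL when unallocated */
    size_t alloc;         /* bytes allocated at buf */
    size_t offset;        /* first byte of unconsumed data */
    size_t end;           /* one past the last byte of data */
} growbuf;

/* Returns 0 on success, -1 on allocation failure. */
int growbuf_init(growbuf *b, size_t initial)
{
    if (initial == 0 || initial > GROWBUF_MAX_LEN)
        initial = 4096;
    b->buf = malloc(initial);
    if (b->buf == NULL)
        return -1;
    b->alloc = initial;
    b->offset = b->end = 0;
    return 0;
}

/* Bytes of unconsumed data. */
size_t growbuf_len(const growbuf *b)
{
    return b->end - b->offset;
}

/*
 * Reserve len writable bytes at the tail and return a pointer to them.
 * Returns NULL if the request would exceed GROWBUF_MAX_LEN or realloc
 * fails; in both cases b is left exactly as it was, so the caller can
 * log the condition and shut down cleanly instead of crashing later.
 */
unsigned char *growbuf_append_space(growbuf *b, size_t len)
{
    size_t need, newalloc;
    unsigned char *p;

    /* Reject oversized requests before any size arithmetic can wrap. */
    if (len > GROWBUF_MAX_LEN || growbuf_len(b) > GROWBUF_MAX_LEN - len)
        return NULL;

    /* Slide unconsumed data to the front so freed space is reusable. */
    if (b->offset > 0) {
        memmove(b->buf, b->buf + b->offset, growbuf_len(b));
        b->end -= b->offset;
        b->offset = 0;
    }
    need = b->end + len;
    if (need > b->alloc) {
        /* Grow geometrically, but never beyond the cap. */
        newalloc = b->alloc;
        while (newalloc < need)
            newalloc = (newalloc > GROWBUF_MAX_LEN / 2) ? GROWBUF_MAX_LEN
                                                        : newalloc * 2;
        p = realloc(b->buf, newalloc);
        if (p == NULL)
            return NULL;      /* a failed realloc leaves the old block valid */
        b->buf = p;
        b->alloc = newalloc;
    }
    p = b->buf + b->end;
    b->end += len;
    return p;
}

/* Copy len bytes in; 0 on success, -1 if the buffer refuses them. */
int growbuf_append(growbuf *b, const void *data, size_t len)
{
    unsigned char *p = growbuf_append_space(b, len);
    if (p == NULL)
        return -1;
    memcpy(p, data, len);
    return 0;
}

/* Consume up to len bytes from the front; returns the count consumed. */
size_t growbuf_consume(growbuf *b, size_t len)
{
    if (len > growbuf_len(b))
        len = growbuf_len(b);
    b->offset += len;
    return len;
}

/* Zero the block before freeing so stale data does not linger, then reset. */
void growbuf_free(growbuf *b)
{
    if (b->buf != NULL) {
        memset(b->buf, 0, b->alloc);
        free(b->buf);
    }
    b->buf = NULL;
    b->alloc = b->offset = b->end = 0;
}

/* Walk-through: growth, compaction, a refused oversized append. Returns 1 if
 * every step behaved as intended and earlier data survived the refusal. */
int growbuf_demo(void)
{
    growbuf b;
    int ok;
    if (growbuf_init(&b, 8) != 0)
        return 0;
    ok = growbuf_append(&b, "abcdefghij", 10) == 0 && b.alloc == 16   /* grew */
      && growbuf_consume(&b, 4) == 4 && growbuf_len(&b) == 6
      && growbuf_append(&b, "klmnopqrst", 10) == 0 && b.alloc == 16   /* compacted */
      && memcmp(b.buf, "efghijklmnopqrst", 16) == 0
      && growbuf_append_space(&b, GROWBUF_MAX_LEN + 1) == NULL        /* refused */
      && growbuf_len(&b) == 16;                                       /* intact */
    growbuf_free(&b);
    return ok && b.buf == NULL;
}
```

The design choice worth noting is that every failure path returns before any field of the struct is modified: a caller that gets NULL back still holds a consistent buffer and can tear the connection down in an orderly way, which is the "shut down cleanly" behaviour the patch discussion above is about.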

On most versions of *nix, recent versions of SSH use a process known as privilege separation. This means that the daemon affected by this bug isn't even running as root on those systems, so even if someone did manage to execute arbitrary code, there's still another barrier left before a remote root prompt is available.

Stephen Samuel
Sept 18, 2003