OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1025739
SecurityTracker URL: http://securitytracker.com/id/1025739
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 30 2011
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Exploit Included: Yes
Version(s): 3.5p1

Description:
A vulnerability was reported in OpenSSH. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted username value to trigger a buffer overflow in the pam_thread() function and execute arbitrary code on the target system. The code will run with the privileges of the target service (root privileges on FreeBSD).
FreeBSD is affected.
The vulnerability resides in 'src/crypto/openssh/Attic/auth2-pam-freebsd.c'.
The challenge-response (SSH protocol version 1) and keyboard-interactive via PAM (SSH protocol version 2) authentication methods use the affected code.
The vulnerable file does not exist in FreeBSD releases greater than 5.2.1.
The original advisory is available at:
http://packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt
Kingcope reported this vulnerability.
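
An exposure check built from the details above, as an added example that is not part of the original advisory or of OpenSSH: it reports whether a host's release is in the range the advisory names and whether its sshd configuration enables the authentication methods that use the affected code. The keyword names `ChallengeResponseAuthentication` and `KbdInteractiveAuthentication`, their assumed defaults (check the host's sshd_config(5)), the function names and the sample configuration are assumptions made for this example.

```sh
#!/bin/sh
# Added example: exposure check for the advisory above. Keyword names and
# defaults are assumptions taken from sshd_config(5), not from the advisory.

# effective_value KEYWORD DEFAULT < sshd_config
# sshd keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        {
            sub(/#.*/, ""); sub(/^[ \t]+/, "")      # drop comments, indent
            n = split($0, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == key) { val = tolower(f[2]); exit }
        }
        END { print val }'
}

# release_in_range RELEASE: succeeds when RELEASE (uname -r style) is not
# later than 5.2.1, the last release the advisory says ships the file.
release_in_range() {
    echo "$1" | awk -F'[.-]' '{
        v = $1 * 10000 + $2 * 100 + ($3 ~ /^[0-9]+$/ ? $3 : 0)
        exit !(v <= 50201) }'
}

# pam_exposure RELEASE < sshd_config: prints one verdict line.
pam_exposure() {
    cfg=$(cat)
    cr=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication yes)
    kbd=$(printf '%s\n' "$cfg" | effective_value KbdInteractiveAuthentication no)
    if ! release_in_range "$1"; then
        echo "ok: release $1 is later than 5.2.1"
    elif [ "$cr" = yes ] || [ "$kbd" = yes ]; then
        echo "exposed: challenge-response=$cr kbd-interactive=$kbd"
    else
        echo "not-enabled: auth methods named in the advisory are off"
    fi
}

# Constructed sample configuration (not from a real host).
pam_exposure "4.11-RELEASE" <<'EOF'
# ChallengeResponseAuthentication no
Port 22
challengeresponseauthentication yes
ChallengeResponseAuthentication no
EOF
```

On a real host, run it as `pam_exposure "$(uname -r)" < /etc/ssh/sshd_config`.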

Impact: A remote user can execute arbitrary code on the target system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.openssh.com/
Cause: Boundary error
Underlying OS: UNIX (FreeBSD)
Message History: None.

Source Message Contents

Date: Thu, 30 Jun 2011 20:59:16 +0000
Subject: OpenSSH

http://packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt
OpenSSH 3.5p1 Remote Root Exploit for FreeBSD