Home / vulnerabilitiesPDF  

pragmassh-adv.txt

Posted on 05 January 2008
Source : packetstormsecurity.org Link

 

#######################################################################

Luigi Auriemma

Application: Pragma FortressSSH
http://www.pragmasys.com/FortressSSHServer.asp
Versions: <= 5.0 Build 4 Revision 293
Platforms: Windows
Bug: Denial of Service
Exploitation: remote
Date: 02 Jan 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Pragma FortressSSH is a commercial SSH server for Windows.


#######################################################################

======
2) Bug
======


The server, which starts a sshd.exe process for each incoming
connection, uses the secure *_s functions of msvcrt for working on the
incoming strings.
This method allows the avoiding of buffer-overflow vulnerabilities but
the process terminates and shows a message error if an exception
occurs.

An example is the using of a list of keys longer than 4096 which will
raise the exception in vsprintf_s during the building of the formatted
string, while another example is using a long username.

Although the termination of a single process doesn't affect the others,
the access to the server can be denied through the termination of at
least 75 of these processes, after that the server will be unreachable
(all the current SSH connections established before the last exception
will remain up).

This bad effect will finish gradually when the admin clicks on the
error messages (for example if he closes the first dialogbox a new
connection to the server will be possible) but naturally the attacker
can continue the attack keeping the server ever unreacheable.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pragmassh.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################

 

TOP