Project

General

Profile

Actions

Security #2944

closed

ssh: heap buffer overflow (master)

Added by Victor Julien over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:

76cc03010adfb1441d883c947888ea4ed58fb691

Severity:
Disclosure Date:

Description

### Bugreport SSHParseBanner (app-layer-ssh.c)
There is an integer and as a result a heap buffer overflow at line 99.
## Input
If *input of the function *SSHParseBanner(SshState *state, SshHeader *header, const uint8_t *input, uint32_t
input_len)* only consists only one spezial character **'\n'**, the program runs
into a heap buffer overfow.
## Reason
At **line 76** in the function *SSHParseBanner*, the program search for a “'\r'”.
If not, then match the input with a “'\n'”.
After this point line_len is “0”. And this is the problem.
At line 97, we subtract “-4” from line_len and we get a negativ integer.
Unfortunatly, input_len is an unsigned integer and smaall negativ integers are now very big unsigned integers.
The result is, that the **input_len** is much higher then the given buffer.
The function *BasicSearch* needs the length and will crash by of reading to much memory space
because of the high input_len value.
This results in a heap-buffer-overflow.

Related issues 1 (0 open1 closed)

Copied from Suricata - Security #2883: ssh: heap buffer overflowClosedVictor JulienActions
Actions #1

Updated by Victor Julien over 5 years ago

Actions #2

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Private changed from Yes to No
Actions #3

Updated by Victor Julien about 4 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2019-10053
  • Git IDs updated (diff)
Actions

Also available in: Atom PDF