this post was submitted on 01 Jul 2024
31 points (97.0% liked)

Regression in signal handler.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges.

[–] [email protected] 6 points 4 months ago (1 children)

8.5p1 <= OpenSSH < 9.8p1 is vulnerable

[–] [email protected] -1 points 4 months ago (1 children)

what does that mean? I don't understand multiple signs in the same sentence and what is the significance of having "OpenSSH" in the middle?

[–] [email protected] 3 points 4 months ago (1 children)

You can read them as separate statements with the middle repeated and a logical AND between them:

If (8.5p1 <= your OpenSSH version) AND (your OpenSSH version < 9.8p1) Then you are vulnerable

It’s the same as saying if your OpenSSH version is between these two versions (including 8.5p1, but not 9.8p1), then you are vulnerable

[–] [email protected] -1 points 4 months ago (2 children)

I don't get it... wouldn't everything < 9.8p1 already include <= 8.5p1? So why is it even necessary to mention?

[–] [email protected] 4 points 4 months ago

Because this is a regression and this particular issue was introduced in 8.5p1. So it only affects versions newer than that, up until when it was fixed in 9.8p1.

[–] [email protected] 1 points 4 months ago (1 children)

For an integer, 4 < x < 6, x has to be 5. It's the only value that satisfies all sides of the equation.
You are deriving a set of values for OpenSSH that satisfies all sides of the equation.

I think it's more of a mathematical representation than programming representation (I mean, I don't know of a language that would accept that syntax).
Certainly pseudocode would have quick statements like this.

[–] [email protected] 2 points 4 months ago (1 children)

seems to work fine in C and I can find quite a bit of examples of it being used actually

[–] [email protected] 1 points 4 months ago

Oh, I can't find any examples. What are you searching for?
The closest I can find is an old hlsl offhand comment showing the syntax in isolation, but no example.
https://stackoverflow.com/a/29689866
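
Added example, not part of the thread: the range check `8.5p1 <= OpenSSH < 9.8p1` discussed above, written in Python, which accepts the chained form directly. The function names and the sample banner strings are constructed for illustration.

```python
import re

# Range as stated in the thread: 8.5p1 <= version < 9.8p1.
# Versions are (major, minor, micro, portable), e.g. 8.5p1 -> (8, 5, 0, 1).
FIRST_AFFECTED = (8, 5, 0, 1)
FIRST_FIXED = (9, 8, 0, 1)

# Matches "OpenSSH_9.6p1" and older three-part forms such as "OpenSSH_3.8.1p1".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, micro, portable) from `ssh -V` output or an
    SSH identification string, or None if no OpenSSH version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(banner):
    """True/False for a parsed version, None when the version is unknown
    (unknown must not be treated as 'not affected')."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    # Python chains comparisons: (FIRST_AFFECTED <= v) and (v < FIRST_FIXED).
    # Tuples compare numerically per field, so 10.0p1 sorts after 9.8p1,
    # which a plain string comparison ("10.0p1" < "9.8p1") gets wrong.
    return FIRST_AFFECTED <= v < FIRST_FIXED


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "OpenSSH_8.4p1 Debian-5",
        "OpenSSH_8.5p1",
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "OpenSSH_9.8p1",
        "OpenSSH_10.0p1",
        "SSH-2.0-dropbear_2022.83",
    ]
    for s in samples:
        print(f"{s!r:45} in range: {in_affected_range(s)}")
```

A version inside the range is only a first-pass signal: distributions commonly backport fixes without changing the upstream version string, so confirm against the package changelog or the vendor advisory.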