[antocv]

Linux by default doesnt do randomization features, at least not ArchLinux - the most security aware distro (sarcasm). Ubuntu doesnt do that either.

What do you mean by memory management access control?

As ssh contains or references code to open/read/write sockets, thats what I would do - return oriented programming or whatever its called - to use the functions already defined/within scope and memory, to open a reverse shell.

[pattt]

"This vulnerability is mitigated by the difficulty of pre-loading the heap with a useful callback address and by any platform address-space layout randomisation applied to sshd and the shared libraries it depends upon."

Right. But in order for RoP explotation (say chain some libc function calls) to work you'd still have to manipulate the stack arguments in some fancy way, also it's not really sure how trivial is "pre-loading the heap" since it's a post-authentication stage bug as the advisory mentions. Of course these are just speculation, digging into the source code might change perspective :)

[antocv]

Yes it is quite comforting this is post-authentication, so in most cases no big deal. Just tough luck for shared accounts.

I guess most people dont run sshd as root and capabilities either so that minimizes damage too. Another reason to not run ssh on port 22, no root, no special caps needed.

[Nick_C]

All my servers run sshd as root, including the FreeBSD ones. Is that ok? Or do you mean that sshd drops privileges for the child after forking?

[utnick]

Looks like Ubuntu by default has randomization via ASLR and other protections as well.

https://wiki.ubuntu.com/Security/Features

[Danieru]

We ran into this exact issue in my virus class. The lab machines running Scientific Linux would not randomize the library addresses despite ASLR being on. In contrast Ubuntu not only did the proper layout randomization but also had gcc compile with stack smash protection by default.