Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Jul 2024 10:56:59 +0000
From: Qualys Security Advisory <>
To: Jacob Bachmeyer <>
CC: "" <>
Subject: Re: CVE-2024-6387: RCE in OpenSSH's server, on
 glibc-based Linux systems

Hi Jacob, all,

On Tue, Jul 02, 2024 at 09:01:48PM -0500, Jacob Bachmeyer wrote:
> A thought occurred to me late last night:  this exploit required the use of
> a very long fake user name (~128KB).

A side note, just in case: only our exploit against Ubuntu 6.06.1 uses a
very long user name; our exploits against Debian 3.0r6 and Debian 12.5.0
simply use "nobody" (but it could be any existing user name).

> If there currently really is no limit at all, outrageously long fake
> usernames (limited only by bandwidth and LoginGraceTime?)

There are various already-existing limits along the way, but the first
one is PACKET_MAX_SIZE, which limits the size of a packet (and hence the
strings it contains) to 256KB (and this is pre-authentication, so no
compression tricks are possible, here).

Thank you very much! With best regards,

the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.