Re: sshd exploit

From: Kris Kennaway (kris@obsecurity.org)
Date: 11/29/01


Date: Wed, 28 Nov 2001 23:36:25 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Brett Glass <brett@lariat.org>


On Wed, Nov 28, 2001 at 10:18:29PM -0700, Brett Glass wrote:
> At 10:07 PM 11/28/2001, Mauro Dias wrote:
>
> >I read the message about the sshd exploit.
> >I have a binary copy of this exploit.
> >It exploits ssh versions:
> >ssh-1.2.26
> >ssh-1.2.27
> >OpenSSH-2.2.0p1
>
> I wonder if this is the same exploit mentioned by Dittrich and CERT --
> the CRC32 compensation attack detector overflow in SSH1.

No, this one was fixed way back in 2.3.0, the version after 2.2.0p1
(notice the strange similarity with version numbers above).

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

---
An integer overflow may allow arbitrary remote users to obtain root
permissions on the server running sshd.  This is due to a coding
mistake in code intended to work around a protocol flaw in the SSH1
protocol. This vulnerability was corrected in OpenSSH 2.3.0, which was
committed to FreeBSD 4.2-STABLE on 2000-12-05.
---
> If so, you can probably patch the hole temporarily by disabling 
> version 1 of the protocol. You can then upgrade to eliminate the hole.
> 3.0.1p1 is said to be immune. It's what I've run ever since I first heard 
> about the vulnerability.
I think there's terrible confusion here about the problem; the old
2.2.0 vulnerability was discussed again recently by Dittrich, which
seems to have confused a lot of people into thinking it's a new
vulnerability.  The rumours which are currently rampant of an actual
new exploit have yet to be confirmed, AFAIK.
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
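The advisory quoted above describes the bug only as "an integer overflow" in the SSH1 CRC32 compensation attack detector. The following is an added model of that bug class, written for this archive page; it is not OpenSSH's deattack.c, and the constants (8-byte block size, 8192-byte minimum table, 2-byte entries, the 3/2 growth factor, the 256 KiB SSH1 packet limit) are assumptions taken from the published description of the detector. It shows the one line that matters: the table entry count is computed correctly in 32 bits, then stored into a 16-bit variable, so for a large packet the detector allocates a zero-entry table while its index mask becomes all ones. The out-of-bounds writes that follow in the real code are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed constants, modelled on the SSH1 compensation attack detector. */
#define SSH_BLOCKSIZE    8
#define HASH_MINSIZE     8192
#define HASH_ENTRYSIZE   2
#define HASH_FACTOR(x)   ((x) * 3 / 2)
#define SSH1_MAX_PACKET  262144u   /* assumed largest SSH1 packet */

/* Entry count the detector wants for a packet of `len` bytes: start at the
 * minimum table and grow 4x until it covers 1.5 * (number of 8-byte blocks).
 * This arithmetic is done in 32 bits and is correct. */
static uint32_t wanted_entries(uint32_t len)
{
    uint32_t l;
    for (l = HASH_MINSIZE / HASH_ENTRYSIZE;
         l < HASH_FACTOR(len / SSH_BLOCKSIZE);
         l <<= 2)
        ;
    return l;
}

/* The mistake: the count is kept in a 16-bit variable, so 65536 silently
 * becomes 0. The code then allocates n * HASH_ENTRYSIZE == 0 bytes but still
 * believes it has a table to index. */
uint16_t vulnerable_table_entries(uint32_t len)
{
    uint16_t n = (uint16_t)wanted_entries(len);   /* truncating store */
    return n;
}

/* The fix (what OpenSSH 2.3.0 did): keep the count in 32 bits. */
uint32_t fixed_table_entries(uint32_t len)
{
    return wanted_entries(len);
}

/* Bytes each version hands to the allocator for the table. */
size_t vulnerable_alloc_bytes(uint32_t len)
{
    return (size_t)vulnerable_table_entries(len) * HASH_ENTRYSIZE;
}
size_t fixed_alloc_bytes(uint32_t len)
{
    return (size_t)fixed_table_entries(len) * HASH_ENTRYSIZE;
}

/* The detector masks each 32-bit block hash with (n - 1) to get a slot.
 * With n == 0 the mask is 0xFFFFFFFF: every hash becomes an unbounded index
 * into a zero-byte table. */
uint32_t index_mask(uint32_t n)
{
    return (uint32_t)(n - 1);
}

/* Smallest packet length (in whole blocks) at which the two versions
 * disagree, i.e. the first length the truncation bites. */
uint32_t smallest_truncating_len(void)
{
    uint32_t len;
    for (len = 0; len <= SSH1_MAX_PACKET; len += SSH_BLOCKSIZE)
        if (vulnerable_table_entries(len) != fixed_table_entries(len))
            return len;
    return 0;
}

int main(void)
{
    uint32_t lens[] = { 4096, 65536, 131072, SSH1_MAX_PACKET };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = lens[i];
        printf("len=%7u  vulnerable n=%5u (%6zu bytes, mask 0x%08x)  "
               "fixed n=%5u (%6zu bytes, mask 0x%08x)\n",
               len,
               vulnerable_table_entries(len), vulnerable_alloc_bytes(len),
               index_mask(vulnerable_table_entries(len)),
               fixed_table_entries(len), fixed_alloc_bytes(len),
               index_mask(fixed_table_entries(len)));
    }
    printf("first truncating length: %u bytes\n", smallest_truncating_len());
    return 0;
}
```

Under these assumptions the truncation is reached well below the packet limit (the first bad length is a little over 85 KiB), which is why disabling protocol 1 or upgrading past 2.2.0p1, as the thread says, was the only real mitigation: the detector runs on every SSH1 packet before any authentication.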
