Re: sshd exploit

From: Kris Kennaway (kris@obsecurity.org)
Date: 11/29/01


Date: Wed, 28 Nov 2001 23:39:47 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Brett Glass <brett@lariat.org>


On Wed, Nov 28, 2001 at 11:04:02PM -0700, Brett Glass wrote:
> At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>
> >how long have you known of it? frankly, this is the first i've heard about
> >it, let alone the exploit binary.
>
> I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
> has also had it on its Web page for a while now. To sum it up in a few
> sentences: Old versions of SSH have been hacked through the SSHv1 protocol,
> and the vulnerable code was adopted by OpenSSH, so older versions of that
> are vulnerable too.
>
> My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need
> some of the special integration that's been done in the Ports Collection,
> use the latest version that's there (2.9.something the last time I looked).
> FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
> sure just when they fixed the problem).

Not so much with the Flying Fists of Fud, please Brett. If you'd
actually read the CERT advisory you'd see quite clearly that it was
fixed over a year ago.

Dittrich's analysis also says clearly at the top:

On October 6, 2001, intruders originating from network blocks in the
Netherlands used an exploit for the crc32 compensation attack detector
vulnerability to remotely compromise a Red Hat Linux system on the UW
network running OpenSSH 2.1.1. This vulnerability is described in
CERT Vulnerability note VU#945216:

i.e. old, old, boring, old.

Kris


