Re: OpenSSH Vulns (new?) Priv seperation

From: John Madden (maddenj@skynet.ie)
Date: 06/26/02


Date: Wed, 26 Jun 2002 21:02:02 +0100
From: John Madden <maddenj@skynet.ie>
To: vuln-dev@securityfocus.com

This was posted to Bugtraq earlier today.

http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0

It's the ISS disclosure of the bug. I've read a few more mails about the
privsep issue and there's very mixed feelings about it. I have it
running with compression turned off on a debian server with kernel
2.2.20 since yesterday morning without any trouble. However, I also came
across a mail on the proftpd list (I think) where someone claimed to
have a root exploit already with this enabled.

Basically, enabling privsep in the config limits the danger of the bug,
but doesn't fix it. If exploited successfully, the attacker will get a
shell which is chrooted and only gives sshd account.

-- 
Chat ya later,

John. -- BOFH excuse #51: Cosmic ray particles crashed through the hard disk platter