Date: Tue, 3 Nov 1998 22:36:35 -0500 (EST)
From: spork <spork@super-g.com>
To: Andrew McNaughton <andrew@squiz.co.nz>
Cc: Warner Losh <imp@village.org>, bow <bow@bow.net>, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
Message-ID: <Pine.BSF.4.00.9811032233120.12762-100000@super-g.inch.com>
In-Reply-To: <Pine.BSF.4.01.9811031239510.8161-100000@aniwa.sky>

Sorry to bring this up again, but someone has posted on BugTraq stating
they found a copy of an exploit for sshd (remote root). He claims to have
tried it on his own machines with success. I know this could be entirely
fake, but who really knows...

I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS,
etc. and provide the code to them. I also requested more info about his OS
and version, whether the patches that were supplied protected him, and
which auth methods are allowed in his sshd_config.

Sorry to bring this up again, but I thought perhaps the paranoid might be
interested...

Thanks,

Charles

---
Charles Sprickman
spork@super-g.com

On Tue, 3 Nov 1998, Andrew McNaughton wrote:

> On Mon, 2 Nov 1998, Warner Losh wrote:
>
> > Just so everyone knows, this advisory was only a draft advisory and
> > was cancelled over the weekend. I saw the original advisory and
> > checked stuff in based on it, since generally changes like this are
> > good and can't hurt anything. After I checked in the fixes to ssh, I
> > discovered that it had been determined that there was no way of
> > exploiting this buffer call because all the places that called it had
> > bounds checking.
>
> I had a brief look over the ssh code some months ago. I didn't find
> anything exploitable, but I did find things that made me uncomfortable,
> like the logging routine that uses vsprintf (or something similarly
> lacking in bounds checking) and expected all the places it was checked to
> do the bounds checking.
>
> As far as I looked, they pretty much did, though in one place I noted that
> it was dependent on the length of a domain name returned from a reverse
> lookup.
>
> Andrew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
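
The pattern discussed in the quoted text (a logging routine built on vsprintf that relies on every caller to check lengths, with one caller passing a reverse-lookup hostname) can be contrasted with a logger that enforces its own bound. This is an added example, not code from ssh or from anyone in this thread; the function names, the 256-byte buffer and the stand-in for the reverse lookup are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256  /* assumed size; the thread does not give the real one */

/* Pattern from the thread: no bound here, so every caller must pre-check. */
int log_unbounded(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(out, fmt, ap);  /* writes past out[] if the result is long */
    va_end(ap);
    return n;
}

/* Bounded variant: the logger enforces the limit itself.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on format error. */
int log_bounded(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

/* Constructed stand-in for a reverse lookup whose result length the
 * remote side controls; logs one line and returns log_bounded's result. */
int log_connection(size_t hostlen, char *out, size_t outlen)
{
    char host[1100];
    if (hostlen >= sizeof host)
        hostlen = sizeof host - 1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    return log_bounded(out, outlen, "Connection from %s port %d", host, 22);
}

int main(void)
{
    char buf[LOG_BUF];
    log_unbounded(buf, "pid %d started", 1234);  /* safe only because it is short */
    printf("short name: %d\n", log_connection(20, buf, sizeof buf));
    printf("1024-char name: %d\n", log_connection(1024, buf, sizeof buf));
    return 0;
}
```

With the bound inside the logger, an oversized hostname yields a truncated log line and a nonzero return the caller can act on, rather than depending on each call site to have checked the length first.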