From owner-freebsd-security Tue Nov 3 19:41:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA07283 for freebsd-security-outgoing; Tue, 3 Nov 1998 19:41:51 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA07278 for ; Tue, 3 Nov 1998 19:41:48 -0800 (PST) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id WAA12772; Tue, 3 Nov 1998 22:36:35 -0500 (EST)
Date: Tue, 3 Nov 1998 22:36:35 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Andrew McNaughton
cc: Warner Losh, bow, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry to bring this up again, but someone has posted on BugTraq stating
they found a copy of an exploit for sshd (remote root). He claims to have
tried it on his own machines with success. I know this could be entirely
fake, but who really knows...

I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS,
etc. and provide the code to them. I also requested more info about his OS
and version, whether the patches that were supplied protected him, and
which auth methods are allowed in his sshd_config.

Sorry to bring this up again, but I thought perhaps the paranoid might be
interested...

Thanks,

Charles

---
Charles Sprickman
spork@super-g.com

On Tue, 3 Nov 1998, Andrew McNaughton wrote:

> On Mon, 2 Nov 1998, Warner Losh wrote:
>
> > Just so everyone knows, this advisory was only a draft advisory and
> > was cancelled over the weekend. I saw the original advisory and
> > checked stuff in based on it, since generally changes like this are
> > good and can't hurt anything. After I checked in the fixes to ssh, I
> > discovered that it had been determined that there was no way of
> > exploiting this buffer call because all the places that called it had
> > bounds checking.
>
> I had a brief look over the ssh code some months ago. I didn't find
> anything exploitable, but I did find things that made me uncomfortable,
> like the logging routine that uses vsprintf (or something similarly
> lacking in bounds checking) and expected all the places it was called to
> do the bounds checking.
>
> As far as I looked, they pretty much did, though in one place I noted that
> it was dependent on the length of a domain name returned from a reverse
> lookup.
>
> Andrew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
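The pattern Andrew describes above, a logger that formats into a fixed buffer with vsprintf and relies on every caller to bound its arguments, is illustrated below in a constructed example that is not ssh's code and not part of the thread. It contrasts the caller-checked discipline with a sink that bounds itself via vsnprintf; the buffer sizes, the hostname limit and the 200-character sample "hostname" are all assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF  64   /* assumed fixed-size log line buffer */
#define MAX_HOST 32   /* assumed caller-side limit on a hostname */

/* Pattern 1: the sink has no bound of its own (vsprintf), so every
 * caller must enforce a length limit before calling it. */
static void log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);            /* trusts its callers completely */
    va_end(ap);
}

/* A disciplined caller: 16 bytes of fixed text + (MAX_HOST-1) + NUL
 * fits in LOG_BUF only because this check runs first. Any caller that
 * forgets it (e.g. one fed a long reverse-DNS name) overruns buf.
 * Returns 0 on success, -1 if the precondition fails. */
static int log_host_checked(char *buf, const char *host)
{
    if (strlen(host) >= MAX_HOST)      /* the caller-side bounds check */
        return -1;
    log_unbounded(buf, "connection from %s", host);
    return 0;
}

/* Pattern 2: the sink bounds itself with vsnprintf; a caller that
 * forgets to check gets a truncated, NUL-terminated line instead of an
 * overflow. Returns 1 if the message was truncated, 0 otherwise. */
static int log_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n >= (int)buflen;
}

static int log_host_bounded(char *buf, size_t buflen, const char *host)
{
    return log_bounded(buf, buflen, "connection from %s", host);
}

/* Constructed sample input: a 200-character "hostname" (not a real name). */
static char long_host[201];
static void init_samples(void) { memset(long_host, 'a', 200); long_host[200] = '\0'; }
```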