Date: Wed, 4 Nov 1998 10:31:54 -0500 (EST)
From: Barrett Richardson <brich@aye.net>
To: spork <spork@super-g.com>
Cc: Andrew McNaughton <andrew@squiz.co.nz>, Warner Losh <imp@village.org>, bow <bow@bow.net>, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
Message-ID: <Pine.BSF.3.96.981104093724.8513B-100000@phoenix.aye.net>
In-Reply-To: <Pine.BSF.4.00.9811032233120.12762-100000@super-g.inch.com>

I also contacted him and urged him to release the code to the
appropriate authorities, maybe he'll give in.

I recently got the stackguard compiler
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
up and going on my 2.2.7 box. I had high hopes that some definitive
info of the SSH exploit would surface so I could test it against
something real.

-

Barrett

On Tue, 3 Nov 1998, spork wrote:

> Sorry to bring this up again, but someone has posted on BugTraq stating
> they found a copy of an exploit for sshd (remote root). He claims to have
> tried it on his own machines with success.
>
> I know this could be entirely fake, but who really knows...
>
> I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS,
> etc. and provide the code to them. I also requested more info about his
> OS and version, whether the patches that were supplied protected him, and
> which auth methods are allowed in his sshd_config.
>
> Sorry to bring this up again, but I thought perhaps the paranoid might be
> interested...
>
> Thanks,
>
> Charles
>
> ---
> Charles Sprickman
> spork@super-g.com
>
> On Tue, 3 Nov 1998, Andrew McNaughton wrote:
>
> > On Mon, 2 Nov 1998, Warner Losh wrote:
> >
> > > Just so everyone knows, this advisory was only a draft advisory and
> > > was cancelled over the weekend. I saw the original advisory and
> > > checked stuff in based on it, since generally changes like this are
> > > good and can't hurt anything. After I checked in the fixes to ssh, I
> > > discovered that it had been determined that there was no way of
> > > exploiting this buffer call because all the places that called it had
> > > bounds checking.
> >
> > I had a brief look over the ssh code some months ago. I didn't find
> > anything exploitable, but I did find things that made me uncomfortable,
> > like the logging routine that uses vsprintf (or something similarly
> > lacking in bounds checking) and expected all the places it was checked to
> > do the bounds checking.
> >
> > As far as I looked, they pretty much did, though in one place I noted that
> > it was dependent on the length of a domain name returned from a reverse
> > lookup.
> >
> > Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
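
Added example, not part of the original thread or of the ssh source: the pattern Andrew McNaughton describes in the quoted text (a logging routine built on vsprintf that relies on every caller to bound its arguments) next to a variant that enforces the bound itself with vsnprintf and reports truncation. The function names, the buffer size and the over-long peer name are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64  /* constructed size, small so the sample name exceeds it */

/* Pattern from the thread: vsprintf() cannot know how large buf is, so
 * safety depends on every call site bounding its arguments first.
 * Kept for contrast only; nothing below calls it. */
void log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* Bound enforced in the routine itself.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int log_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (buf == NULL || size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= size ? 1 : 0;
}

/* Constructed stand-in for an over-long name from a reverse lookup. */
int log_long_peer_name(char *out, size_t outsize)
{
    char host[256];
    memset(host, 'a', sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';
    return log_bounded(out, outsize, "Connection from %s", host);
}

int main(void)
{
    char buf[LOG_BUF];
    int rc = log_long_peer_name(buf, sizeof(buf));
    printf("rc=%d len=%zu\n", rc, strlen(buf));
    return 0;
}
```

With the bound inside the routine, a call site that forgets its own length check produces a truncated log line instead of a write past the end of the buffer.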