From owner-freebsd-security Wed Nov 4 07:40:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA12455 for freebsd-security-outgoing; Wed, 4 Nov 1998 07:40:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA12445 for ; Wed, 4 Nov 1998 07:40:07 -0800 (PST) (envelope-from brich@aye.net)
Received: (qmail 25203 invoked by uid 7506); 4 Nov 1998 15:31:54 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Nov 1998 15:31:54 -0000
Date: Wed, 4 Nov 1998 10:31:54 -0500 (EST)
From: Barrett Richardson
To: spork
cc: Andrew McNaughton, Warner Losh, bow, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I also contacted him and urged him to release the code to the appropriate
authorities; maybe he'll give in.

I recently got the StackGuard compiler
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ up and going on
my 2.2.7 box. I had high hopes that some definitive info on the SSH
exploit would surface so I could test it against something real.

- Barrett

On Tue, 3 Nov 1998, spork wrote:

> Sorry to bring this up again, but someone has posted on BugTraq stating
> they found a copy of an exploit for sshd (remote root). He claims to have
> tried it on his own machines with success.
>
> I know this could be entirely fake, but who really knows...
>
> I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS,
> etc. and provide the code to them. I also requested more info about his
> OS and version, whether the patches that were supplied protected him, and
> which auth methods are allowed in his sshd_config.
>
> Sorry to bring this up again, but I thought perhaps the paranoid might be
> interested...
>
> Thanks,
>
> Charles
>
> ---
> Charles Sprickman
> spork@super-g.com
>
> On Tue, 3 Nov 1998, Andrew McNaughton wrote:
>
> > On Mon, 2 Nov 1998, Warner Losh wrote:
> >
> > > Just so everyone knows, this advisory was only a draft advisory and
> > > was cancelled over the weekend. I saw the original advisory and
> > > checked stuff in based on it, since generally changes like this are
> > > good and can't hurt anything. After I checked in the fixes to ssh, I
> > > discovered that it had been determined that there was no way of
> > > exploiting this buffer call because all the places that called it had
> > > bounds checking.
> >
> > I had a brief look over the ssh code some months ago. I didn't find
> > anything exploitable, but I did find things that made me uncomfortable,
> > like the logging routine that uses vsprintf (or something similarly
> > lacking in bounds checking) and expected all the places it was checked to
> > do the bounds checking.
> >
> > As far as I looked, they pretty much did, though in one place I noted that
> > it was dependent on the length of a domain name returned from a reverse
> > lookup.
> >
> > Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
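Andrew's remark above describes the classic shape of the problem: a logging routine that writes with vsprintf into a fixed buffer and trusts every caller to have bounded its input, with one caller passing a hostname that came back from a reverse lookup. The following is an added example, not code from ssh or from anyone in this thread, of how a defender closes that gap: the routine bounds its own write with vsnprintf and reports truncation, and a separate check rejects an overlong resolver result before it reaches any format string. The buffer size, the `log_msg` and `hostname_len_ok` names, and the sample inputs are all constructed for this illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 128   /* constructed fixed-size log line */
#define MAX_HOST_LEN 255   /* DNS name length limit from RFC 1035 */

/* Hardened logging routine: vsnprintf bounds the write to out_size, so
 * no caller has to guarantee the length of what it passes in.
 * Returns true if the whole message fit, false if it was truncated. */
static bool log_msg(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);

    if (n < 0) {           /* encoding error: emit an empty line */
        out[0] = '\0';
        return false;
    }
    return (size_t)n < out_size;
}

/* Check a name obtained from a reverse lookup before using it: a NUL
 * must appear within MAX_HOST_LEN + 1 bytes, otherwise the resolver
 * handed back something no valid DNS name could be. */
static bool hostname_len_ok(const char *host)
{
    return memchr(host, '\0', MAX_HOST_LEN + 1) != NULL;
}

/* Constructed sample: a short, legitimate hostname fits unchanged. */
static bool demo_short_host(void)
{
    char line[LOG_BUF_SIZE];
    return log_msg(line, sizeof line, "connection from %s", "host.example")
        && strcmp(line, "connection from host.example") == 0;
}

/* Constructed sample: a 599-byte "hostname". The line is truncated to
 * LOG_BUF_SIZE - 1 characters instead of overrunning the buffer, and
 * the length check rejects the name outright. Returns the line length. */
static size_t demo_overlong_host(bool *rejected)
{
    char line[LOG_BUF_SIZE], host[600];
    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    *rejected = !hostname_len_ok(host);
    return log_msg(line, sizeof line, "connection from %s", host) ? 0 : strlen(line);
}
```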