Date: Mon, 06 Jan 2003 16:39:29 -0500
To: Darren Pilgrim
From: Mike Tancsa
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Cc: freebsd-security@freebsd.org

Yes, it does look a bit odd. There was another posting on bugtraq that says,

-----------------begin quote
As some may have gathered, the advisory recently posted by mmhs@hushmail.com was indeed a fake, intended to highlight several unclear statements made in GIS2002062801.
The advisory in question is currently being updated with more detailed information and will be re-posted at:

http://www.globalintersec.com/adv/openssh-2002062801.txt

as soon as it becomes available.

Note that the kbd-init flaw described in GIS2002062801 was proven to be exploitable in our lab although not all evidence to demonstrate this was provided in the original advisory. A mistake was made in the original advisory draft, where chunk content data was shown, rather than the entire corrupted malloc chunk. This will be amended in the revision.

Also note that to our knowledge there are currently no known, exploitable flaws in OpenSSH 3.5p1, due to its use of PAM as suggested by mmhs@hushmail.com. It is almost certain that the posted bogus advisory was also intended to cause alarm amongst communities using OpenSSH, through misinformation.

Global InterSec LLC.
------------------------------end quote--------------

At 01:27 PM 06/01/2003 -0800, Darren Pilgrim wrote:
>Mike Tancsa wrote:
>>FYI, for those not on bugtraq.
>
>The "advisory" is suspect.
>
>1) The language used in the non-technical parts of the message is immature, detracting from the credibility of the author.
>
>2) Most ssh clients send your logged-in username by default if you don't specify one using the form "user@" on the command line. My PAM-disabled versions of OpenSSH do this. For a group that supposedly spent six months researching OpenSSH, you'd think they'd have noticed.
>
>>>Date: Sat, 4 Jan 2003 19:37:03 -0800
>>>To: bugtraq@securityfocus.com
>>>Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
>>>From: mmhs@hushmail.com