Date: Wed, 28 Nov 2001 23:36:25 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Brett Glass <brett@lariat.org>
Cc: Mauro Dias <localhost@dsgx.org>, security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011128233625.B53604@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011128221259.04665720@localhost>; from brett@lariat.org on Wed, Nov 28, 2001 at 10:18:29PM -0700
References: <009501c17893$b99415a0$0200a8c0@mdrjr.net> <4.3.2.7.2.20011128221259.04665720@localhost>

On Wed, Nov 28, 2001 at 10:18:29PM -0700, Brett Glass wrote:
> At 10:07 PM 11/28/2001, Mauro Dias wrote:
>
> >I read the message about the sshd exploit.
> >I have a binary copy of this exploit.
> >It exploits ssh versions:
> >ssh-1.2.26
> >ssh-1.2.27
> >OpenSSH-2.2.0p1
>
> I wonder if this is the same exploit mentioned by Dittrich and CERT --
> the CRC32 compensation attack detector overflow in SSH1.

No, this one was fixed way back in 2.3.0, the version after 2.2.0p1 (notice the strange similarity with version numbers above).

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

---
An integer overflow may allow arbitrary remote users to obtain root permissions on the server running sshd. This is due to a coding mistake in code intended to work around a protocol flaw in the SSH1 protocol.

This vulnerability was corrected in OpenSSH 2.3.0, which was committed to FreeBSD 4.2-STABLE on 2000-12-05.
---

> If so, you can probably patch the hole temporarily by disabling
> version 1 of the protocol. You can then upgrade to eliminate the hole.
> 3.0.1p1 is said to be immune. It's what I've run ever since I first heard
> about the vulnerability.

I think there's terrible confusion here about the problem; the old 2.2.0 vulnerability was discussed again recently by Dittrich, which seems to have confused a lot of people into thinking it's a new vulnerability. The rumours which are currently rampant of an actual new exploit have yet to be confirmed, AFAIK.

Kris
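The confusion in this thread is a version-comparison problem: 2.2.0p1 sits just before the 2.3.0 fix named in FreeBSD-SA-01:24, and a server that still offers protocol 1 is the one Brett's interim workaround addresses. The following is an added example, not code from the thread or from OpenSSH, that parses the standard SSH identification string (`SSH-protoversion-softwareversion`) and classifies a server as affected or fixed against the advisory's fix level. The affected ssh.com versions are taken from Mauro's list as quoted above (assumed accurate for the example); the sample banners are constructed.

```python
"""Classify an SSH server identification banner against the fix level named in
the thread (OpenSSH 2.3.0 per FreeBSD-SA-01:24).  Added example; not code from
the mailing list or from OpenSSH.  Sample banners below are constructed.
"""
import re

# OpenSSH < 2.3.0 is what the advisory quoted in the message covers.  The two
# ssh.com 1.2.x versions are the ones listed in Mauro's post (assumption: that
# list is accurate; the advisory itself only speaks of OpenSSH).
FIXED_OPENSSH = (2, 3, 0)
AFFECTED_SSH1_COM = {"1.2.26", "1.2.27"}

# Identification string: SSH-protoversion-softwareversion [comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(
    r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?P<suffix>p\d+)?$"
)


def parse_banner(banner: str) -> dict:
    """Split an SSH identification line into protocol, software and comments."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return m.groupdict()


def openssh_version(software: str):
    """Return (major, minor, patch) for an OpenSSH software string, else None.

    The portable-release suffix (p1, p2, ...) is ignored for the comparison:
    2.2.0p1 is still the 2.2.0 code base, which is exactly the point Kris makes.
    """
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))


def classify(banner: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one server banner."""
    software = parse_banner(banner)["software"]
    ver = openssh_version(software)
    if ver is not None:
        return "affected" if ver < FIXED_OPENSSH else "fixed"
    # ssh.com 1.x servers announce the bare version, e.g. "SSH-1.5-1.2.27".
    if software in AFFECTED_SSH1_COM:
        return "affected"
    return "unknown"


def offers_protocol_1(banner: str) -> bool:
    """True if the server still offers SSH protocol 1.

    '1.5' is protocol-1 only, '1.99' means both versions are offered; a server
    answering '2.0' has protocol 1 disabled, which is Brett's interim mitigation.
    """
    return parse_banner(banner)["proto"] in ("1.5", "1.99")


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.3.0",
    "SSH-2.0-OpenSSH_3.0.1p1",
    "SSH-1.5-1.2.27",
    "SSH-2.0-SomeOtherServer_1.0",
]


def report(banners=SAMPLE_BANNERS):
    """Map each banner to (classification, offers protocol 1)."""
    return {b: (classify(b), offers_protocol_1(b)) for b in banners}


if __name__ == "__main__":
    for banner, (status, proto1) in report().items():
        print(f"{banner:32} {status:9} protocol1={'yes' if proto1 else 'no'}")
```

Run against banners collected from your own inventory, the two columns answer the two questions the thread conflates: whether the code base predates the 2.3.0 fix, and whether protocol 1 is still exposed at all.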