From owner-freebsd-security Wed Nov 28 23:36:29 2001
Date: Wed, 28 Nov 2001 23:36:25 -0800
From: Kris Kennaway
To: Brett Glass
Cc: Mauro Dias, security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011128233625.B53604@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011128221259.04665720@localhost>; from brett@lariat.org on Wed, Nov 28, 2001 at 10:18:29PM -0700

On Wed, Nov 28, 2001 at 10:18:29PM -0700, Brett Glass wrote:
> At 10:07 PM 11/28/2001, Mauro Dias wrote:
>
> >I read the message about the sshd exploit.
> >I have a binary copy of this exploit.
> >It exploits ssh versions:
> >ssh-1.2.26
> >ssh-1.2.27
> >OpenSSH-2.2.0p1
>
> I wonder if this is the same exploit mentioned by Dittrich and CERT --
> the CRC32 compensation attack detector overflow in SSH1.

No, this one was fixed way back in 2.3.0, the version after 2.2.0p1 (notice the strange similarity with version numbers above).

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

---
An integer overflow may allow arbitrary remote users to obtain root permissions on the server running sshd. This is due to a coding mistake in code intended to work around a protocol flaw in the SSH1 protocol.

This vulnerability was corrected in OpenSSH 2.3.0, which was committed to FreeBSD 4.2-STABLE on 2000-12-05.
---

> If so, you can probably patch the hole temporarily by disabling
> version 1 of the protocol. You can then upgrade to eliminate the hole.
> 3.0.1p1 is said to be immune. It's what I've run ever since I first heard
> about the vulnerability.

I think there's terrible confusion here about the problem; the old 2.2.0 vulnerability was discussed again recently by Dittrich, which seems to have confused a lot of people into thinking it's a new vulnerability. The rumours which are currently rampant of an actual new exploit have yet to be confirmed, AFAIK.

Kris
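Added example, not part of the thread: a Python check that classifies an SSH server identification string against the facts stated above (the flaw is in SSH1 code, OpenSSH fixed it in 2.3.0, Mauro's list names ssh-1.2.26, ssh-1.2.27 and OpenSSH-2.2.0p1, and Brett's temporary workaround is disabling protocol 1). The banner layouts and the sample strings are constructed for the example; the assumption that classic ssh 1.2.x announces a bare version number is marked in the code.

```python
import re

# Versions the thread names. OpenSSH fixed the CRC32 compensation attack
# detector overflow in 2.3.0 (FreeBSD-SA-01:24); Mauro lists ssh-1.2.26,
# ssh-1.2.27 and OpenSSH-2.2.0p1 as the exploit's targets. The bug lives in
# SSH1 protocol code, so a server offering only protocol 2 is not exposed.
OPENSSH_FIXED = (2, 3, 0)
AFFECTED_CLASSIC_SSH = {(1, 2, 26), (1, 2, 27)}

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>\S+)")


def parse_version(text):
    """'2.2.0p1' -> (2, 2, 0); '1.2.27' -> (1, 2, 27); None if no number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def assess_banner(banner):
    """Return (software, version, offers_ssh1, verdict), or None if not a banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    proto, sw = m.group("proto"), m.group("sw")
    # "1.99" advertises SSH1 and SSH2; "1.5" is SSH1 only; "2.0" is SSH2 only.
    offers_ssh1 = proto.startswith("1.")
    if sw.startswith("OpenSSH"):
        software, version = "OpenSSH", parse_version(sw.partition("_")[2])
        vulnerable_build = version is not None and version < OPENSSH_FIXED
    else:
        # Assumption: classic ssh 1.x announces a bare version, e.g. "SSH-1.5-1.2.27".
        software, version = "ssh", parse_version(sw)
        vulnerable_build = version in AFFECTED_CLASSIC_SSH
    if not vulnerable_build:
        verdict = "not affected"
    elif offers_ssh1:
        verdict = "affected: SSH1 enabled on a vulnerable build, upgrade"
    else:
        verdict = "vulnerable build, SSH1 disabled: temporary workaround only"
    return software, version, offers_ssh1, verdict


# Constructed sample banners, one per case the thread discusses.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.2.0p1",  # Mauro's target, SSH1 still enabled
    "SSH-2.0-OpenSSH_2.2.0p1",   # same build after disabling protocol 1
    "SSH-1.5-1.2.27",            # classic ssh 1.2.27
    "SSH-1.99-OpenSSH_3.0.1p1",  # the version Brett reports as immune
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", assess_banner(b)[3])
```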