Date:      Wed, 28 Nov 2001 23:39:47 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Brett Glass <brett@lariat.org>
Cc:        "f.johan.beisser" <jan@caustic.org>, Mauro Dias <localhost@dsgx.org>, security@FreeBSD.ORG
Subject:   Re: sshd exploit
Message-ID:  <20011128233947.C53604@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011128225341.04672880@localhost>; from brett@lariat.org on Wed, Nov 28, 2001 at 11:04:02PM -0700
References:  <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost>

On Wed, Nov 28, 2001 at 11:04:02PM -0700, Brett Glass wrote:
> At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>
> >how long have you known of it? frankly, this is the first i've heard about
> >it, let alone the exploit binary.
>
> I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
> has also had it on its Web page for a while now. To sum it up in a few
> sentences: Old versions of SSH have been hacked through the SSHv1 protocol,
> and the vulnerable code was adopted by OpenSSH, so older versions of that
> are vulnerable too.
>
> My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need
> some of the special integration that's been done in the Ports Collection,
> use the latest version that's there (2.9.something the last time I looked).
> FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
> sure just when they fixed the problem).

Not so much with the Flying Fists of Fud, please Brett.  If you'd
actually read the CERT advisory you'd see quite clearly that it was
fixed over a year ago.

Dittrich's analysis also says clearly at the top:

On October 6, 2001, intruders originating from network blocks in the
Netherlands used an exploit for the crc32 compensation attack detector
vulnerability to remotely compromise a Red Hat Linux system on the UW
network running OpenSSH 2.1.1.  This vulnerability is described in
CERT Vulnerability note VU#945216:

i.e. old, old, boring, old.

Kris
