From owner-freebsd-security Thu Nov 29 11:34:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 64A1137B419 for ; Thu, 29 Nov 2001 11:34:47 -0800 (PST) Received: by gw.nectar.com (Postfix, from userid 1001) id 8DEC62F; Thu, 29 Nov 2001 13:34:46 -0600 (CST) Date: Thu, 29 Nov 2001 13:34:46 -0600 From: "Jacques A. Vidrine" To: Brett Glass Cc: Kris Kennaway , "f.johan.beisser" , Mauro Dias , security@FreeBSD.ORG Subject: Re: sshd exploit Message-ID: <20011129133446.A23161@hellblazer.nectar.com> References: <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 11:46:50AM -0700 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote: > As Security Officer, have you run the exploit against 4.4-RELEASE to > see how it behaves and if 4.4-RELEASE is immune? As a member of the FreeBSD Security Officer team, I have worked with both the TESO and x2 exploits. Neither work against any version of OpenSSH later than 2.2.0, which includes 4.4-RELEASE. Both programs attack the CRC detector. This doesn't prove that there is not yet another exploit program that does, but so far we have only rumours. > This is important, since > without a disassembly we do not know whether the exploit attacks this > vulnerability or a different (possibly related?) one. Who says we don't have a disassembly? Anyway, one doesn't need one to determine what the exploit does when run, or how it affects arbitrary versions of OpenSSH. > We also do not know > if the claimed fix was fully effective against all possible exploits. We can never know that about this fix or any other, of course. -- Jacques A. Vidrine http://www.nectar.com/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message