Date:      Tue, 3 Nov 1998 22:36:35 -0500 (EST)
From:      spork <spork@super-g.com>
To:        Andrew McNaughton <andrew@squiz.co.nz>
Cc:        Warner Losh <imp@village.org>, bow <bow@bow.net>, FreeBSD-security@FreeBSD.ORG
Subject:   Re: [rootshell] Security Bulletin #25 (fwd) 
Message-ID:  <Pine.BSF.4.00.9811032233120.12762-100000@super-g.inch.com>
In-Reply-To: <Pine.BSF.4.01.9811031239510.8161-100000@aniwa.sky>

Sorry to bring this up again, but someone has posted on BugTraq stating
they found a copy of an exploit for sshd (remote root).  He claims to have
tried it on his own machines with success.

I know this could be entirely fake, but who really knows...

I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS,
etc. and provide the code to them.  I also requested more info about his
OS and version, whether the patches that were supplied protected him, and
which auth methods are allowed in his sshd_config.

Sorry to bring this up again, but I thought perhaps the paranoid might be
interested...

Thanks,

Charles

---
Charles Sprickman
spork@super-g.com

On Tue, 3 Nov 1998, Andrew McNaughton wrote:

> On Mon, 2 Nov 1998, Warner Losh wrote:
> 
> > Just so everyone knows, this advisory was only a draft advisory and
> > was cancelled over the weekend.  I saw the original advisory and
> > checked stuff in based on it, since generally changes like this are
> > good and can't hurt anything.  After I checked in the fixes to ssh, I
> > discovered that it had been determined that there was no way of
> > exploiting this buffer call because all the places that called it had
> > bounds checking.
> 
> I had a brief look over the ssh code some months ago.  I didn't find
> anything exploitable, but I did find things that made me uncomfortable,
> like the logging routine that uses vsprintf (or something similarly
> lacking in bounds checking) and expected all the places it was checked to
> do the bounds checking.  
> 
> As far as I looked, they pretty much did, though in one place I noted that
> it was dependent on the length of a domain name returned from a reverse
> lookup.
> 
> Andrew
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

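An added example, not code from this thread or from ssh itself, showing the logging pattern Andrew describes in the quoted message: a formatter that bounds its own write with vsnprintf instead of relying on every caller to pre-check lengths, exercised with the reverse-lookup case where the hostname length is outside the program's control. The names format_log and log_connection, the 64-byte buffer and the hostnames are assumptions made up for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened log formatter (assumed name, not ssh's own).
 * The unsafe pattern discussed in the thread is the same routine built on
 * vsprintf(out, fmt, ap): it writes as many bytes as the arguments demand,
 * so safety depends on every caller having bounded every argument first.
 * vsnprintf bounds the write here, once, regardless of the caller.
 * Returns 1 if the whole message fit, 0 if it was truncated. */
static int format_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);   /* always NUL-terminates */
    va_end(ap);
    if (n < 0) {            /* encoding error: leave a safe empty string */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n < outlen;
}

/* Models the case Andrew points at: a name returned by a reverse DNS
 * lookup, whose length the daemon does not control, goes into a log line. */
int log_connection(const char *hostname, char *out, size_t outlen)
{
    return format_log(out, outlen, "Connection from %s", hostname);
}

int main(void)
{
    char line[64];   /* deliberately small so truncation is visible */
    /* constructed hostname, longer than the buffer */
    int fit = log_connection(
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.test",
        line, sizeof line);
    printf("%s [%s]\n", line, fit ? "fit" : "truncated");
    return 0;
}
```

A caller can act on the 0 return (log the truncation, or allocate a larger buffer) instead of silently losing the tail, which is the behaviour the vsprintf version cannot offer because by then the overflow has already happened.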