FYI, upgrade/patch now if you haven't already.

Cheers,
Marty

> -----Original Message-----
> From: InfoSec News [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, February 21, 2001 8:34 PM
> To: [EMAIL PROTECTED]
> Subject: [ISN] SSH remote root exploit was released
>
> ---------- Forwarded message ----------
> Date: Tue, 20 Feb 2001 11:48:39 -0800 (PST)
> From: Tom Perrine <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
>     [EMAIL PROTECTED], Pat Wilson <[EMAIL PROTECTED]>,
>     Brian Kantor <[EMAIL PROTECTED]>
> Subject: SSH remote root exploit was released
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> A claimed exploit for the long-rumored SSHD remote root exploit was
> released on BUGTRAQ about an hour ago. This is the bug in deattack.c
> that allowed a 16-bit numeric overflow :-) (Nobody could do anything
> with 16 bits, could they? :-( )
>
> There is followup discussion that seems to indicate that this is a real
> exploit.
>
> This was originally reported through various channels about 6-7 Feb,
> and showed up on BUGTRAQ 8 Feb.
>
> There is a claim that Earthlink was "seriously compromised", possibly
> via this exploit. See http://www.cotse.com/2152001.html for details
> (This was reported on ISN this morning.)
> > Try this URL for the BUGTRAQ summary: > http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2347 > > BUGTRAQ claims that all these are vulnerable: > > OpenSSH OpenSSH 2.2 > OpenSSH OpenSSH 2.1.1 > OpenSSH OpenSSH 2.1 > OpenSSH OpenSSH 1.2.3 > OpenSSH OpenSSH 1.2.2 > SSH Communications SSH 1.2.31 > SSH Communications SSH 1.2.30 > SSH Communications SSH 1.2.29 > SSH Communications SSH 1.2.28 > SSH Communications SSH 1.2.27 > SSH Communications SSH 1.2.26 > SSH Communications SSH 1.2.25 > SSH Communications SSH 1.2.24 > > For SSH-1.2.27, the patch is in deattack.c: > > *** deattack.c.orig Wed Feb 14 15:59:25 2001 > - --- deattack.c Wed Feb 14 15:59:45 2001 > *************** > *** 79,85 **** > detect_attack(unsigned char *buf, word32 len, unsigned char *IV) > { > static word16 *h = (word16 *) NULL; > ! static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE; > register word32 i, j; > word32 l; > register unsigned char *c; > - --- 79,85 ---- > detect_attack(unsigned char *buf, word32 len, unsigned char *IV) > { > static word16 *h = (word16 *) NULL; > ! static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE; > register word32 i, j; > word32 l; > register unsigned char *c; > > Your mileage may vary. For repairs/workarounds other versions of SSH, > check the BUGTRAQ notice. > > "Patch early, patch often." > > - --tep > > - -- > Tom E. Perrine ([EMAIL PROTECTED]) | San Diego Supercomputer Center > http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000 > "Libertarianism is what your mom taught you: 'Behave yourself > and don't hit your sister."' - Kenneth Bisson of Angola, Ind. 
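Review bot: the declarations in detect_attack() (deattack.c lines 79-85) widen only `n` to word32, while `h` is still `static word16 *h` and nothing in the hunk bounds `len`, which is a word32. If the table size or the values written through `h` are derived from `len`, a large enough input can still produce a value that does not fit in 16 bits. I would add an explicit upper limit on `len` at the top of the function that rejects oversized input, and a short comment on `n` saying why it must not be a 16-bit type, so a later cleanup does not narrow it again.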
>
> -------------------------------------------------------------------
> The above message comes from the sdriw-announcements mailing list.
> -------------------------------------------------------------------
>
> ISN is hosted by SecurityFocus.com

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
