OpenBSD Journal

y OpenSSH Exploit

Contributed by jose on from the cvs-up-&&-make-build dept.

Similar to their Apache exploit , the Gobbles group have released a proof of concept exploit for OpenSSH . This one targets the challenge-response vulnerability in OpenSSH prior to 3.4.

If you haven't upgraded, now's probably when you should schedule some time to do this right away.

(Comments are closed)

  1. By RC () on

    Why upgrade? Disable S/Key (ChallengeResponse) and you're perfectly safe.

    If you ask me, S/Key auth shouldn't have been enabled in OpenBSD by default. Remember all that stuff on the OpenBSD web page that say's they shut off unnecessary services? Wouldn't it be nice if it were true?



    1. By lt () on

      Yes it would be nice if it were true. I'm pretty disappointed that OpenBSD enables S/Key, RPC and talkd by default actually.

      1. By skull () on

        s/key rocks

        1. By RC () on

          You're right, S/Key is very nice, but most people NEVER use it. While it may be nice for those of us who use untrusted systems, most people that use OpenSSH don't use S/Key with it. For those few who need it, enable it. Isn't that the whole idea behind OpenBSD?

      2. By Miod Vallat () on

        I wonder where you found out that RPC and talkd were enabled by default. It was supposed to be hidden backdoors!

    2. By Not Really Anonymous () on

      The problem is, the vulnerability still exists and should be patched. The fix to a vulnerability shouldn't be, "just turn off the service".

      I would rather use the provided patch instead of hoping that the S/Key auth is never enabled again for some mystical magical reason.

  2. By Anonymous Coward () on

    Is it just me or does GOBBLES really have it in for Theo.

    Guess that means Theo's doing something right :).

    1. By skull () on

      OpenBSD != Theo, and if anything maybe this will give OpenBSD a little more publicity. And it will most likely demonstrate what is assumed: obsd users are more security conscious and on top of patches and security notices than other users.

      If anything we should thank "GOBBLES" for keeping the OPENBSD /development team/ and /community/ on their collective toes.

      "If GOBBLES didn't exist, it would be necessary to invent him."

      1. By Lars Hansson () on

        Sure, they're doing some good work but it would be even better if they didnt appear to be complete crackheads. The IT security industry is a big enough joke already...

  3. By methodic () on

    wc -l of GOBBLES 0day:
    427 ssh.diff

    wc -l of OpenSSH 3.4 (*.c and *.h):
    47592 total

    What it comes down to, is the OpenSSH team gave us a great, very useful piece of software, and the GOBBLES team gave us an exploit that people wont even remember 6 months from now. I am all for full-disclosure, and a working exploit is going beyond the call of duty, but GOBBLES ego shouldn't be as big as it is. It doesn't take skill to break software, it takes skill to write something useful.

    1. By Peter Hessler () on

      Taking skill or not, that's still damage. It doesn't take skill to point a gun at someone's head and pull the trigger, but they're still damaged. It takes skill to put them together after that happened.

      Patching is easy. Follow the -STABLE branch of your tree, do a make build, and you will be protected from the ssh exploit, apache vuln, and the DNS resolver vuln. I have a pretty shell script that will automate the process for people who run into problems (NOT expected).


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]