Contributed by jose on from the sshland-security dept.
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.
2. Solution:
Upgrade to OpenSSH 3.7 or apply the patch.
The patch and the advisory can be found at http://www.openssh.com/txt/buffer.adv . This bug was being discussed on the Full Disclosure list recently.
UPDATE: Here's the CERT advisory and the ISS X-Force advisory on the subject. Note that various embedded devices use OpenSSH, so they're also vulnerable to this issue.
By Anonymous Coward () on
Everyone should switch to lsh instead.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
I'd agree that this makes 2, but the security is still proactive
Comments
By Anonymous Coward () on
By RC () on
Being proactive does not require someone to do a perfect job.
Priv-sep was added, not in response to any exploit.
Switching to lsh would be a large step backwards.
By Anonymous Coward () on
By jose () on http://monkey.org/~jose/
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940&w=2
enjoy, and patch ... it sounds like the hackers found this one first ...
By Anonymous Coward () on
Comments
By Daniel Svensson () on
By Anonymous Coward () on
This guy is a paid employee of the Microsoft Department of Internet Information.
A flaw may be in the wild? Ooh scary everyone. Read the morning newspaper and disable external SSH. At least I know about it right away and can disable external SSH until I know what's up.
Honestly, I think Microsoft is present in this forum instigating pain for the rest of us.
Comments
By Anonymous Coward () on
Who bothered to spawn you, and why?
By Anonymous Coward () on
Comments
By tedu () on
Comments
By janus () janus at errornet dot de on http://janus.errornet.de
By Nate () on
On one hand there is the bunch of random Anonymous Cowards proclaiming to have been hacked already, then there are the Anonymous Cowards on the other side saying it is impossible to use the overflow to create a viable exploit.
Right now there are people at both extremes bellowing at the top of their lungs about how they're right and the other group is wrong. Until proof exists, there is no exploit, only a chance of one.
All I can say is STFU and wait. Unless you can show the exploit then there is doubt, though updating your OpenSSH will not hurt.
Comments
By coward () on
Comments
By Anonymous Coward () on
Comments
By coward () on
Comments
By compass () on
Comments
By coward () on
[PS to moderator: sorry for my other accusation, you did not indeed remove my posts, i merely looked at the wrong thread... i apologize.]
Comments
By compass () on
Comments
By Anonymous Coward () a on mailto:a
By Anonymous Coward () on
ok I'll bite!
Ummm, maybe because giving it to the k1dd13s will cause a lot more damage than just bellowing out I wrote an exploit.
An issue of credit perhaps.
Sharing it with the developers ( A little more responsible ) is also another idea.
See I can say this:
I wrote a remote exploit that gives me root on any server that runs 'insert your app here'
Now I'm not going to show you any code but I told you I wrote the exploit so you should now phear me and my 'leet skillz.
Come on give me a break! Go play in the sandbox with the other 6 year olds.
I think I saw this elsewhere today and it holds value:
Bottom Line:
PUT UP or SHUT UP!
Comments
By coward () on
By Shane J Pearson () on
It is usually very simple to prove something exists (if it does), yet very difficult to prove something does not exist.
Asking for proof of the exploit is the natural, reasonable question. There should be no assumptions of bias attached to such a question.
what makes you think someone will just give you his/her hard work (i have no doubt this is not your average strcpy() linear stack overflow style) for, errr, nothing in return?
If exploits are in the wild, as claimed by some, then it should not be hard to point to them.
Until then, with all the trolling going on around here, I don't think it is unreasonable to expect a little doubt around here. Especially with the tone of the posters claiming exploits in the wild!
By Anonymous Coward () on
By Anonymous Coward () on
% nc -4 localhost 22
SSH-2.0-OpenSSH_3.7
^C
% ls -l /usr/sbin/sshd
264 -r-xr-xr-x 1 root bin 260696 Sep 15 12:03 /usr/sbin/sshd
My version of the source, obviously, does not contain this patch. Does this mean the version is incremented in OpenBSD-current before the `official' release is finalised?
Comments
By tedu () on
By Anonymous Coward () on
Comments
By djm () on
Please show us (openssh@openbsd.org) an exploit - we'll believe you then.
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Noob () on
By Anonymous Coward () on
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
Comments
By Anonymous Coward () on
By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net
netchan
Comments
By Nate () on
It may well be that this problem exists in ossh.
I've not read enough to know for sure if it's that old or if it was introduced with the various improvements the Open team brought to the code.
Comments
By Anonymous Coward () on