OpenBSD Journal

More OpenSSH Activity for Today

Contributed by jose on from the busy-day-for-things dept.

Today was a busy day for OpenSSH.

cron writes: "The errata page is updated with the patch for pre OpenSSH 3.7."

And zeronetl writes: "Just finished upgrading to OpenSSH 3.7 and refreshed http://www.openssh.org/openbsd.html ..."

A second version of the buffer handling advisory is out; it also includes patches to bring 3.7 up to 3.7.1. Make sure you're upgraded and protected against this vulnerability.



Comments
  1. By RC () on

    I know there isn't a lot of info yet on the exploit used, but does anyone know if Propolice, et al., might protect against OpenSSH <3.7.1 being exploited on OpenBSD?

    Comments
    1. By grey () on

      It's impossible to comment on this until an exploit is available publicly. Despite reports of exploits being "in the wild" I don't think anyone knows of any publicly accessible exploit to compare against.

      Presumably, if and when an exploit does surface publicly, it will employ techniques to circumvent propolice, W^X, and whatever other protections might potentially get in the way. If it doesn't, then either those protections are not applicable, or ineffective defense mechanisms against whatever this to-be-leaked/published happens to do.

      Still need to wait and see.

      Comments
      1. By grey () on

        s/comment/provide an answer.

    2. By Anonymous Coward () on

      Propolice has no effect as it is a heap corruption vulnerability.

      Comments
      1. By RC () on

        So you are saying that my Sparc64 and Alpha machines are probably okay? (See Link) That's not to say that I haven't already updated.

        http://www.deadly.org/article.php3?sid=20020826013453

        Comments
        1. By Anonymous Coward () on

          Nope. Heap corruption vulnerabilities are a nice breed, especially when combined with an application like sshd. Modification of data is all it takes in this case to grant a rootshell, no execution of code needed. So much for W|X.

          Comments
          1. By Anonymous Coward () on

            probably not true in this case. the corruption takes place in sshd's exit path. it will not return to the login codepath.

    3. By Anonymous Coward () on

      Keep in mind, there is no actual evidence of an OpenBSD exploit (or as far as I've seen an exploit for other systems). Those coming forward and making claims they used 'the exploit' against OBSD are pointedly failing to cough up any such exploit. Sure, it is possible there is an exploit, but it seems more likely these are trolling posts by Theo-haters that just want to give the public impression there is an exploit, so they can argue OBSD's security record is just a crock. Anyone can claim "I have an exploit that works against OpenBSD (even when the machine is turned off!), but I'm keeping the exploit to myself because...". Patch your machine and wait. But I'm betting that if an exploit ever actually appears on the scene, it will be written sometime over the next few weeks, and have the date altered in some lame way to imply it has existed much longer.

      Comments
      1. By RC () on

        Well, there is no evidence of an *OpenBSD* exploit just yet (which is why I asked the question), however, there are cases where systems running OpenSSH were rooted, with privsep.

        So, at the very least, it looks very likely that the portable version of OpenSSH has a root bug.

        Comments
        1. By pravus () on

          where are you seeing this? i have not seen one single report of someone who could prove that 1) their system was rooted by an exploit involving this latest fix or that 2) said exploit even exists for *any* system. the proof is in the pudding and i haven't even seen the mixing bowl, yet.

      2. By coward () on

        [nice to see that uncalled-for censorship is in effect, let's see how long this one lasts ;-]

        OpenBSD doesn't have a security track record, individual pieces of it do (ditto for other OSs). When looked at this way, you realize that what you claim as OpenBSD's is effectively that of OpenSSH which happens to be the same then for all other OSs using it, making the whole 'mine is bigger than yours' claim meaningless. So much for why the 'Theo-haters' need not care about your petty claim. As for your insinuation about altering exploit dates to make it appear older than it is, no need to do that, there are enough hacklogs for a year at least that will prove it otherwise (should someone be actually that silly to release those too, that is).

        Comments
        1. By Anonymous Coward () on

          OpenBSD's security track record is the sum of its individual pieces, along with how they are put together. So far, it is doing pretty well. This isn't a 'mine is bigger than yours' claim, just a fact. NetBSD, and some Linux distros, for instance also have impressive track records (perhaps not quite as good as OpenBSD's record -- quite frankly I'm not keeping track of the exact numbers. I have other concerns.) Anyone that visits deadly.org knows it is constantly trolled -- so claims that 'Theo-haters may well be exaggerating, lying, or even plotting' is hardly a "petty claim". We see it so much, it is not even news around here ...

          Hacklogs would certainly be interesting, but they seem to be as elusive as this exploit. If you are so sure there is an exploit that works against OpenBSD, and you aren't a 'Theo-hater', then give us the proof. I'll cheerfully admit exploit-claiming-posters were giving an honest warning, as opposed to being trolling pieces of shit. My money is on no such proof showing up 'soon', while the number of empty claims of an OpenBSD exploit will steadily increase.

          Comments
          1. By Anonymous Coward () on

            Hmm, maybe you're the first guy here who has ever acknowledged that 'NetBSD, and some Linux distros, for instance also have impressive track records' - i take it you're not a core OpenBSD developer either. What you don't see however is these systems bragging about it, and for that matter, the OpenBSD claim is wrong too (the claim is not consistent with reality, for example, they want a publicly released exploit before considering it as a 'remote hole in the default install' whereas nowhere does the claim state that condition). The only 'trolling' i've seen recently has all been questioning the effectiveness of certain 'new' OpenBSD developments, i have not seen a single technical (let alone correct) counter-argument to those, have you? As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?

            Comments
            1. By pravus () on

              "As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?"

              pure bunk. if there are other serious flaws in the system, get them public and get them fixed. there is absolutely no reason why anyone should keep this information private.

              Comments
              1. By Anonymous Coward () on

                let's see some of those absolutely non-existent reasons:

                1. you work for a company/government agency and your contract/oath binds you to remain silent (potentially for life).

                2. you are a blackhat and the last thing you want is such bugs go public and get fixed.

                capito?

                Comments
                1. By gwyllion () on

                  "2. you are a blackhat and the last thing you want is such bugs go public and get fixed." The bug is now public and fixed. Now it's your moment to show how good your exploit writing skills are: exploiting a bug which is thought to be unexploitable.

                  Comments
                  1. By elguapo () on

                    That defies the fucking purpose of being a "blackhat." A blackhat does NOT care about infamy or what his peers think of him. He develops his own techniques and/or bases his work off peers that he trusts fully. A true blackhat would NEVER release anything to the public or disclose any new "technique" as far as exploitation. You can continue to think that blackhats release exploits to demonstrate their abilities but again it's a moot point falling on deaf ears.

                    Comments
                    1. By vincent- () on

                      actually, i'm wondering about the whole blackhat ideal of not releasing and that most (all?) whitehats suck and blah blah blah.

                      how come they haven't developed a secure operating system yet, since they're so good with finding exploitation paths? (no sarcasm here, some publicly known techniques are incredibly clever, and I would guess the secret ones are even better)

                      or are they all running a mainstream OS with shitloads of patches in?

                  2. By Anonymous Coward () on

                    as was said somewhere above in this thread:

                    As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?

                  3. By chill () on

                    Remember PitBull? The hardening package that locked down Solaris? The company ran a few annual "can't hack me" contests with a large (US $1 million?) cash prize. Three years, no hack. Fourth year, hacked and they didn't have the prize. (BTW, they GAVE OUT the root password as bait in the contest.)

                    The "hack" was a previously unreleased but long-standing vuln in the deep heart of Solaris. It affected, if I remember correctly, at least 2.6 - 8.

                    IIRC, the vuln also allowed access to "Trusted Solaris" versions. PrivSep didn't help.

                    In short, this is one example of a root level vuln in what was thought to be, and if IIRC about the effect on Trusted Solaris, GOVERNMENT CERTIFIED secure systems, publicly unknown yet exploited by the bad guys long before the light of day.

                    Comments
                    1. By gwyllion () on

                      LSD found the bug especially for the challenge, not some publicly unknown existing exploit.

                      Read http://lsd-pl.net/argus.html

                      Comments
                      1. By chill () on

                        Both, actually. It was a previously reported x86 vuln that was adapted to Solaris x86.

                        From the Argus website... (http://www.argus-systems.com/events/infosec/)

                        LSD became aware of a vulnerability in x86 operating systems through a posting to the NetBSD advisory (that vulnerability was not discovered by LSD). LSD was able to use that vulnerability to create a kernel level vulnerability in the base Solaris x86 operating system that was running on the system that Argus had deployed for the hacking challenge. The vulnerability exploited by LSD relates specifically to operating system implementations supporting the x86 architecture. In addition to Solaris for x86, the vulnerability may affect other operating systems that support the x86 architecture. This vulnerability had not previously been posted on Solaris bug tracking web sites or mailing lists, and to the best of our knowledge no patch was or is presently available to correct this vulnerability.


            2. By Anonymous Coward () on

              hrmmm, it always boils down to the claim doesn't it. I actually think in the end it really depends on the individual admin. I can put up an OpenBSD box and configure it poorly, install some crap packages and it can get rooted just as easily as I can a redhat box.

              Of course there are other O.S.'s with impressive security records, NetBSD doesn't even start up ssh by default, FreeBSD has some great security records as well, so do many linux distros. I don't really keep track of which O.S. has "the best record"; I don't really care. I know how to admin a box and feel comfortable enough in my skills that I don't make a decision based on security track record. I do make a decision on what is best for the job at hand.

              The thing about it is this. Theo and the group aren't taking over the world with damn OpenBSD. It's a pretty finite group of people running it, there might be a few thousand people running OpenBSD, lots of people in the I.T. industry aren't even aware that OpenBSD exists.

              All that to say this. The claim is a relatively small thing in the overall scheme. There's no reward for finding a hole in OpenBSD, like some other apps....

            3. By Anonymous Coward () on

              "Hmm, maybe you're the first guy here who has ever acknowledged that 'NetBSD, and some Linux distros, for instance also have impressive track records'"

              Oh, bullshit. Damn stupid troll.

              Either you've been overly selective or you're new here or you're just a freakin idiot. Most people here know Debian has had a good track record. Comparatively to the other Linuxes, the other free BSDs are better with their security concerns.

              But to suggest with sleight of hand that those OSs are as good as OBSD, you've got to be kidding. On the FreeBSD-announce list, there was a comment last year or so how they were going to break their security announcement record for bug fixes. Now, this isn't due to incompetency on their part and dependent heavily that they were preparing for or fixing a new release, but to say OBSD is at fault for someone else's lack of popularity in the security field, that's just silly.

              "- i take it you're not a core OpenBSD developer either."

              What's that have to do with it? You're saying pride is an anti-security measure? The developers know what they are talking about.

              "What you don't see however is these systems bragging about it,"

              Because they don't have the track record to prove it. Even bugtraq emails with comparative analysis to other OSs a couple of years back indicated OBSD was top notch. (The other OS was Apple's.) That was wholly independent of any core developer or the OBSD effort.

              Even anecdotal studies where random bits of info are just thrown at code showed OBSD to be more stable under those conditions.

              You sound like the whiny idiot that bitches about how some rich guy who bought a BMW is rubbing it in your face how rich he is because he drives his car to work.

              btw, if you compare the OBSD developers and community to the Linux community, holy hell, the OBSD community pales in comparison to the flaunting over their code.

              "and for that matter, the OpenBSD claim is wrong too (the claim is not consistent with reality, for example, they want a publicly released exploit before considering it as a 'remote hole in the default install' whereas nowhere does the claim state that condition)."

              Uhh, this policy is well known. It's been discussed on public forums, in mailing lists, on the O'Reilly web pages....how much more public do you need it to be?

              It's policy. If you don't understand that policy, you ask. If you don't receive clarification, that's a different matter, but you don't even ask.

              And not to mention, it's called common sense. I don't consider a hole in a Win98 release to count as a bug if MS has a patch 6 months after release and an exploit is found 12 months later. One of the reasons why I think MS got a bad rap with Slammer (in that instance) is because they had a patch; people didn't update.

              Such a policy is not only professional, it's sane. It's called a standard of claim. At least OBSD cares to have one.

              "The only 'trolling' i've seen recently has all been questioning the effectiveness of certain 'new' OpenBSD developments, i have not seen a single technical (let alone correct) counter-argument to those, have you?"

              Yes, because I actually read the posts.

              "As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?"

              Ahh, yes. The standard claim of the "what if", "what do I have under the sheet" (don't worry, mine is larger than yours), the passing of the hand over the ouija board.

              Sorry, magic tricks are for kids. You have revealed to me that you're utterly incompetent. You come off like a high schooler or someone with little real world experience.

              Security is a concept which then is attempted to take form through procedure, policy, and execution. While it has real world impact, a near fundamental basic security understanding is that your system, no matter how secured, is at risk.

              For you to wave your hands about the possibilities of something without substance means little. I too could complain that there is some security hole in Linux, FreeBSD, NetBSD, MacOS X, and XP because I *think* it's there.

              And you know what? I'm probably right--there is probably one. You may be too. But until PROOF is given, it's a matter of conjecture and faith. Sorry, the latter I would prefer to hand over to those in philosophy and religion than debate on a computer forum.

              In order to have a discussion, you need concrete fact. Evidence. Show me the money, fool. Anyone can point and say the sky is falling.

              And you know what? Such code has yet to be shown.

              So until you've seen that specialized code exploit, you're talking out of your ass with the suggestion of what *might* be there. Hell, there *might* be evidence of weapons of mass destruction embedded in the exploit code too. There *might* be an embedded binary pic of a gorgeous girl that would blow your mind and make you go straight. There *might* be a code tidbit to end this discussion of whether there is such code that makes OBSD rootable.

              But until it is shown, in the security world, your paranoias are your own. Don't lay them on someone else.

              Comments
              1. By Dunceor () on

                best post I have seen so far....

              2. By Anonymous Coward () on

                uhm, lots of crap at once, let's see the more relevant ones.

                1. "Oh, bullshit. Damn stupid troll."

                very intelligent, to the point, full of undeniable and verifiable facts. no. you my friend show the typical symptoms of the faithful OpenBSD follower. you provide no evidence to your claims (more below), you merely parrot what others have told you and that you blindly believed. those pesky beliefs, how dare they shatter!

                would you show me the freakin' idiot why other systems are not as good as OpenBSD is (presumably you meant their security track record)? to make it an apples-to-apples comparison, take the same configuration of each (say that of the default install of OpenBSD) and show me why one is better than the other.

                2. "but to say OBSD is at fault for somone else's lack of popularity in the security field, that's just silly"

                who were you quoting there exactly? putting words into my mouth, eh? besides i'd like to see your FACTS that show the popularity of OpenBSD (and others' lack of it) in the 'security field' (whatever that means). extraordinary claims require extraordinary proof, right?

                3. "You're saying pride is an anti-security measure? The developers know what they are talking about."

                pride presumes something to be proud of, you have yet to show it exists (see above). and as for what the OpenBSD developers know... well, i've seen enough of it ;-), read last month's little thread on bugtraq to see how many times Theo was proven wrong. here's a new one though (before i get accused of not being technical enough): would you mind asking your all-knowing developers (i don't think you will even understand the question itself let alone be able to answer it) why the TSB had to be duplicated for the non-exec pages support on sparc (vs. merely the extra check in the ITLB load handler)? hint: it did not.

                4. "the OBSD community pales in comparison to the flaunting over their [linux community's] code."

                any evidence or have you just - as you put it yourself so politely - been talking out of your ass?

                5. "how much more public do you need it to be"

                uhm, how about putting it into the page making the claim itself? at least something like: 'x publicly known remote hole in the default install'? that's not so much to add, is it?

                6. "If you don't receive clarification, that's a different matter, but you don't even ask."

                talking out of your ass again or you know something i don't?

                7. "I don't consider a hole in Win98 release to count as a bug if MS has a patch 6 months after release and an exploit is found 12 months later."

                that's your personal preference, i don't think the rest of the world shares it with you (if you think they do, show the evidence). also would you mind answering why the date of finding an exploit in the public matters? i mean, how does it make a bug/exploit any less dangerous? or are you telling me that just because the last public ssh exploit was released after the bug had been fixed ENSURES that no one in the world had had (let alone used) it before?

                8. "Yes, because I actually read the posts."

                me too, but i failed to find the content you did, care to be more explicit here? maybe we can finally discuss the technical details instead of your silly posturing.

                9. "You have revealed to me that you're utterly incompetent."

                i don't think i revealed much, at most asked questions that apparently had never crossed other people's mind - hardly my fault. also, where exactly lies my supposed incompetency and how did you manage to derive this from those two questions?

                10. "But until PROOF is given, it's a matter of conjecture and faith. Sorry, the latter I would prefer to hand over to those in philosophy and religion than debate on a computer forum."

                you may not realize let alone agree with it but this was actually the only sensible comment of yours here. and you know, you've made enough unsubstantiated statements yourself now that it's really high time you proved them, after all you wouldn't want us mere mortals to take your words at face value (faith?) 'on a computer forum', would you?

                11. "And you know what? Such code has yet to be shown."

                correct/agreed, but you're wrong on "until it is shown, in the security world, your paranoias are your own". first, it's not my paranoia (because i know things, vs. you who doesn't yet know whether to believe them or not), second, in the 'security world' i know only the paranoid survives (to paraphrase Mr. Grove), the rest gets rooted, sooner than later. which group do you belong to? and how do you know? or all you have is faith that you do/do not [get rooted]...?

                Comments
                1. By Anonymous Coward () on

                  Why don't you just take your little exploit and root a popular site that runs OpenBSD then, that shouldn't be too hard to find... While you're at it go on and deface the page and put:

                  "Deadly DOT org troll was here!"

                  No, no, seriously, you should do that.

                  Comments
                  1. By Anonymous Coward () on

                    oh, another mature and intelligent faithful i see. yeah, i shall definitely follow your 'advice', it's so good i can't believe i haven't come up with it myself. seriously, release your flatulence somewhere else next time, and try to answer the questions in some civilized manner, that may even bring in some real discussion. unless of course the above is all you were capable of.

    4. By norbert () on

      what about W^X? can W^X protect vulnerable machines from possible remote execution of code?

      Comments
      1. By coward () on

        It cannot in general as it is still possible to introduce new code into the process, but it requires a specific call to mmap or mprotect and that may or may not be feasible in a given exploit situation. On the other hand W^X can be totally meaningless here if the exploit can just alter authentication related data (i.e., without having to execute any code on its behalf) and get a shell that way.

  2. By Anonymous Coward () on

    So, I installed 3.7 on my 3.3 box. Does 004 apply to 3.6 or 3.7? So confusing.

    Comments
    1. By Anonymous Coward () on

      004 was revised. If you patched before the revision, you *need* to patch again.

      Comments
      1. By Anonymous Coward () on

        I didn't patch at all. I installed from openssh-3.7.tgz on openssh.com.

        Comments
        1. By Anonymous Coward () on

          Did you verify you are running OpenSSH_3.7.1?
          ssh -V does the trick. if so, you are good to go.
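One way to do that check without eyeballing the banner, as an added example (not from this thread and not part of OpenSSH): a small POSIX sh script that pulls the version out of an `ssh -V` banner and compares it against 3.7.1. The two sample banners are constructed for the demonstration, and `openssh_version`, `version_ge` and `banner_is_fixed` are this example's own helper names. Keep in mind that `ssh -V` reports the version of the installed client binary; it tells you the release on disk, not whether the sshd process currently listening was restarted after the upgrade.

```shell
#!/bin/sh
# Added example: parse an `ssh -V` banner and decide whether it is at or
# above OpenSSH 3.7.1. The two banners below are constructed for the demo.
SAMPLE_OLD='OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f'
SAMPLE_FIXED='OpenSSH_3.7.1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f'
MIN_FIXED='3.7.1'

# Print the dotted version from a banner ("3.7.1" from "OpenSSH_3.7.1p1, ...").
# Fails (status 1) if the string is not an OpenSSH banner at all.
openssh_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$v" ]; then return 1; fi
    printf '%s\n' "$v"
}

# Succeed when dotted version $1 >= $2, comparing numerically field by
# field; a missing field ("3.7") counts as 0, so 3.7 sorts below 3.7.1.
version_ge() {
    want=$2
    oldifs=$IFS
    IFS=.
    set -- $1
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $want
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then
        if [ "$a1" -gt "$b1" ]; then return 0; else return 1; fi
    fi
    if [ "$a2" -ne "$b2" ]; then
        if [ "$a2" -gt "$b2" ]; then return 0; else return 1; fi
    fi
    if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# Status 0: banner is 3.7.1 or newer; 1: older; 2: not an OpenSSH banner.
banner_is_fixed() {
    ver=$(openssh_version "$1") || return 2
    version_ge "$ver" "$MIN_FIXED"
}

# Stand-alone run: report on the two sample banners, then on the local
# ssh if one is installed (ssh -V prints its banner on stderr).
for banner in "$SAMPLE_OLD" "$SAMPLE_FIXED"; do
    if banner_is_fixed "$banner"; then
        echo "ok:      $banner"
    else
        echo "UPGRADE: $banner"
    fi
done
if command -v ssh >/dev/null 2>&1; then
    local_banner=$(ssh -V 2>&1 || true)
    if banner_is_fixed "$local_banner"; then
        echo "local ssh: $local_banner (>= $MIN_FIXED)"
    else
        echo "local ssh: $local_banner (older than $MIN_FIXED or unrecognised)"
    fi
fi
```

The comparison is done field by field rather than as a string so that a later "3.10" does not sort below "3.7.1"; the `p1`-style portable suffix is deliberately ignored because it carries no security meaning of its own.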

        2. By Anonymous Coward () on

          BTW, http://openbsd.org/errata.html has been updated with the revised patch.

    2. By Anonymous Coward () on

      The first thing we might have to do is apply some patches after the official release of OpenBSD-3.4.

      Comments
      1. By Anonymous Coward () on

        No, OpenSSH 3.7.1 is tagged OPENBSD_3_4. I'm sure following bugfixes will be too.

  3. By sequel (sequel@neofreak.org) on

    Can't even compile openssh-3.7.1.tgz on a stock 3.3
    on i386...
    gss-serv-krb5.o: Undefined symbol `_gss_krb5_copy_ccache' referenced from text segment

    Works if I disable Kerberos5

    -->#KERBEROS5=no make

    Still have to try on my SPARC boxes to see if it's the same...

    Comments
    1. By netchan (deadly@netchan.cotse.net) on

      Have you patched it?

      "If you are installing OpenSSH 3.7.1 on OpenBSD 3.3 or older, you need the following patch:
      ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd3x_3.7.1.patch."

      Comments
      1. By sequel (sequel@neofreak.org) on

        Doh!

        I was thinking patch was only needed for <3.7

        Thanks!

        Comments
        1. By Anonymous Coward () on

          yep. that is what I thought too. I also thought that a cvs checkout would correct that error in the make (for my 3.2, anyway); it didn't. But the patch worked for me.

          definitely have to move to 3.4

    2. By sequel (sequel@neofreak.org) on

      Excuse my ignorance but, why does the latest STABLE version of OpenSSH (3.7.1) need to be patched on the latest STABLE version of OpenBSD (3.3)?

      Surely you will tell me that it can compile without patch on CURRENT but...

      Anyway the patch is named openbsd3x_3.7.1.patch so in theory it could apply to 3.4 as well...

  4. By jose (http://monkey.org/~jose/) on

    Date: Tue, 16 Sep 2003 19:04:57 -0600
    From: Todd C. Miller
    To: security-announce@openbsd.org
    Subject: Re: OpenSSH Security Advisory: buffer.adv

    Both the 3.2 and 3.3 -stable branches have been updated to OpenSSH 3.7.1. A new revision of the sshbuffer patch is now available that supersedes the first version.

    Patch for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/017_sshbuffer.patch

    Patch for OpenBSD 3.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/004_sshbuffer.patch

    The new version of the patch begins with the following line:
    NOTE: this is the second revision of this patch

  5. By Anonymous Coward () on

    This exploit was originally made public during the CTF contest at Defcon, why did it take this long to make it out and get fixed?

    Comments
    1. By lazy-bones () on

      If it is true we must install OpenBSD from scratch...

    2. By tedu () on

      how would people who didn't attend defcon find out about this public announcement?

      Comments
      1. By djm () on

        Yeah, Google doesn't know about this "public" exploit. Neither bugtraq nor the openssh lists were notified either. Pity that our telepathic bug detection is on the blink.

        Comments
        1. By X () on

          in my bathroom too, with drugs and champagne
          we wrote the exploit and it was only known to my girls...

    3. By gwyllion () on

      What's the impact of this "public" exploit? Remote exploit on OpenBSD? Most experts are claiming that it's only a DoS and could hardly be exploited.

      Comments
      1. By Anonymous Coward () on

        That was the first one. The second one is a remote root-level exploit.

        Comments
        1. By gwyllion () on

          So there is a second unpublished bug which gives you remote root, and still isn't fixed?

          Comments
          1. By Anonymous Coward () on

            not just a second one

            course, im never gonna use my sploits on a live sys, cause I don't want to get found out

        2. By Anonymous Coward () on

          So there're still bugs in openssh 3.7.1? Nice to know.

    4. By lx () on

      Erm, I was playing there and had no knowledge of it. It certainly wasn't being actively exploited/publicized, it would have been rather easy to notice if it was.

    5. By Hagge (aliquis@link-net.org) on

      I once asked (probably 2 months ago or so) a 14 year old I know from irc why his box didn't support scp and was told he didn't use openssh due to the vulnerabilities. Even though I do know he knows quite a lot for his age I didn't think much more about it and kept on running openssh on my machine. But now it seems like he was right, and in that case both he and the previous poster are right and this stuff has been known for a very long time in private circuits. Kind of sucks :)

    6. By gwyllion () on

      http://www.angelfire.lycos.com/ill/m0nkey0/sshexp.tar.bz2

      Finally some real proof! I hope this gets reverse engineered quite fast, so we can know how the bug gets exploited. This exploit seems to exist since the beginning of August.

      Comments
      1. By gwyllion () on

        This thing is a trojan horse. Don't run it.

        Read http://marc.theaimsgroup.com/?l=full-disclosure&m=106393327727149&w=2

  6. By Anonymous Coward () on

    http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html

    According to that advisory, even 3.7.1 is vulnerable. And not to just a Denial of Service, but a full-blown arbitrary code execution. Even the famous Solar Designer confirmed it and found 4 additional holes.

    I'm not trying to fud about the crappiness of OpenSSH, unlike some other anonymous cowards, but that advisory scares the shit out of me.

    Comments
    1. By Matt () on

      I understand your comment was not intended to be FUD, but within the link you posted there is no proof that Solar Designer found anything. A pgp signed message from SD himself would hold a little more credibility in my eyes. Until I see something from him, the post you refer to is just hearsay and therefore as useless as all the crap the trolls are spreading here.

      Comments
      1. By gwyllion () on

        Solar Designer fixed some extra bugs. Read http://www.openwall.com/Owl/CHANGES-current.shtml, it says.

        2003/09/17 Package: openssh
        SECURITY FIX Severity: medium, remote, active

        Multiple memory management errors have been discovered in OpenSSH, and this update corrects 6 such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions. At this time, it is uncertain whether and which of these bugs are exploitable. If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account. Reference:
        http://www.openssh.com/txt/buffer.adv

        I included solar's patch in an email to bugs@openbsd.org: http://marc.theaimsgroup.com/?l=openbsd-bugs&m=106381378820034&w=2
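The Owl CHANGES entry quoted above attributes its fixes to *realloc() handling in OpenSSH, and an earlier comment in this thread places the corruption in sshd's exit path. As an added illustration of that bug class (this is not OpenSSH's buffer code and not the patched bug itself), the toy growable buffer below shows growth code that updates its bookkeeping before the allocation succeeds, so that a failing realloc leaves `alloc` claiming space that was never obtained; a later cleanup that wipes the "whole" region before freeing it then writes past the real allocation. The hardened form beside it checks the size arithmetic for wrap-around, reallocates into a temporary, and touches the struct only after success. `limited_realloc` and `ALLOC_CEILING` are hypothetical, present only to force the failure path deterministically; all names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer; names are this example's own, not OpenSSH's. */
struct buf {
    unsigned char *data;
    size_t alloc;   /* bytes the struct believes are allocated for data */
    size_t len;     /* bytes in use */
};

/* Hypothetical allocator with a hard ceiling so that the out-of-memory
 * path can be exercised deterministically in a demo or a test. */
#define ALLOC_CEILING 4096

static void *limited_realloc(void *p, size_t n)
{
    if (n > ALLOC_CEILING)
        return NULL;
    return realloc(p, n);
}

int buf_init(struct buf *b, size_t initial)
{
    b->data = limited_realloc(NULL, initial);
    if (b->data == NULL)
        return -1;
    b->alloc = initial;
    b->len = 0;
    return 0;
}

/* Unsafe growth: bookkeeping is updated before the allocation succeeds.
 * On failure, alloc claims space that was never obtained, and any later
 * cleanup that trusts alloc (such as buf_free below) writes out of bounds:
 * heap corruption on the exit path, with no attacker code executing. */
int buf_grow_unsafe(struct buf *b, size_t need)
{
    if (b->len + need <= b->alloc)
        return 0;
    b->alloc = (b->len + need) * 2;           /* state changed first ... */
    unsigned char *p = limited_realloc(b->data, b->alloc);
    if (p == NULL)
        return -1;                             /* ... and never rolled back */
    b->data = p;
    return 0;
}

/* Hardened growth: reject arithmetic that would wrap, allocate into a
 * temporary, and update the struct only once everything has succeeded. */
int buf_grow_safe(struct buf *b, size_t need)
{
    if (need > SIZE_MAX - b->len)
        return -1;                             /* len + need would wrap */
    size_t required = b->len + need;
    if (required <= b->alloc)
        return 0;
    if (required > SIZE_MAX / 2)
        return -1;                             /* required * 2 would wrap */
    size_t newalloc = required * 2;
    unsigned char *p = limited_realloc(b->data, newalloc);
    if (p == NULL)
        return -1;                             /* b is exactly as it was */
    b->data = p;
    b->alloc = newalloc;
    return 0;
}

/* Cleanup that trusts alloc: correct only as long as alloc never lies. */
void buf_free(struct buf *b)
{
    if (b->data != NULL)
        memset(b->data, 0, b->alloc);
    free(b->data);
    b->data = NULL;
    b->alloc = b->len = 0;
}

/* Force the failure path through either grower and report whether alloc
 * still matches the real allocation: 1 = consistent, 0 = inflated. */
int growth_failure_leaves_consistent_state(int use_safe)
{
    struct buf b;
    if (buf_init(&b, 64) != 0)
        return -1;
    int rc = use_safe ? buf_grow_safe(&b, ALLOC_CEILING)
                      : buf_grow_unsafe(&b, ALLOC_CEILING);
    int consistent = (rc != 0 && b.alloc == 64);
    if (consistent)
        buf_free(&b);          /* alloc is trustworthy: wipe and free */
    else
        free(b.data);          /* demo must not itself corrupt the heap */
    return consistent;
}

/* Successful or rejected growth for reference: new alloc, or 0 on error. */
size_t grow_and_report(size_t initial, size_t need)
{
    struct buf b;
    if (buf_init(&b, initial) != 0)
        return 0;
    if (buf_grow_safe(&b, need) != 0) {
        buf_free(&b);
        return 0;
    }
    size_t a = b.alloc;
    buf_free(&b);
    return a;
}

int main(void)
{
    printf("unsafe grow, forced failure: consistent=%d\n",
           growth_failure_leaves_consistent_state(0));
    printf("safe grow,   forced failure: consistent=%d\n",
           growth_failure_leaves_consistent_state(1));
    printf("safe grow 64 + 100 -> alloc %zu\n", grow_and_report(64, 100));
    printf("safe grow 64 + SIZE_MAX -> alloc %zu (rejected)\n",
           grow_and_report(64, SIZE_MAX));
    return 0;
}
```

The point for review is the ordering, not the arithmetic alone: a grower that can fail must leave every field of the object unchanged on failure, because the teardown code that runs on an error path (fatal handlers, atexit cleanup, destructors) will believe whatever the fields say.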

  7. By Petr R. (pruzicka@openbsd.cz) on

    Hmmm, I updated all of my servers to 3.7 yesterday and now we have 3.7.1. Should I wait for 3.7.2 for a couple of days :o] ?

    Comments
    1. By Anonymous Coward () on

      How about LSH for a change?

      Comments
      1. By markus () on

        it has problems as well

        http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000117.html

      2. By gwyllion () on

        Sure. For the first time people actually looked at it and already found a remote root vulnerability for lsh 1.4.x.

        http://marc.theaimsgroup.com/?l=full-disclosure&m=106397699029850&w=2

  8. By Niklas (fagnik@spray.se) on

    because I was rooted.
    And only ssh was open to the world.

    Of course I can't prove this, I don't have an exploit. I haven't asked my ISP for logs yet. And the only thing I can show is a _badly_ modified ssh client which I claim had to be modified between Sep 16 01:00 GMT+2 and 14:00 GMT+2.
    Why? Because I run ssh regularly in my backup script and was working on it the evening/night before.
    But I can't show anything except for a rooted 3.3 box.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]