Contributed by Dengue on from the damn-it. dept.
"A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2. Users with an existing user account can abuse this bug to gain root privileges. Exploitability without an existing user account has not been proven but is not considered impossible. A malicious ssh server could also use this bug to exploit a connecting vulnerable client.
(Comments are closed)
By bob () on
Comments
By Anonymous Coward () on
-Vig
Comments
By Anonymous Coward () on
Comments
By Anonymous Cowherd () on
Comments
By Anonymous Coward () on
Comments
By Gimlet () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By thuggee guard () thuggee@ijones.com on mailto:thuggee@ijones.com
By Anonymous Coward () on
its probabley the most audited piece of code on earth
Comments
By Anonymous Coward () on
This particular bug has been there since the start. I wonder what that says about the auditting ability of those who have audited between now and then. How did it get skipped all those other times when people audited it?
One thing's for sure: if this is the most heavily auditted piece of code on earth, we're all incredibly bad at auditing software. Well, those who have audited it are, anyway.
I want someone explain to me why Theo didn't find this bug in one of his regular code audits. Did he never audit this particular line? If not, what other lines did he not audit? If he did audit it, how did he not recognise it was a bug? If he can miss this bug, how many others of an obscure nature have been missed?
For all the hype that OpenSSH (&OpenBSD) generate about auditing and bug elmination, there ought not to be any security bugs/holes at all in their software. Anything less really says that this process is effectively worthless to the end-consumer, with outsiders being left to find the bugs in released versions of the code.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
{takes a breath}
ehehehehehehehehhehehehehe heeeeeeee......
{big inhale}
woohoooo..... man I needed that.
Thanks.
Comments
By Anonymous Coward () on
Comments
By syntaktic () leila@jhu.edu on http://syntaktic.net
By Anonymous Coward () on
...DYING THANK YOU SIGNED ME
dude this post is great.
are you the "armenian cowboy" from the Darren Reed provides OpenBSD 3.0 fork w/ IPFilter. thread? that is the only more lucid post i have ever read.
i'm quoting both of them on my website.
Comments
By armenian cowboy () on
HOWEVER HE MAKE A GOOD POINT WHEN IT COMES TO SOFTWARES. IN CS 372 WE LEARNED THAT SECURE WILL NEVER WORK IN MARKETPLACE DUE TO HIGH COSTS AND TEEN AGE HACKS. BUT I STILL HAVE A VIPER 870S SECURE SYSTEM IN MY CAR SO I CAN DRIVE DOWN TOWN AND BE SAFE!!!! I HAVE A NICE CAR AND I DONT WANT IT STOLEN RIGHT?
DO YOU AGREE? WHAT KIND OF SYSTEM SECURITY DO YOU CARS USE?
By Anonymous Coward () on
By Anonymous Coward () on
Yes.
Do you know anything about writing system code?
Obviously not.
If it is so worthless, switch to W2K...
By Anonymous Coward () on
I want someone explain to me why Theo didn't find this bug in one of his regular code audits. Did he never audit this particular line? If not, what other lines did he not audit? If he did audit it, how did he not recognise it was a bug? If he can miss this bug, how many others of an obscure nature have been missed?
Why don't you try auditing some incredibly complex software system and get back to us?
For all the hype that OpenSSH (&OpenBSD) generate about auditing and bug elmination, there ought not to be any security bugs/holes at all in their software. Anything less really says that this process is effectively worthless to the end-consumer, with outsiders being left to find the bugs in released versions of the code.
So because the process doesn't catch every single bug we should stop auditing? Yea... that makes sense. Might as well repeal all those drunk driving laws because they don't stop all drunks from driving.
If you really expect *EVERY* single bug to be caught by auditing, I suggest you find another (job | hobby | whatever).
By cb () boyer_c@bellsouth.net on www.openssh.com
Comments
By Anonymous Coward () on
By Przemyslaw Frasunek () venglin@freebsd.lublin.pl on http://www.frasunek.com
Comments
By DieNadel () no_sleep_till_brooklyn@nospam.spamsucks.com on mailto:no_sleep_till_brooklyn@nospam.spamsucks.com
Comments
By Przemyslaw Frasunek () venglin@freebsd.lublin.pl on http://www.frasunek.com
Of course, OpenSSH installed on *BSD platform in fact IS vulnerable, but this vulnerability can't be exploited.
Comments
By Juan Meneses () juan@iki.fi on http://iki.fi/juan/
The last sudo exploit I was aware of indeed works for BSD as well. I got a root shell by using it on my OpenBSD 2.9 box running the Postfix mailer. Please stop spreading disinformation.
Comments
By Przemyslaw Frasunek () venglin@freebsd.lublin.pl on http://www.frasunek.com
Comments
By Juan Meneses () juan@iki.fi on http://iki.fi/juan/
By Anonymous Coward () on
Or, LinuxSecurity Reports that the "off-by one" bug does effect FreeBSD 4.4-RELEASE, 4.5-RELEASE and 4.5-STABLE?
By Anonymous Coward () on
Are there any ssh server implementations in java?
Btw, this post is not intended to start a flamewar. I just want to point out that there may be some merit to writing net services in more secure languages. Verify the integrity of the bytecode interpreter and then any services that run within that VM will be as secure as the VM itself, right?
Comments
By Anonymous Coward () on
SOUNDS COOL MAN
Maybe we can make it use CORBA too, and some
awesome RMI object broker to transfer some XML
into my servlet, SIGN ME UP.
I'm sure that will fix all our problems
By fansipans () on
1. DEFAULT PASSWORDS
your magical hobbit ring wearing bytecode interpreter will be able to detect code designed with default passwords?
2. user input which triggers unintentional information output
ever sent 'debug=ong=on' to random php scripts :P, this is a great way to reveal information about a system
3. RACE CONDITIONS ...
how the hell is a 'verified bytecode interpreter' gonna know which order you intended to do something, if you accidentally code it with a race condition
4. Being a complete and total f*@!ng monkey
suppose there is a magical language (let's call it SUPERSSAFE!@!), it doesn't have pointers (oh! no memory vulnerabilities!), doesn't have objects (oh! no worrying about public/private methods/objects!), and it can't even OPEN FILES AT ALL! it only has standard mathmatical and logical operators (+,-,*,/,IF,WHILE), and the following functions:
PRINT
EXIT
LISTENTOTHEINTERNET
suppose i have a SUPER DUPER SECURE PROGRAM that has to be secure because it just listens for connections (hey! like ssh does!) and then prints out a credit card number...it looks like this:
handle=LISTENTOTHEINTERNET
IF handle=="JUJUFRUIT"
PRINT "7912-1231-1234-5321"
IF handle=="DEBUG"
PRINT "HELLO I AM LISTENING!! LOOK HOW SECURE I AM YOU NEED TO KNOW THE SECRET PASSWORD. THIS PROGRAM IS ON. AND THE CREDIT CARD NUMBER IS 7912-1231-1234-5321"
EXIT
how is ANY kind of interpreter going to prevent you from being a monkey?!
--fansipans
By pravus () on
2) with the way things are currently, would you really ever be at a state where you could trust the VM? if you try to keep the VM simple, you won't have much functionality, but you would feel better about the code since there wouldn't be much, and hence there should be fewer errors than in a larger project. however, users demand functionality as well as developers. the VM would have to be robust and provide powerful commands that would add complexity to the code it was written in. more code, more mistakes, more time auditing for mistakes. also, as with everything computerized, you have the growth and maintenance factor.
one more thing to think about with a single VM-based OS... if an exploit is found in the VM, depending upon the nature of the exploit, it might not just be exploitable in one program. you might have a bug that is exploitable in *any* of the programs that operate in the VM. the all-the-eggs-in-one-basket arrangement.
but then again... maybe i'm a crack addict.
Comments
By Anonamoose () on
In theory, switching to a different language might make programs more secure. I don't think such a language exists today (it's certainly not Java), as it would have to be designed so that the programmer still has enough low-level access in order for the program to be efficient, while at the same time making programmers work harder to hang themselves.
Comments
By stripes () stripes at the place apple give free email on mailto:stripes at the place apple give free email
Sure they do, Modula-3 for example. The problem with most (or all!) of them is it is harder to find a runtime system for them on all platforms, more differences exist form compiler to compiler, fewer programmers understand them, and very few of the "better" languages have free compilers for them. I also think Eifel might be a good one for security work, I'm not sure it has enough low level access for everything though.
That said I'll note that Java is actually quite fast on some platforms. I wrote a Java SSH client (with built in ANSI-77 terminal emulation!). On a Win 95 box using the Sun JVM, whatever Netscape had at the time, and whatever Symentec had at the time it was quite fast. Like I could scroll through a 500k /etc/termcap faster with my SSH client then the telnet that Microsoft shipped. Now I expect they didn't optimize their client for speed, and before I decided to see what could be done they ran about 4x faster then me, but still even then the Java SSH ran fast enough (doing 3DES!) that you would never think it wasn't C code.
On other platforms (generic byte code JVM on BSD/OS or FreeBSD) it was slower then a dead slug.
Comments
By fansipans () on
--fansipans
Comments
By vincent () on
open source, closed minds.
cheers.
v.
Comments
By Anonymous Coward () on
By vincent () vincent at igc.ethz.ch on mailto:vincent at igc.ethz.ch
Could somebody comment on this?
I am not myself into secure programming, and will ignore flames.
thank you.
By oobeleck () on
By markus () on
should help against exploits.
By Anonymous Coward () on
Revision 1.171 / (download) - annotate - [select for diffs] , Mon Mar 4 19:37:58 2002 UTC (3 days, 6 hours ago) by markus
Branch: MAIN
CVS Tags: HEAD
Changes since 1.170: +2 -2 lines
Diff to previous 1.170 (colored)
off by one; thanks to joost@pine.nl
"off by one". If I were reading CVS logs, I'd have a hard time correlating that with a security flaw. How many other security bugs lurk in their CVS repository, fixed with obscure commit messages?
It would seem that "security through obscurity" is what's practised, heavily, by the OpenBSD team.
Comments
By jcs () on
The problem was discovered, the bug was fixed, an advisory was sent to many mailing lists, a new version of OpenSSH was released, many of the OpenBSD and OpenSSH web pages were updated.
By Anonymous Coward () on
Log messages have little to do with security and open publication is anything but obscure.
View colours vision.
Comments
By Anonymous Coward () on
In talk around the traps, it appears that the security announcement was rushed forward from next week because it got "leaked" and people were starting to develop exploits already. Evidence of things being rushed is that the announcement of 3.1 went out before the website was updated.
What this says to me is that the CVS log message was deliberately made obscure. Why? So that the security announcement "in waiting" wouldn't be compromised by the CVS commit log.
Comments
By Anonymous Coward () on
By pravus () on
and i can't stand all of these people who always say "oh look... the open{bsd,ssh} team found another exploitable bug and didn't tell anyone about it. they must be trying to hide something". as has been said before in many places, they fix bugs without testing exploitability. they're main design focus is on creating a secure product, but they are NOT in the security business. it's typically others who find the exploitability of bugs and then report them.
and if you really want to go after people who are trying to cover up bug reports, go after all of the companies that are trying to get the security reporting firms to switch to non-disclosure. those are the people who are trying to pull the wool over your eyes when it comes to security.
Comments
By Not Really Anonymous () on
Do you think the underground community ceases to make exploits, just because the rest of the world doesn't _publicly_ know about it?
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By niekze () niekze@nothingkillsfaster.com on http://www.nothingkillsfaster.com
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
OpenSSH: putting the "OPEN" back in networking
OpenSSH: making "root" open to all
The real question is, why have there been more security announcements and bug fixes in OpenSSH than the commercial SSH? Begs the question of whether this development process is really adding any value or just security bugs - which get fixed at some later point in time.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
F-Secure publish advisories, when necessary, to address security holes in their product.
One way to read your comment is that "because openssh is open source there are more bugs requiring more fixes". Given that the real ssh has progressed to 3.1 (before openssh), any argument about there being more development in openssh is specious at best.
Comments
By Anonymous Coward () on
Good God.
So, given I release MySSH 4.7 tomorrow, it's better and has more features?
Go read what's new in commercial SSH 3.1 compared to their latest 2.4. If you find anything that anyone would want to pay for, post it here.
Oh, and as for the "record": just look at the past. Do a lookup in CERT for just "SSH". Look at the number and classification of the holes in the different implementations. And think again.
Comments
By Anonymous Coward () on
search on ssh at www.cert.org):
7 OpenSSH only
7 Protocol dependant (protocol v1 bugs)
3 SSH only
1 Shared (SSH + OpenSSH)
1 Solaris specific (SecureRPC, SSH only)
Comments
By fansipans () on
lines of code available for auditing for commericial SSH: 0
Comments
By Anonymous Coward () on
3.1.0 (LOC in .c & .h) 269,147
1.2.33 (LOC in .c & .h) 74,720
By Anonymous Coward () on
Comments
By Darren () on
good idea about why the openssh 3.1 release was
so screwed (the timing between it and when i sent
an email to a someone else couldn't be just a
coincidence).
although, I am concerned about the implications
of what's been said here in defence of openssh:
we only announce security alerts when we know
an exploit exists (or is possible?).
IMHO that makes the openssh team just as bad as
any of the commercial vendors.
it also implies there are lots more security bugs
which get fixed "quietly" and that gives me even
less confidence in the quality of any praticular
openssh release.
'nuff said.
Comments
By Anonymous Coward () on
Please look at the advisories the team has released in the past. Plenty of times it's been a "no known exploit exists".
What you're basically saying that every time any type of bug is fixed, you release a goddamn bugtraq advisory?
Do you?
Comments
By Anonymous Coward () on
By Anonymous Coward () on
tomorrow. No security announcement is made.
Some hacker, watching CVS notices the change and
develops an exploit and keeps it quiet.
There is no security announcement made because as
far as the developers know, nobody is at risk.
I cannot believe anyone would justify that
position. Especially anyone who uses openssh.
Comments
By Sir Chevel D. Haughton III () on
By Anonymous Coward () on
Have you fixed any bugs in it?
People with this "it's a stupid error, there's no excuse for it" mentality obviously don't know what they are talking about. It seems to me that since this off-by-one error never crashed an sshd process on any of the systems I've ran it on that it'd be a hard bug to realize was even there.
Code auditing is a cyclic process, you start with what you see, then you look again. Every audit will miss something, that's why you re-audit, and re-audit again. You can not prove that program doesn't have bugs, only that you don't know of any bugs. You just have to keep looking.
By Anonymous Coward () on
Can you say OpenSSH has replaced most instances of Commercial SSH?
Who in their right mind will support the commercial veriant when you can spend your time developing a reputable Open-Source product?
By Anonymous Coward () on
So people only watching that is not warned!!!!!!
Comments
By Anonymous Coward () on
cvs -q get -P src
and then recompile SSH would be nice....
easy and simple
BUT NO, it isn't updated yet!!!!
Comments
By pravus () on
get a life. if you are only relying on openbsd's website for security information, you do not need to be administrating anything. the disclosure about the bug AND a patch has been widely discussed in many places over the past few days. i really feel sorry for you and your users if you can't find and download the patch to fix your system.
By Anonymous Coward () on
By Anonymous Coward () on
By Not Really Anonymous () on