OpenBSD Journal

OpenSSH Exploit

Contributed by jose on from the cvs-up-&&-make-build dept.

Similar to their Apache exploit, the Gobbles group have released a proof-of-concept exploit for OpenSSH. This one targets the challenge-response vulnerability in OpenSSH prior to 3.4.

If you haven't upgraded yet, now is the time to schedule it.
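
A check for the condition described above (an OpenSSH version older than 3.4 with challenge-response authentication on), as an added example that is not part of the original post. The function names and verdict strings are hypothetical; it assumes an absent `ChallengeResponseAuthentication` directive means the feature is enabled and that the first occurrence of a keyword in sshd_config wins.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an sshd setup
# matches "OpenSSH prior to 3.4 with challenge-response enabled".

# version_before_3_4 "<banner>": 0 = older than 3.4, 1 = 3.4 or later,
# 2 = banner could not be parsed.
version_before_3_4() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v                       # $1 = major, $2 = minor
    [ "$1" -lt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -lt 4 ]; }
}

# challenge_response_enabled < sshd_config: 0 = enabled, 1 = disabled.
# Keywords are case-insensitive; comments are stripped first.
# Assumption: first occurrence wins, and a missing directive means "yes".
challenge_response_enabled() {
    val=$(sed -e 's/#.*//' |
          awk 'tolower($1) == "challengeresponseauthentication" {
                   print tolower($2); exit }')
    [ "$val" != "no" ]
}

# audit_sshd "<banner>" < sshd_config: prints one verdict word.
audit_sshd() {
    cr=on; challenge_response_enabled || cr=off   # consumes stdin
    rc=0; version_before_3_4 "$1" || rc=$?
    case $rc in
        0) echo "affected-cr-$cr" ;;   # upgrade needed; cr shows exposure
        1) echo "not-affected" ;;      # 3.4 or later
        *) echo "unknown" ;;           # unparseable version banner
    esac
}

# Constructed sample input: a commented-out "no" must not count as disabled.
sample_cfg='Protocol 2
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes'
printf '%s\n' "$sample_cfg" | audit_sshd "OpenSSH_3.2.3p1"

# On a real host (paths vary by system):
#   audit_sshd "$(ssh -V 2>&1)" < /etc/ssh/sshd_config
```

An `affected-cr-off` verdict still reports a version older than 3.4, so the upgrade remains outstanding.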

Comments
  1. By RC () on

    Why upgrade? Disable S/Key (ChallengeResponse) and you're perfectly safe.

    If you ask me, S/Key auth shouldn't have been enabled in OpenBSD by default. Remember all that stuff on the OpenBSD web page that says they shut off unnecessary services? Wouldn't it be nice if it were true?

    Comments
    1. By lt () on

      Yes it would be nice if it were true. I'm pretty disappointed that OpenBSD enables S/Key, RPC and talkd by default actually.

      Comments
      1. By skull () on

        s/key rocks

        Comments
        1. By RC () on

          You're right, S/Key is very nice, but most people NEVER use it. While it may be nice for those of us who use untrusted systems, most people that use OpenSSH don't use S/Key with it. For those few who need it, enable it. Isn't that the whole idea behind OpenBSD?

      2. By Miod Vallat () miod@openbsd.org on

        I wonder where you found out that RPC and talkd were enabled by default. It was supposed to be hidden backdoors!

    2. By Not Really Anonymous () on

      The problem is, the vulnerability still exists and should be patched. The fix to a vulnerability shouldn't be, "just turn off the service".

      I would rather use the provided patch instead of hoping that the S/Key auth is never enabled again for some mystical magical reason.

  2. By Anonymous Coward () on

    Is it just me or does GOBBLES really have it in for Theo?

    Guess that means Theo's doing something right :).

    Comments
    1. By skull () on

      OpenBSD != Theo, and if anything maybe this will give OpenBSD a little more publicity. And it will most likely demonstrate what is assumed: obsd users are more security conscious and on top of patches and security notices than other users.

      If anything we should thank "GOBBLES" for keeping the OPENBSD /development team/ and /community/ on their collective toes.

      "If GOBBLES didn't exist, it would be necessary to invent him."
      -Skull

      Comments
      1. By Lars Hansson () on

        Sure, they're doing some good work but it would be even better if they didn't appear to be complete crackheads. The IT security industry is a big enough joke already...

  3. By methodic () methodic@bigunz.angrypacket.com on http://sec.angrypacket.com

    wc -l of GOBBLES 0day:
    427 ssh.diff

    wc -l of OpenSSH 3.4 (*.c and *.h):
    47592 total

    What it comes down to is, the OpenSSH team gave us a great, very useful piece of software, and the GOBBLES team gave us an exploit that people won't even remember 6 months from now. I am all for full-disclosure, and a working exploit is going beyond the call of duty, but GOBBLES' ego shouldn't be as big as it is. It doesn't take skill to break software, it takes skill to write something useful.

    Comments
    1. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

      Taking skill or not, that's still damage. It doesn't take skill to point a gun at someone's head and pull the trigger, but they're still damaged. It takes skill to put them together after that happened.

      Patching is easy. Follow the -STABLE branch of your tree, do a make build, and you will be protected from the ssh exploit, apache vuln, and the DNS resolver vuln. I have a pretty shell script that will automate the process for people who run into problems (NOT expected).
