Hello... I am a student at Göteborgs university who is the system administrator in one of the student clubs here. We run about 10 computers with one server, mainly Linux, and all run OpenSSH. We have closed telnet so only ssh connections are allowed.

Last night I got a mail from one of the system administrators at Göteborgs university saying that there was a possible root exploit in all OpenSSH versions from 2.9.9p2 and below. Shortly after this the university closed all connections using port 22 (that is how serious they think it is), effectively making all the machines I am responsible for unable to log on to from the outside. They have looked at the exploit and I'll try to sum it up here.

-----------------------
The program is 1.2 MB and is crypted. It gives you a root shell but doesn't seem to do anything stupid. 1.2 MB is a lot of data though... Using strace/truss/gdb etc. doesn't result in anything useful, so it is a bit hard to say what it really is doing.

They have confirmed that: F-Secure 1.2.xx, 2.x.xx, 3.0.x and OpenSSH 1.x, 2.9p1, 2.9.9p2 are vulnerable. OpenSSH 3.0.1p1 doesn't seem to be vulnerable though.

It is called x2 (at least by the people I have talked to). It doesn't seem to be the crc-bug but more something in the line of a buffer overrun during the handshake.

How to run it?
    x2 -t1 ip port
    x2 -t2 ip port
    x2 -t3 ip port
If it asks for a password just: cat key.txt
---------------------------

I have searched all the mailing lists but have not been able to find anything linked to this (if I missed something please redirect me). All the data above is NOT tested by me but by other people at the university. I have the exploit (I have not tested it myself though) and can send it for further testing to you if you ask me.

Is this a known exploit? Do I miss something? If I did something wrong mailing this mail, don't be offended and please tell me how to correct it (it is my first post to this mailing list).

Thanks a lot for a great program
Fjutt
On 28 Nov, Fredrik Hultkrantz wrote:
> It doesn't seem to be the crc-bug but more something in the line of a
> buffer overrun during the handshake

As far as I can see it is indeed the old bug in deattack.c they try to exploit. At least I could not get the exploit you sent me to report the sshd as vulnerable unless I backed out that old fix.

/MaF