Has anyone around here heard of this?

        ---Mike

>Subject: Re: [Full-Disclosure] new ssh exploit?
>From: christopher neitzert <chris@neitzert.com>
>Reply-To: chris@neitzert.com
>To: full-disclosure@lists.netsys.com
>Date: Mon, 15 Sep 2003 13:48:34 -0400
>
>More on this;
>
>The systems in question are FreeBSD, RedHat, Gentoo, and Debian, all
>running the latest versions of OpenSSH.
>
>The attack makes an enormous number of ssh connections and attempts
>various offsets until it finds one that works, permitting root login.
>
>I have received numerous messages from folks requesting anonymity or a
>direct off-list reply confirming this exploit;
>
>The suggestions I have heard are:
>
>Turn off SSH and
>
>1. upgrade to lsh.
>
>or
>
>2. add explicit rules to your edge devices allowing ssh from only known
>hosts.
>
>or
>
>3. put ssh behind a VPN on RFC-1918 space.
>
>thanks.
>
>On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
>> Does anyone know of or have source related to a new, and unpublished, ssh
>> exploit? An ISP I work with has filtered all SSH connections due to
>> several root-level incidents involving ssh. Any information is
>> appreciated.
>
>--
>Christopher Neitzert - GPG Key ID: 7DCC491B

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
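Suggestion 2 above, spelled out as a pf.conf fragment with the permissive rule kept beside the restricted one. This is an added example, not from the thread or from any of the posters; the interface name and the addresses in the table are placeholders (TEST-NET-1 space), and the only thing the rules assume is that the edge box itself runs pf on its Internet-facing interface.

```pf
# Added example, not from the original thread. The interface name and the
# addresses in <admin_hosts> are placeholders (192.0.2.0/24 is TEST-NET-1).
ext_if = "fxp0"
table <admin_hosts> const { 192.0.2.10, 192.0.2.11 }

# Default-deny inbound on the edge interface, and log the drops so a flood
# of connection attempts against port 22 shows up in pflog.
block in log on $ext_if

# WEAK: any source on the Internet may open as many ssh sessions as it
# likes, which is exactly the precondition the described attack needs.
#pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
#    flags S/SA keep state

# RESTRICTED: sshd is reachable only from the known admin hosts; everything
# else on port 22 falls through to the block rule above.
pass in on $ext_if proto tcp from <admin_hosts> to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the active ruleset with `pfctl -sr`. As a second layer on the sshd side, `AllowUsers admin@192.0.2.10` in sshd_config (user@host patterns are accepted there) limits which accounts can be reached from which addresses even if a firewall rule is later loosened by mistake.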
On Mon, Sep 15, 2003 at 08:53:56PM -0400, Mike Tancsa wrote:
> Has anyone around here heard of this?
>
>         ---Mike

[..]

I think it has just been committed, but not yet disclosed. See the diff in FreeBSD CVS:

$ cd /usr/src/crypto/openssh
$ cvs diff -r1.1.1.1.2.4 -r1.1.1.7
Index: buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.4
retrieving revision 1.1.1.7
diff -r1.1.1.1.2.4 -r1.1.1.7
15c15
< RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $");
---
> RCSID("$OpenBSD: buffer.c,v 1.17 2003/09/16 03:03:47 deraadt Exp $");
71a72
> u_int newlen;
101,102c102,104
< buffer->alloc += len + 32768;
< if (buffer->alloc > 0xa00000)
---
> newlen = buffer->alloc + len + 32768;
> if (newlen > 0xa00000)
104,105c106,108
< buffer->alloc);
< buffer->buf = xrealloc(buffer->buf, buffer->alloc);
---
> newlen);
> buffer->buf = xrealloc(buffer->buf, newlen);
> buffer->alloc = newlen;

--
______________________________________________________________________
 __ __ / || \   FreeBSD Network - http://www.GomoR.org/
| __ |___/      Security Engineer
| || \ \__|| \  >I route, therefore I am<
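Review bot: in the `101,102c102,104` hunk the `newlen` temporary fixes the real defect in the removed lines, where `buffer->alloc += len + 32768` was committed before the `0xa00000` bound check, so on the `fatal` path `buffer->alloc` already claimed space that had never been allocated; what the new lines still leave open is that `buffer->alloc + len + 32768` is `u_int` arithmetic and can wrap for a very large `len`, producing a small `newlen` that passes the `newlen > 0xa00000` test. Unless every caller bounds `len` first, I would reject `len` against the limit before the addition, e.g. `if (len > 0xa00000 || newlen > 0xa00000)`, so the check cannot be bypassed by overflow.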
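Review bot: in the `104,105c106,108` hunk the ordering is the security-relevant part and deserves a comment in the code so it is not "simplified" away later: `buffer->alloc = newlen` is now assigned only after `xrealloc` returns, so if `xrealloc` fails and calls `fatal()`, the struct still describes the old allocation and any cleanup that trusts `buffer->alloc` as the size of `buffer->buf` stays inside the real buffer. The updated `fatal` message reporting `newlen` instead of `buffer->alloc` is consistent with that, since the old message printed a size that had never actually been allocated. A one-line comment above the `xrealloc` call saying "alloc is updated only on success" would make the intent explicit.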