- To: "'slug@xxxxxxxxxxx'" <slug@xxxxxxxxxxx>
- Subject: [SLUG] FW: [ISN] SSH remote root exploit was released
- From: Marty Richards <marty@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu Feb 22 20:41:01 2001
FYI, upgrade/patch now if you haven't already.
Cheers,
Marty
> -----Original Message-----
> From: InfoSec News [SMTP:isn@xxxxxxx]
> Sent: Wednesday, February 21, 2001 8:34 PM
> To: ISN@xxxxxxxxxxxxxxxxx
> Subject: [ISN] SSH remote root exploit was released
>
> ---------- Forwarded message ----------
> Date: Tue, 20 Feb 2001 11:48:39 -0800 (PST)
> From: Tom Perrine <tep@xxxxxxxx>
> To: sysadmin-L@xxxxxxxx, probes-l@xxxxxxxx, sdriw-announcements@xxxxxxxxx,
> outback2-admin@xxxxxxxxxxxxxxx, Pat Wilson <paw@xxxxxxxx>,
> Brian Kantor <brian@xxxxxxxx>
> Subject: SSH remote root exploit was released
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> A claimed exploit for the long-rumored SSHD remote root exploit was
> released on BUGTRAQ about an hour ago. This is the bug in deattack.c
> that allowed a 16-bit numeric overflow :-) (Nobody could do anything
> with 16 bits, could they? :-( )
>
> There is followup discussion that seems to indicate that this is a real
> exploit.
>
> This was originally reported through various channels about 6-7 Feb,
> and showed up on BUGTRAQ 8 Feb.
>
> There is a claim that Earthlink was "seriously compromised", possibly
> via this exploit. See http://www.cotse.com/2152001.html for details
> (This was reported on ISN this morning.)
>
> Try this URL for the BUGTRAQ summary:
> http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2347
>
> BUGTRAQ claims that all these are vulnerable:
>
> OpenSSH OpenSSH 2.2
> OpenSSH OpenSSH 2.1.1
> OpenSSH OpenSSH 2.1
> OpenSSH OpenSSH 1.2.3
> OpenSSH OpenSSH 1.2.2
> SSH Communications SSH 1.2.31
> SSH Communications SSH 1.2.30
> SSH Communications SSH 1.2.29
> SSH Communications SSH 1.2.28
> SSH Communications SSH 1.2.27
> SSH Communications SSH 1.2.26
> SSH Communications SSH 1.2.25
> SSH Communications SSH 1.2.24
>
> For SSH-1.2.27, the patch is in deattack.c:
>
> *** deattack.c.orig Wed Feb 14 15:59:25 2001
> - --- deattack.c Wed Feb 14 15:59:45 2001
> ***************
> *** 79,85 ****
> detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
> {
> static word16 *h = (word16 *) NULL;
> ! static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
> register word32 i, j;
> word32 l;
> register unsigned char *c;
> - --- 79,85 ----
> detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
> {
> static word16 *h = (word16 *) NULL;
> ! static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
> register word32 i, j;
> word32 l;
> register unsigned char *c;
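Review bot: the widened declaration `static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;` carries no comment explaining why its width matters, so a later cleanup could narrow it again. Please add a one-line comment on `n` saying it must be at least as wide as `l` and `len`, both `word32` in this function. Also note that `h` is still declared `static word16 *h` in the same hunk: the code outside these lines should be checked to confirm that every value stored through `h` fits in 16 bits, and that `len` is bounded before any table size is taken from it, since neither check is visible here.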
>
> Your mileage may vary. For repairs/workarounds for other versions of SSH,
> check the BUGTRAQ notice.
>
> "Patch early, patch often."
>
> - --tep
>
> - --
> Tom E. Perrine (tep@xxxxxxxx) | San Diego Supercomputer Center
> http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000
> "Libertarianism is what your mom taught you: 'Behave yourself
> and don't hit your sister."' - Kenneth Bisson of Angola, Ind.
>