Date: Wed, 28 Nov 2001 23:39:47 -0800
From: Kris Kennaway
To: Brett Glass
Cc: "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011128233947.C53604@xor.obsecurity.org>

On Wed, Nov 28, 2001 at 11:04:02PM -0700, Brett Glass wrote:
> At 10:52 PM 11/28/2001, f.johan.beisser wrote:
>
> >how long have you known of it? frankly, this is the first i've heard about
> >it, let alone the exploit binary.
>
> I reposted a report by Dave Dittrich to this list about two weeks ago. CERT
> has also had it on its Web page for a while now. To sum it up in a few
> sentences: Old versions of SSH have been hacked through the SSHv1 protocol,
> and the vulnerable code was adopted by OpenSSH, so older versions of that
> are vulnerable too.
>
> My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need
> some of the special integration that's been done in the Ports Collection,
> use the latest version that's there (2.9.something the last time I looked).
> FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not
> sure just when they fixed the problem).

Not so much with the Flying Fists of Fud, please Brett. If you'd
actually read the CERT advisory you'd see quite clearly that it was
fixed over a year ago. Dittrich's analysis also says clearly at the
top:

  On October 6, 2001, intruders originating from network blocks in the
  Netherlands used an exploit for the crc32 compensation attack
  detector vulnerability to remotely compromise a Red Hat Linux system
  on the UW network running OpenSSH 2.1.1. This vulnerability is
  described in CERT Vulnerability note VU#945216:

i.e. old, old, boring, old.

Kris