From owner-freebsd-security  Thu Nov 29 11:34:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP id 64A1137B419
	for <security@FreeBSD.ORG>; Thu, 29 Nov 2001 11:34:47 -0800 (PST)
Received: by gw.nectar.com (Postfix, from userid 1001)
	id 8DEC62F; Thu, 29 Nov 2001 13:34:46 -0600 (CST)
Date: Thu, 29 Nov 2001 13:34:46 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: Brett Glass <brett@lariat.org>
Cc: Kris Kennaway <kris@obsecurity.org>,
	"f.johan.beisser" <jan@caustic.org>, Mauro Dias <localhost@dsgx.org>,
	security@FreeBSD.ORG
Subject: Re: sshd exploit
Message-ID: <20011129133446.A23161@hellblazer.nectar.com>
References: <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 11:46:50AM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote:
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune? 

As a member  of the FreeBSD Security Officer team,  I have worked with
both the  TESO and x2 exploits.   Neither work against any  version of
OpenSSH later  than 2.2.0, which includes  4.4-RELEASE.  Both programs
attack the CRC detector.

This doesn't prove that there is  not yet another exploit program that
does, but so far we have only rumours.

> This is important, since 
> without a disassembly we do not know whether the exploit attacks this 
> vulnerability or a different (possibly related?) one. 

Who says we don't have a disassembly?  Anyway, one doesn't need one to
determine what the exploit does when  run, or how it affects arbitrary
versions of OpenSSH.

> We also do not know
> if the claimed fix was fully effective against all possible exploits.

We can never know that about this fix or any other, of course.
-- 
Jacques A. Vidrine <n@nectar.com>                   http://www.nectar.com/
NTT/Verio SME           .      FreeBSD UNIX      .        Heimdal Kerberos
jvidrine@verio.net      .   nectar@FreeBSD.org   .           nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message