Re: [Cooker] New SSH bug ?
[EMAIL PROTECTED] wrote:
> On Tue, 16 Sep 2003, Michael Scherer wrote:
>
> FYI, I see updates are already on mandrakesecure. Did we beat RH this
> time?

No, nor Debian (who apparently had advisories and packages out by the
time it hit /.).

Regards,
Buchan

-- 
Buchan Milne  Mechanical Engineer, Network Manager
Stellenbosch Automotive Engineering http://www.cae.co.za
Re: [Cooker] New SSH bug ?
On Tue, 16 Sep 2003, Michael Scherer wrote:

> On Tuesday 16 September 2003 22:15, Jan Ciger wrote:
> > Han Boetes wrote:
> > | Always fun in the #openbsd channel. Always some people who want to
> > | make it seem like the end of the world and the next worldwar.
> >
> > Ehm, there are reports that it led to root compromise already, so I
> > would execute extreme caution about this one. Considering that SSH is
> > on almost every Unix system, this may be a major issue.
>
> well, after reading the diff
> http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h
>
> i see that some memory that shouldn't be freed is freed, thus probably
> crashing sshs ( which is annoying, if you do not use ssh_monitor ).
> But, i do not see how someone can use this to inject a shellcode, but
> maybe time will prove i am wrong.
>
> > | The text is very clear though:
> > |
> > | All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> > | management error. It is uncertain whether this error is
> > | potentially exploitable, however, we prefer to see bugs
> > | fixed proactively.
> >
> > This just means, that they do not know about the exploit yet :-( Not
> > that your machine cannot be compromised.
>
> the same can be said about any server.

FYI, I see updates are already on mandrakesecure. Did we beat RH this time?

d.
Re: [Cooker] New SSH bug ?
On Tuesday 16 September 2003 22:15, Jan Ciger wrote:
> Han Boetes wrote:
> | Always fun in the #openbsd channel. Always some people who want to
> | make it seem like the end of the world and the next worldwar.
>
> Ehm, there are reports that it led to root compromise already, so I
> would execute extreme caution about this one. Considering that SSH is
> on almost every Unix system, this may be a major issue.

well, after reading the diff
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h

i see that some memory that shouldn't be freed is freed, thus probably
crashing sshs ( which is annoying, if you do not use ssh_monitor ).
But, i do not see how someone can use this to inject a shellcode, but
maybe time will prove i am wrong.

> | The text is very clear though:
> |
> | All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> | management error. It is uncertain whether this error is
> | potentially exploitable, however, we prefer to see bugs
> | fixed proactively.
>
> This just means, that they do not know about the exploit yet :-( Not
> that your machine cannot be compromised.

the same can be said about any server.

-- 
Michaël Scherer
Re: [Cooker] New SSH bug ?
Jan Ciger <[EMAIL PROTECTED]> wrote:
> Han Boetes wrote:
> | Always fun in the #openbsd channel. Always some people who want to make
> | it seem like the end of the world and the next worldwar.
>
> Ehm, there are reports that it led to root compromise already, so I
> would execute extreme caution about this one. Considering that SSH is on
> almost every Unix system, this may be a major issue.

Yeah do spread the hoax. Do not listen to Theo, everyone gotta be in
total fear.

> | The text is very clear though:
> |
> | All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> | management error. It is uncertain whether this error is
> | potentially exploitable, however, we prefer to see bugs
> | fixed proactively.
>
> This just means, that they do not know about the exploit yet :-( Not
> that your machine cannot be compromised.

This means exactly what it means. Not the twist you just spun in your
head. Ow you aren't listening anymore.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
Re: [Cooker] New SSH bug ?
Jan Ciger wrote:
> Han Boetes wrote:
> | Always fun in the #openbsd channel. Always some people who want to make
> | it seem like the end of the world and the next worldwar.
>
> Ehm, there are reports that it led to root compromise already, so I
> would execute extreme caution about this one. Considering that SSH is on
> almost every Unix system, this may be a major issue.

And if this isn't the vulnerability mentioned in the original thread on
full-disclosure, what is (considering IIRC those reports were before the
news of the patch was out)??

Vince is working on packages, I am running my own on my 9.0 and 9.1 boxes:
http://ranger.dnsalias.com/mandrake/9.1/
http://ranger.dnsalias.com/mandrake/9.0/

> | The text is very clear though:
> |
> | All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> | management error. It is uncertain whether this error is
> | potentially exploitable, however, we prefer to see bugs
> | fixed proactively.
>
> This just means, that they do not know about the exploit yet :-( Not
> that your machine cannot be compromised.

Considering that Theo was apparently showing some serious concern over
some Cisco and HP? routers running openssh ... I would patch ASAP.

Regards,
Buchan

-- 
Buchan Milne  Mechanical Engineer, Network Manager
Stellenbosch Automotive Engineering http://www.cae.co.za
Re: [Cooker] New SSH bug ?
Han Boetes wrote:
| Always fun in the #openbsd channel. Always some people who want to make
| it seem like the end of the world and the next worldwar.

Ehm, there are reports that it led to root compromise already, so I
would execute extreme caution about this one. Considering that SSH is on
almost every Unix system, this may be a major issue.

| The text is very clear though:
|
| All versions of OpenSSH's sshd prior to 3.7 contain a buffer
| management error. It is uncertain whether this error is
| potentially exploitable, however, we prefer to see bugs
| fixed proactively.

This just means, that they do not know about the exploit yet :-( Not
that your machine cannot be compromised.

Jan

-- 
Jan Ciger
VRlab EPFL Switzerland
Re: [Cooker] New SSH bug ?
Jan Ciger <[EMAIL PROTECTED]> wrote:
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html
>
> Seem that something is going on :-(

Always fun in the #openbsd channel. Always some people who want to make
it seem like the end of the world and the next worldwar.

The text is very clear though:

    All versions of OpenSSH's sshd prior to 3.7 contain a buffer
    management error. It is uncertain whether this error is
    potentially exploitable, however, we prefer to see bugs
    fixed proactively.

Just install the updates like you always did.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
Re: [Cooker] New SSH bug ?
On Tue, 16 Sep 2003 17:55:55 +0200 Jan Ciger <[EMAIL PROTECTED]> wrote:
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html

It seems to be fixed in Open SSH 3.7, to be announced today.

For further info in French:
http://linuxfr.org/2003/09/16/13952.html

-- 
Olivier Blin
Re: [Cooker] New SSH bug ?
On Tue, Sep 16, 2003 at 05:55:55PM +0200, Jan Ciger wrote:
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html
>
> Seem that something is going on :-(

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940&w=2

This link was posted on slashdot, containing the following:

---
List: openbsd-misc
Subject: OpenSSH Security Advisory: buffer.adv
From: Markus Friedl
Date: 2003-09-16 12:32:15

This is the 1st revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:

   All versions of OpenSSH's sshd prior to 3.7 contain a buffer
   management error. It is uncertain whether this error is
   potentially exploitable, however, we prefer to see bugs
   fixed proactively.

2. Solution:

   Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c === RCS /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- buffer.c26 Jun 2002 08:54:18 - 1.16 +++ buffer.c16 Sep 2003 03:03:47 - 1.17 @@ -69,6 +69,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x10) @@ -98,11 +99,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa0) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa0) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ }
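
Review bot: the reordering at the end of the second hunk, where `buffer->alloc = newlen;` now comes after `xrealloc()`, carries the whole fix but has no comment saying so. The removed lines grew `buffer->alloc` before the size check, so on the `fatal()` path the recorded size was already larger than what `buffer->buf` actually holds; a short comment above the assignment stating that `alloc` must never exceed the allocated size would stop a later cleanup from folding the assignment back into the computation. Separately, `newlen = buffer->alloc + len + 32768` is `u_int` arithmetic and the limit check on `newlen` only holds if that sum has not wrapped, so the same comment should say which earlier bounds on `len` and `buffer->alloc` guarantee it.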