---------- Forwarded message ----------
Date: Tue, 20 Feb 2001 11:48:39 -0800 (PST)
From: Tom Perrine <tep_at_SDSC.EDU>
To: sysadmin-L_at_ucsd.edu, probes-l_at_ucsd.edu, sdriw-announcements_at_sdriw.org,
outback2-admin_at_postal.sdsc.edu, Pat Wilson <paw_at_ucsd.edu>,
Brian Kantor <brian_at_ucsd.edu>
Subject: SSH remote root exploit was released
-----BEGIN PGP SIGNED MESSAGE-----
A claimed exploit for the long-rumored SSHD remote root exploit was
released on BUGTRAQ about an hour ago. This is the bug in deattack.c
that allowed a 16-bit numeric overflow :-) (Nobody could do anything
with 16 bits, could they? :-( )
There is followup discussion that seems to indicate that this is a real
exploit.
This was originally reported through various channels about 6-7 Feb,
and showed up on BUGTRAQ 8 Feb.
There is a claim that Earthlink was "seriously compromised", possibly
via this exploit. See http://www.cotse.com/2152001.html for details
(This was reported on ISN this morning.)
Try this URL for the BUGTRAQ summary:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2347
BUGTRAQ claims that all these are vulnerable:
OpenSSH OpenSSH 2.2
OpenSSH OpenSSH 2.1.1
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
OpenSSH OpenSSH 1.2.2
SSH Communications SSH 1.2.31
SSH Communications SSH 1.2.30
SSH Communications SSH 1.2.29
SSH Communications SSH 1.2.28
SSH Communications SSH 1.2.27
SSH Communications SSH 1.2.26
SSH Communications SSH 1.2.25
SSH Communications SSH 1.2.24
For SSH-1.2.27, the patch is in deattack.c:
*** deattack.c.orig Wed Feb 14 15:59:25 2001
- --- deattack.c Wed Feb 14 15:59:45 2001
***************
*** 79,85 ****
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
static word16 *h = (word16 *) NULL;
! static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
- --- 79,85 ----
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
{
static word16 *h = (word16 *) NULL;
! static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
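Review bot: Widening `n` from `word16` to `word32` is the whole fix, but the hunk shows only the declaration, not the code that sizes the hash table from `n` or compares it with the block count derived from `len` (a `word32`); confirm that none of those sites keeps a 16-bit intermediate, since otherwise the wrap only moves rather than disappears. Also, PGP dash-escaping has turned the two `--- deattack.c` header lines into `- --- deattack.c`, so this text will not apply with `patch` until the leading `- ` is stripped from those lines.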
Your mileage may vary. For repairs/workarounds for other versions of SSH,
check the BUGTRAQ notice.
"Patch early, patch often."
--tep
--
Tom E. Perrine (tep_at_SDSC.EDU) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000
"Libertarianism is what your mom taught you: 'Behave yourself
and don't hit your sister."' - Kenneth Bisson of Angola, Ind.
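To make the "16-bit numeric overflow" concrete, here is an added example (not from the mail or from the SSH sources) that models how the detector's table-size counter wraps when it is held in a word16 and how the word32 fix avoids it; the sizing logic, the HASH_MINSIZE, HASH_ENTRYSIZE and HASH_FACTOR values, and the word16/word32 typedefs are assumed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
typedef uint16_t word16;              /* assumed equivalents of ssh's word16/word32 */
typedef uint32_t word32;
#define SSH_BLOCKSIZE   8u            /* cipher block size the detector hashes */
#define HASH_MINSIZE    8192u         /* assumed: initial table size in bytes */
#define HASH_ENTRYSIZE  2u            /* assumed: one word16 index per entry */
#define HASH_FACTOR(x)  ((x) * 3 / 2) /* assumed load factor: 1.5 entries per block */

/* Entries needed for a `len`-byte packet: start at the minimum and grow
 * geometrically until HASH_FACTOR(blocks) fits. Simplified model, not deattack.c. */
static word32 needed_entries(word32 len)
{
    word32 blocks = len / SSH_BLOCKSIZE;
    word32 l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(blocks))
        l <<= 2;
    return l;
}

/* Vulnerable sizing: `n` is a word16, so a count of 65536 wraps to 0 and the
 * table allocated from it is far too small for the blocks hashed into it later. */
word32 table_bytes_word16(word32 len)
{
    word16 n = (word16) needed_entries(len);   /* silent truncation */
    return (word32) n * HASH_ENTRYSIZE;
}

/* Patched sizing: keep `n` in 32 bits, as the deattack.c patch does. */
word32 table_bytes_word32(word32 len)
{
    word32 n = needed_entries(len);
    return n * HASH_ENTRYSIZE;
}

/* 1 if the 16-bit sizing under-allocates for a packet of `len` bytes. */
int sizing_truncated(word32 len)
{
    return table_bytes_word16(len) < table_bytes_word32(len);
}

int main(void)
{
    word32 len = 262144u;     /* constructed: a 256 KiB packet */
    printf("len=%u word16 table=%u bytes word32 table=%u bytes %s\n", len,
           table_bytes_word16(len), table_bytes_word32(len),
           sizing_truncated(len) ? "TRUNCATED" : "ok");
    return 0;
}
```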
-------------------------------------------------------------------
The above message comes from the sdriw-announcements mailing list.
ISN is hosted by SecurityFocus.com
Received on Feb 21 2001