Full Disclosure mailing list archives
Re: [Rumor] SSH 0-day
From: "Digital Jihad" <auto245326 () hush ai>
Date: Fri, 10 Jul 2009 13:23:30 +0300
It is amazing how easily people are convinced. Every time such a zine surfaces to the public, most "security experts" rush to conclusions that have nothing to do with reality.

Let us get this straight: everyone talks about the astalavista incident, but no one tried to assess the facts behind this attack. A careful reader would have noticed that in the aforementioned attack logs, the environment variables SSH_CLIENT and SSH_CONNECTION are set - although censored. That is only possible after someone has successfully logged into the system. In fact this can be seen in the OpenSSH source code, specifically in the file session.c, where one can easily find out that these variables (along with the whole user environment) are set only after fork() is called and shortly before the shell (or command) is executed, in do_child() and do_setup_env() respectively.

We know that it is easy for those who claim to be "security experts" to make assumptions, but it takes real expertise to figure out the facts. That is why most of you will never notice the actual 0day in the source, which _is_ exploitable but not a one-shot trivial thing.

Kind regards,
Digital Jihad Labs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
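The check the post describes, reading a published transcript for SSH_CLIENT and SSH_CONNECTION, can be done mechanically during triage. The following is an added example, not part of the original message or of OpenSSH; the function names and the sample dump are constructed for illustration, and the "post-auth" verdict simply applies the post's reasoning that sshd sets these variables only for a logged-in session.

```python
import ipaddress
import re

# Field layout of the two variables: a = address, p = port.
# SSH_CLIENT:     client_ip client_port server_port
# SSH_CONNECTION: client_ip client_port server_ip server_port
SSH_VARS = {"SSH_CLIENT": "app", "SSH_CONNECTION": "apap"}

ENV_LINE = re.compile(r"^\s*(?:declare -x |export )?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_env_dump(text):
    """Collect NAME=value lines from a pasted env/export dump or transcript."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("'\"")
    return env

def is_intact(layout, value):
    """True if every field parses as the address or port the layout expects."""
    fields = value.split()
    if len(fields) != len(layout):
        return False
    for kind, field in zip(layout, fields):
        if kind == "p":
            if not field.isdigit():
                return False
        else:
            try:
                ipaddress.ip_address(field.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                return False
    return True

def assess(text):
    """Report which SSH session variables appear and whether they were censored."""
    env = parse_env_dump(text)
    found = {name: ("intact" if is_intact(layout, env[name]) else "redacted")
             for name, layout in SSH_VARS.items() if name in env}
    return {"post_auth_session": bool(found), "vars": found}

# Constructed sample: a transcript fragment with censored connection details.
SAMPLE_DUMP = """[root@host ~]# env
SHELL=/bin/bash
SSH_CLIENT=xx.xx.xx.xx 51234 22
SSH_CONNECTION=[censored]
USER=root
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DUMP))
```

A pasted transcript is only as trustworthy as its source, so treat the result as one data point alongside sshd authentication logs for the same time window.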
Current thread:
- [Rumor] SSH 0-day Martin Spinassi (Jul 08)
- Re: [Rumor] SSH 0-day Ben Rosenberg (Jul 08)
- Re: [Rumor] SSH 0-day Anderson Kaiser (Jul 08)
- Re: [Rumor] SSH 0-day frank^2 (Jul 08)
- <Possible follow-ups>
- Re: [Rumor] SSH 0-day Kaspar Mendev (Jul 09)
- Re: [Rumor] SSH 0-day James Matthews (Jul 09)
- Re: [Rumor] SSH 0-day Charles Majola (Jul 09)
- Re: [Rumor] SSH 0-day Kevin Wilcox (Jul 09)
- [Rumor] SSH 0-day Kevin Wilcox (Jul 09)
- Re: [Rumor] SSH 0-day James Matthews (Jul 09)
