Vulnerability Development mailing list archives

Re: new sshd vulnerability


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Fri, 26 Oct 2001 10:38:33 -0400 (EDT)

On Fri, 26 Oct 2001, Franklin DeMatto wrote:

> all this talk of an sshd vulnerability has made my head spin... are we
> talking about the (old) detect crc attack
> typemismatch->malloc(0)/realloc(0) vulnerability - and just finding a
> decent exploit for this - or has a new sshd vulnerability been
> discovered?  If a new vuln *has* been found, please, speak up, what is
> it and which versions of sshd are vulnerable?


hi Frank,

it's the crc32 compensation attack, but the compensation in the fix was
vulnerable to a very subtle bug, detailed by the illustrious Zalewski (at
BindView):

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

from the advisory:

        ** Vulnerable:

                SSH 1.2.24 - 1.2.31 (ssh.com) -- all versions to date of
                release of this advisory

                F-SECURE SSH 1.3.x -- all recent releases

                OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is
                disabled)

                OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH
                derived daemons

        ** Not vulnerable:

                SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations
                with SSH1 fallback support are vulnerable

                OpenSSH 2.3.0 (problem fixed)

                SSH 1.2.32 (ssh.com, released 10/22/2001)

                SSH1 releases prior to 1.2.24 (vulnerable to crc attacks)

                Cisco SSH (own implementation)

                LSH (SSH protocol 1 not supported)

        ** Other SSH daemons: not tested


i hope this helps.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
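Added example, not code from this thread, the BindView advisory, or the ssh/OpenSSH source: a C reconstruction of the hash-table sizing arithmetic in the CRC32 compensation attack detector (deattack.c), showing the "type mismatch -> malloc(0)" that Franklin's question refers to. The table grows by quadrupling until it covers 1.5x the number of cipher blocks in the packet; for the largest packet the length check accepts, that is 65536 entries, which wraps to 0 when the count is stored in a 16-bit variable. The constants, macro names and the quadrupling loop are written from memory of that file and should be treated as assumptions; the function names are mine.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in the ssh1/OpenSSH deattack.c of the time (assumed). */
#define SSH_BLOCKSIZE   8
#define SSH_MAXBLOCKS   (32 * 1024)
#define HASH_MINSIZE    (8 * 1024)      /* initial table size in bytes */
#define HASH_ENTRYSIZE  2               /* one 16-bit entry per block */
#define HASH_FACTOR(x)  ((x) * 3 / 2)

/* 1 if the detector would accept a packet of this length, 0 if it
 * would bail out with fatal() before any table sizing happens. */
int length_accepted(uint32_t len)
{
    return len <= SSH_MAXBLOCKS * SSH_BLOCKSIZE && len % SSH_BLOCKSIZE == 0;
}

/* Entry count the detector grows its hash table to for a packet of
 * len bytes: start at the minimum and quadruple until the table holds
 * 1.5x the number of cipher blocks. For the largest accepted packet
 * (262144 bytes, 32768 blocks) this reaches 65536. */
uint32_t grown_entries(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;   /* 4096 */
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Vulnerable sizing: the entry count lives in a 16-bit variable, so
 * 65536 wraps to 0 and the allocation request becomes 0 bytes. The
 * detector then still walks the table with indices masked by (n - 1),
 * which with n == 0 no longer bounds anything. */
size_t vulnerable_alloc_bytes(uint32_t len)
{
    uint16_t n = (uint16_t)grown_entries(len);    /* 32 -> 16 bit truncation */
    return (size_t)n * HASH_ENTRYSIZE;
}

/* Fixed sizing: keep the entry count 32 bits wide so the requested
 * size matches the index range the detector actually uses. */
size_t fixed_alloc_bytes(uint32_t len)
{
    uint32_t n = grown_entries(len);
    return (size_t)n * HASH_ENTRYSIZE;
}

int main(void)
{
    /* Constructed packet lengths: small, just past the wrap, and maximum. */
    uint32_t lens[] = { 8192, 87392, 262144 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = lens[i];
        if (!length_accepted(len))
            continue;
        printf("len=%6u entries=%5u vulnerable=%6zu bytes  fixed=%6zu bytes\n",
               len, grown_entries(len), vulnerable_alloc_bytes(len),
               fixed_alloc_bytes(len));
    }
    return 0;
}
```

The point for a defender is that the length check in front of the detector is not what went wrong: every length used here passes it. The bug is the width mismatch between the 32-bit loop variable and the 16-bit count it is stored into, which is why the fix was to widen the count rather than to tighten the length check.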

