OpenSSH Local Root Hole

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though its a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."

There goes OpenBSDs slogan...

[psychofox]

I take it that their slogan "Four years without a remote hole in the default install!" will not being changed to "Five years without a remote hole in the default install!" then?

Shame...

Re:There goes OpenBSDs slogan...

[TheConfusedOne]

Ummm, RTFP!

It's a LOCAL exploit. You have to be logged in to exploit it.

Re:There goes OpenBSDs slogan...

Perhaps I should point out this is not a *remote* hole, yet. That is what *local* exploit means.

Re:There goes OpenBSDs slogan...

Read->Comprehend->Post

This is (so far) a local hole.

Re:There goes OpenBSDs slogan...

[SonicBurst]

Actually, they may have to backdate that slogan. The problem has existed since version 2.0, so this hole would have existed since whenever they started shipping with at least version 2.0. And by the way, it is local exploit as of yet, however, remote exploitation has not been ruled out.

Re:There goes OpenBSDs slogan...

[prog-guru]

Maybe that will teach them not to install sshd in the base system.

Same goes for telnetd, named, sendmail, etc.

Re:There goes OpenBSDs slogan...

[Chundra]

Ummmm, RTFP!

They aren't ruling out the possibility of a remote exploit.

Re:There goes OpenBSDs slogan...

it's OpenSSH not OpenBSD

Re:There goes OpenBSDs slogan...

[Gabey]

You must be a troll, but for the benefit of others, OpenBSD doesn't install telnetd, named, or sendmail by default.

Re:There goes OpenBSDs slogan...

I'm afraid it does install them.

It does not run them by default.

Heaps of difference.

And BTW, this can make sense, like,
telnet+KerberosV is probably not insecure, just a bit hard to configure.

Re:There goes OpenBSDs slogan...

[SweetAndSourJesus]

Therefore you should not rule in the possibility that it's remote.

Re:There goes OpenBSDs slogan...

thats good, because i heard... that BSD is dying!!!

Re:There goes OpenBSDs slogan...

Hopefully this is only locally exploitable...

OpenBSD certainly hasn't been nor is it free of local exploits.

Re:There goes OpenBSDs slogan...

They are installed. Telnetd and named are not turned on and sendmail is turned on in a localhost only configuration.

Sorry!

Re:There goes OpenBSDs slogan...

[Mordac+the+Preventer]

"Four years without a remote hole in the default install!"

Is ssh server enabled in the default install? I would think (hope) not - You don't want to run services that you do not need, and does a workstation need sshd?

Re:There goes OpenBSDs slogan...

[slpalmer]

OpenBSD doesn't install telnetd, named, or sendmail by default.

That's funny, I just did a base install of OpenBSD 3.0 about 4 days ago for my firewall, and it included sendmail and bind4 in the default install. Sendmail was running, bind was not.

Stephen L. Palmer

Re:There goes OpenBSDs slogan...

Yes, and OpenBSD is generally used for workstations, not servers.

Are you English or retarded?

Re:There goes OpenBSDs slogan...

OpenSSH in NOT enabled in the default install. Freaking linux people want that off that front page soooo bad.

Re:There goes OpenBSDs slogan...

[night-shade]

however if you make the effort to look you'll find that sendmail is only listening on loca loopback 127.0.0.1 (lo in linux speak)

Re:There goes OpenBSDs slogan...

Yes it is.

Re:There goes OpenBSDs slogan...

[maeglin]

OpenSSH in NOT enabled in the default install.

Yes it is.. I just installed it two weeks ago and when I was done I ssh'd into the newly created machine. It never asked me if I wanted it.

It even allows remote root login (it strongly advises otherwise, but it allows it).

dan

Re:There goes OpenBSDs slogan...

[segmond]

In theory everything is possible, until someone demonstrates that possiblity in reality. OpenBSD is still right with her claim.

Re:There goes OpenBSDs slogan...

[ncc74656]

Is ssh server enabled in the default install? I would think (hope) not - You don't want to run services that you do not need, and does a workstation need sshd?

How else are you going to do remote maintenance on it? What are you going to use for remote access to your stuff? You sure as hell don't want to use telnet.

(If you think you'll never need remote access, though, you can leave it out. As for me, I like the ability to tap into my home machines anywhere I can run SSH and VNC. I even have Win32 SSH and VNC clients on my webserver that I can download on a random Win32 box (even many public systems) to access my systems (both Linux and Win32) at home.)

Re:There goes OpenBSDs slogan...

[slpalmer]

you'll find that sendmail is only listening on loca loopback 127.0.0.1

True, but the main point I was attempting to make was that these things are indeed included in the "default installation".

ie:
root on smaug:~ % ls -l /usr/libexec/telnetd
-r-xr-xr-x 1 root bin 90112 Oct 18 15:26 /usr/libexec/telnetd
root on smaug:~ % uname -a
OpenBSD smaug.midearth.org 3.0 GENERIC#0 i386
root on smaug:~ % ls -l /usr/sbin/named
-r-xr-xr-x 1 root bin 151552 Oct 18 15:27 /usr/sbin/named

Re:There goes OpenBSDs slogan...

Are you sure. 2.7 only had auth and some other irrelevant thing listening.

Re:There goes OpenBSDs slogan...

Make your own brain to think......

Re:There goes OpenBSDs slogan...

[Amon+Re]

I remember OpenSSH having a remote exploit within the last couple of years, so that statement on there site is a lie.

Re:There goes OpenBSDs slogan...

[someonehasmyname]

You are totally correct. openSSH, and portmap for sure.. I want to say sendmail is also enabled..? I use FreeBSD mostly, so I'm not 100% sure.

Re:There goes OpenBSDs slogan...

there is no way sendmail is enabled on default install.

Re:There goes OpenBSDs slogan...

You are going to have to be more specific than that.

Openssh is used on many platforms and not all of them will suffer from the same exploit issues.

4 years without a remote hole in the default install is still valid.

Re:There goes OpenBSDs slogan...

[briosa]

How can something like this make its way into OpenSSH?! Off-by-one? It might be a common error to make, but I would think that people writing security software would constantly be thinking to themselves about the consequences of these kinds of errors. It's also a real bonehead mistake. Everyone knows that to iterative over an array of n elements, you do this: for(i = 0; i arraySize) { error(); } else { ... } I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I loop over arrays I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece of security software. How completely embarrassing. Briosa.

Re:There goes OpenBSDs slogan...

sendmail in the default install only accepts connections from the loopback device

Re:There goes OpenBSDs slogan...

[tzanger]

OpenBSD is still right with her claim.

I don't think so... IIRC there was a remote root exploit in ssh < 3.0p1 which caused me to update my systems, and now this.

Re:There goes OpenBSDs slogan...

[Chundra]

Everyone knows that to iterative over an array of n elements, you do this: for(i = 0; i arraySize) { error(); } else { ... }

Reeeeeeeeeeally? In what language?

How can someone like you have the nerve to criticize the OpenSSH guys?! Missing '<' and '>' in such a critical spot! Jeez! It might be a common error to make, but I would think people trying to illustrate the incompetance of a talented security software coder making a minor mistake would constantly be thinking to themselves about the consequences of these kinds of trivial syntactic errors. It's also a real bonehead mistake. Everyone knows that you use & lt ; and & gt ; in HTML to get the '<' and '>' symbols. I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I use '<' or '>' to illustrate how stupid someone else is (when they're trying to illustrate how stupid someone else is) I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece like this. How completely, and totally embarrassing for you, Briosa.

Re:There goes OpenBSDs slogan...

this is a linux-only vulnerability exploitable
only under certain conditions, you troll...

shame on you...

Re:There goes OpenBSDs slogan...

[Florian+Weimer]

This is not a local exploit. And didn't OpenBSD ship vulnerable SSH server implementations (with the CRC32 attack decompensator buffer overflow)?

Re:There goes OpenBSDs slogan...

[Fjord]

Why does every workstation need remote maintenance?

I can see the benefit of adding ssh to some workstations, but not enough to make it part of the default install. I too find my ssh access to my home machine beneficial (although it's a headless server), but I don't blame debian for having me go in and install it.

Re:There goes OpenBSDs slogan...

That was truly beautiful.

Re:There goes OpenBSDs slogan...

[Tuzanor]

sendmail is enabled by default, but listens only on loopback...

Re:There goes OpenBSDs slogan...

[kz45]

I remember OpenSSH having a remote exploit within the last couple of years, so that statement on there site is a lie.

I want to sound like a troll here, but I thought the benefit of Open Source Software was that there are "hundreds of eyes checking the code for bugs" and the ability for "anyone to fix a security flaw".

If im going to have the same amount of bugs in it that a closed source project has, what's the point? (besides ideals).

BTW. Another firm example of this is PHP (which slashdot has neglected to even cover). A remote exploit in all previous versions that allows anyone to execute code on an affected system. Something as bad as code red could easily start propagating through peoples' systems.

Re:There goes OpenBSDs slogan...

[Wakko+Warner]

You must be a troll, but for the benefit of others, OpenBSD doesn't install telnetd, named, or sendmail by default.

Then what the hell good is their claim? Wow, yeah, there's no remote hole because we don't fucking enable anything that accepts remote connections. OpenBSD's claim is as empty as its feature set.

-A.P.

Re:There goes OpenBSDs slogan...

I have a box running OpenBSD that has never had a monitor or keyboard attached to it. Boy am I ever glad sshd is installed by default. :P

It would be stupid NOT TO install sshd, because remote login is pretty standard for any UNIX. IIRC, it's the only daemon that's enabled by default.

Re:There goes OpenBSDs slogan...

If im going to have the same amount of bugs in it that a closed source project has, what's the point? (besides ideals).

People find them and fix them faster.

OpenBSD in particular has done lots of auditing. It's pretty bullet-proof. Yes, there have been flaws. The flaws were fixed. Would you rather run Solaris and they won't even tell you the flaws exist, even when they do know, let alone fix them?

Re:There goes OpenBSDs slogan...

[prog-guru]

Actually, if the channels.c code is used in the client progs, then isn't there still a bug? Then if ssh is setuid root, I don't remember if OpenBSD's was, then it is a root hole. If you run the ssh client as root then that would also be true.

The point is a base system should be minimal, then install networking tools if you need them.

Re:There goes OpenBSDs slogan...

PHP exploit was nowhere as bad as IIS remote hole that code red uses, it was in file upload code, most people probably don't have any file upload stuff done in php, and certainly not automagically right after installation of web server.

Re:There goes OpenBSDs slogan...

[Clived]

Wow ! All these anonymous postings sounding like trolls. I installed OPenSSH3.1p1, in less time than it took to read all the posts in this thread. My point is, an exploit was discovered, a solution was offered, we move on from there. It's the OpenSource way, got it ?

My two bits

Re:There goes OpenBSDs slogan...

[Fjord]

Ok, but that isn't a workstation, obviously.

More Proof

[SquierStrat]

This is just more proof that nothing is 100% secure. :-) How does that saying go, if it can be devise it what? Some want to finish that for me?

Regardless of that though, I get on my knees and thank God everyday for SSH. It's saved me many many many hassles from simply forgetting to turn it off on computers on my home's network.

Re:More Proof

Does it bother anyone else that the last THREE releases of OpenSSH were because of discovered holes? Not very encouraging from a group of induhviduals who like to pride themselves (and very loudly at that) on security.

Re:More Proof

[SquierStrat]

I'm sure it's more than the last three. Really, how many new features does SSH need? Bugs in an application of this type that is as mature as SSH tend to be security related. It actually makes me feel better that they're quickly responding to security bugs and doing new releases because of it.

Re:More Proof

As opposed to what? Many upgrades and versions are due to security fixes.

OpenSSH is not new, but relative to the full stream of new applications written and introduced in the world, for the time it's been out, has far less security holes than most of them. And BECAUSE a loud, proudful group writes it, it's always under scrutiny. And it's under far more scrutiny BECAUSE it's written by that loud, proudful group. And probably a fairly widely used application, causing even more scrutiny.

The argument is no difference than some linux advocates stating security fixes are found on linux regularly due to it's increased usage, type of community, and new code segments being introduced regularly.

Keep things in perspective before you try to slam something.

Full disclosure = annoying.

[Vincepb]

Yay!
Now we get another bunch of worms scanning the whole net for vulnerable boxes so they can make DDoS nets!
Thank god for full disclosure!

*gags*

Vince.

Re:Full disclosure = annoying.

[bill0r]

Come on, spell with me, L-O-C-A-L

Re:Full disclosure = annoying.

[SquierStrat]

Script kiddiesprobably has known about this for a while. Full diclosure is not only a way to get the word out so that it can be quickly patched (which apparently it already is) but also a way to kind of force people into an upgrade. That way no one with an old version of ssh is sitting there being unknowingly used for DDOS attacks because they didn't know he needed to upgrade.

Full disclosure has its downsides,but the upsides pretty much cancel them out.

Re:Full disclosure = annoying.

This isn't flaimbait. I do wish moderators would atleast BORROW a clue before they spend their mod points.

The original poster pointed out a result of this (soon to be remote, no doubt) SSH vulnerability.

Go smoke a cock.

Re:Full disclosure = annoying.

[Vincepb]

Full disclosure is where the script kiddies get their tools.
Now this is public knowledge, an exploit will be available within hours.

There is a difference between the people who discover vulnerabilities and those who browse security-focus for them.

This should have been fixed before it was announced, and a period of time waited for people to upgrade.

There isn't even a fixed version available for multiple platforms yet, ffs.

Vince.

Re:Full disclosure = annoying.

[Sarin]

Nah they don't.;) But I'm working on exploit code as we speak.

Re:Full disclosure = annoying.

[Vincepb]

Please read the articles before posting.
A remote exploit has not been ruled out.
Chances are, one will be available shortly to the general public and script kiddie scenes.

Vince.

Re:Full disclosure = annoying.

[SquierStrat]

I'm going to disagree. Script kiddies don't look at security focus, they go looking for things to exploit the vulnerabilities written by well skills hackers/crackers. If they waiting any amount of time to upgrade, the only people who would have upgraded would have been people like me who download and install the latest version of EVERYTHING just because they can. The people with the bandwidth that need to upgrade wouldn't do it, because they can't afford the service outage. With full disclosure they'll be more or less forced into upgrading. I'm sure the multi-platform release will be done in a few hours also.

Re:Full disclosure = annoying.

[Vincepb]

Please don't post to bugsmaq when you're done. =p
We really don't need more smart-enough-to-be-dangerous script kiddies armed with other peoples code causing more mayhem.

Vince.

Re:Full disclosure = annoying.

sung to the mickey mouse tune:

L O C
A L L
Y ex ploit a bleee

Re:Full disclosure = annoying.

[gehirntot]

Full disclosure is where the script kiddies get their tools.
Now this is public knowledge, an exploit will be available within hours.
You do not know what you are talking about. Full disclosure has greatly improved security awareness and turn around time for fixes. If you want to turn your back on full disclosure, you are heading back into the middle-ages of computer security.

This should have been fixed before it was announced, and a period of time waited for people to upgrade.
The information was leaked by someone who jumped the gun. That is the reason why the relase and advisory happened today instead of Monday. Nothing to be done about it. Instead of bitching, fix a bug in your operating system and send a patch to the developers. Much more useful behaviour for all of us.

Of course, you should be running with ln -s AJ /etc/malloc.conf anyway. It will fill freed memory with junk, and quite often finds conditions where memory is referenced after it has been freed. In that case, there is no problem anyway. If your operating system of choice has not support for malloc debugging, looby your developers, it is a very useful feature.

Re:Full disclosure = annoying.

[Vincepb]

Script kiddies are the scavengers who feed off of other peoples code.
A great place to get this code is secfocus.

As for what you say about bandwidth being relative to upgrades... Well. Explain the previous worms and DDoS nets? Not everyone gives a fuck. Not everyone will be bothered to upgrade. Some people don't even know how...

Vince.

Re:Full disclosure = annoying.

[Vincepb]

Please take a look at http://anti.security.is when you have some spare time.

In particular:

Q: What's wrong with full disclosure?
A: Full disclosure attempts to contradict the saying "two wrongs don't make a right" in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example: An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn't end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure!

Vince.

Re:Full disclosure = annoying.

you are overhasty and underinformed.
overhasty and underinformed
overhasty and underinformed
overhasty and underinformed
(that's me waiting for assdot to tell me it's okay to post:terminal echo.........)

Re:Full disclosure = annoying.

[gehirntot]

Please take a look at http://anti.security.is when you have some spare time.
anti.security.is is a place for disinformation. Everybody knows that. Just try to follow their arguments, and you will see that it is not sound. With an incorrect premiss, you can derive whatever you like.

Besides, the cycle that they are describing is exactly how security research works. People who fix, and people who break. Working together to improve your security.

Re:Full disclosure = annoying.

[SquierStrat]

If you had a T-1, I'm sure you know how. Since when does security focus distribute exploit code? Script kiddies scavenge ready made exploits, Security Focus doesn't provide that.

Re:Full disclosure = annoying.

[andy@petdance.com]

This should have been fixed before it was announced, and a period of time waited for people to upgrade.

If it's fixed, then that in itself announces what the fix is. Just do a diff between vN and vN+1 and see what changed. "Hey, look, it's a buffer overrun they fixed."

Security through obscurity is no security.

Re:Full disclosure = annoying.

[Vincepb]

If someone ran the T1 themselves, yes it's likely they would be capable of upgrading.

What about dedicated servers?
99 bucks a month. rackshack.net.
They can put out a couple mbps each. How many vulnerable machines do you think are going to remain on that network alone because of clueless users?

It's not as cut and dry as you might think.
And yes, secfocus does distribute code, when code is available.

Vince.

Re:Full disclosure = annoying.

[seek31337]

Uhm, You're obvously security unclued... this is only exploitable by people with access to your machine. a 'worm' would not work.

Don't get mad at the security community for your lack of understanding on how to admin a machine. Everyone gets hacked sometime, it's your responsability to make sure it's not on your watch.

Re:Full disclosure = annoying.

[SquierStrat]

How many clueless users are going to a) have a dedicate server and b) be using ssh in the first place?

Re:Full disclosure = annoying.

[Vincepb]

Okay - Forget the link, and just read the section from the FAQ that I posted.

It makes sense to me, atleast. :)

Vince.

Re:Full disclosure = annoying.

[Vincepb]

A hell of a lot.
(I'm in the webhosting business myself...)

Vince.

Re:Full disclosure = annoying.

[Vincepb]

Please read the article.
A remote exploit has not been ruled out.
As of now, a local exploit isn't even confirmed, since there is no concept code.

Vince.

Re:Full disclosure = annoying.

[SquierStrat]

Well then you should be responsible enough to tell you users they need to upgrade and/or to do it for them. It's not that difficult, my little brother and sister do it all the time for me in linux when I'm away. I just say type this and this and this and ttyl. Not very difficult. But truly, how many of them use SSH? I somehow don't buy that absolutely clueless people are using some like SSH. The two are mutually exclusive it would seem to me.

Re:Full disclosure = annoying.

[markov_chain]

I would argue that there *is* a maximum version number-- let's call it v100 to denote 100% security. By "security" I necessarily mean technical security from remote attacks, ignoring various shortcuts using social engineering, physical access, etc. A secure protocol based on public key crypto without bugs would be 99% secure, to account for the remote possibility of finding efficient ways to reconstruct private keys.

Now take an implementation with (presumably) many bugs, such as OpenSSH, that is, say, 50% secure. The sooner the trivial engineering bugs can be fixed, the sooner the implementation will be 99% secure, at which point the only hope of compromising its security is in some unpredictable breakthrough in mathematics. This is why the armor-piercing bullet arms race argument doesn't make sense to me. Sooner or later it is bound to reach a limit which can only be surpassed with revolutionary advances.

I don't think full disclosure is really important in this process; instead, open source is what makes it possible to find bugs early. In fact, open source implies full disclosure-- without bugtraq or whatever, you can imagine downloading each new version of SSH and looking at diffs to deduce what bugs got fixed.

Re:Full disclosure = annoying.

[Vincepb]

Well, all of the machines WE run of course will be upgraded. Automatically, since we run an auto-update system...

But rackshack.net (sticking with my example) provide unmanaged services. This means their users are on their own.

Also; once you have a couple hundred clients with a machine each, upgrading for them, or walking them through the process, or even ensuring they all actually do so, becomes very difficult.
And I'm sure they have many more than a couple hundred.

Also - Theres a difference between SSH running, and using SSH. Stupid users may never use SSH, but SSH will likely still be running on the machine. (Depending on distro, etc. But mostly RedHat 7.x's and Cobalt, which both have SSH enabled by default).

Vince.

Re:Full disclosure = annoying.

[fire-eyes]

Okay, you can have the alternative of not being told immediately and some of your systems being owned. Have fun.

Re:Full disclosure = annoying.

[Vincepb]

So, armour is revolutionized and becomes 99% unpiercable.
Next, ammo is revolutionized, and pierces every shot.

Rinse, repeat.

We had a mathematics breakthrough recently that made public key crypto shorter than 4k bits almost trivial to crack. I think it was on Slashdot, but I don't remember any links... Either way, the revolution was made, and a lot of encryption is no longer providing the protection it should.

So, now we use 4k bit encryption or higher. What happens when that becomes trivially cracked?
8k bit? 128k bit?

Thats the problem, the weapons makers know the specifications, EXACTLY, of the defence mechanisms.

Unfortunately you are correct, Open Source itself promotes full disclosure, which is part of whats so annoying... Open Source rocks. But full disclosure doesn't. Thems the breaks I guess?

Vince.

Re:Full disclosure = annoying.

[Vincepb]

I would prefer knowing there was a new release of SSH. A maintenance release.
10-15 days later, an announcement that this release was due to a vulnerability found should be released.

NO more detail than that.
NO patch. NO post to bugtraq. NO exploit code.

That would provide adequate security with minimum damage.

Vince.

Re:Full disclosure = annoying.

[PFAK]

Most OS's have SSH installed by default now, I can name a few - FreeBSD, OpenBSD, Redhat, Cobalt, NetBSD, Slackware, etc. And newbies won't know how to update it, or not even know its running on their machine. Kinda dangerous don't you think? At least this bug is apparentley not expolitable remotley, which makes it not as bad. But still, if your running a shell box; ya better upgrade quick.

Re:Full disclosure = annoying.

[bluebomber]

An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests.

Alternatives to wearing bullet-proof vests:

1. Get your own fucking gun and shoot the SOB.
2. Armored vehicle.
3. Stay home.

Your analogy doesn't make sense. Finding a root-exploitable weakness in v1 isn't the same as developing an armor-piercing bullet.

Re:Full disclosure = annoying.

[markov_chain]

Sure, the story was posted here. However, this is a case where the full disclosure argument starts to apply to scientific breakthroughs-- which come from a community fairly disjoint from the community of developers and engineers. Arguing not to disclose scientific achievements is going to be a hard case indeed =)

Re:Full disclosure = annoying.

apt-get update && apt-get upgrade in the root cron.daily should fix any machines you have. just drop it in *before* you hand over control to your clueless users.

Re:Full disclosure = annoying.

What about a worm thats starts on a rooted machine, logs keystrokes and ssh server version strings on outgoing ssh connects.

It would then use the gained info to log into to the remote machine, install rootpkit, and install itself.

Ummm....

Re:Full disclosure = annoying.

[Florian+Weimer]

This is not full disclosure. Details on how to exploit this vulnerability have not been released yet. In fact, I wouldn't have thought that this off-by-one error is exploitable.

Of course, this makes it more complicated to determine whether only authenticated users can exploit it. (I think so, because channel message processing starts only after authentication.)

Re:Full disclosure = annoying.

[arkanes]

If you feel this way, why are you using OpenSSH? Go with a closed source implementation where that's exactly what you'll get - no documentation, no posts, no exploit code. Also no updates, unless they feel like it.

Re:Full disclosure = annoying.

[devnullify]

Sometimes it's just not that easy. Somehow I find it hard to believe that a majority of these clueless users is running Debian, probably RH and Cobalt mostly (both based off the same code...). For the rest of us, apt-get is fine if you use Debian, but if you can figure out Debian's horrid package system, I'm sure you can install SSH from source. RH does have up2date (I'm assuming Cobalt does too), but it'll probably be a week or two before any of these package databases are update. Debian may be an exception, I only use it for a workstation running no services at all so I don't know how fast they update it, RH however seems to be quite slow in releasing new binaries/binary patches for distros. In comparison to M$ though it's nothing. This comment also completely ignores the fact that alot of people who are partially clueless may have had their box setup by someone else, or been helped through a source install, regardless of distro. (I've personally helped 4 or 5 people in the office install SSH, of course I'll notify them of this 'sploit however) This is the biggest problem I have with packages and binary distros, whatever package system is implemented becomes useless the moment you install from source, and often will in fact BREAK the php/apache setup you had working so well when it tries to update a package you forgot to exclude.

Re:Full disclosure = annoying.

[Caspuh]

Instead, just share it with your buddies so we won't know what hit us.

Re:Full disclosure = annoying.

[kz45]

You do not know what you are talking about. Full disclosure has greatly improved security awareness and turn around time for fixes. If you want to turn your back on full disclosure, you are heading back into the middle-ages of computer security.

Full disclosure is a good thing (from the patch aspect), however, it is the sole reason for the large amount of script kiddies on the internet today.

It also decreases joe computer user X's security. (the one that never patches his system, and believe me there are a lot).

Re:Full disclosure = annoying.

[kz45]

I don't think full disclosure is really important in this process; instead, open source is what makes it possible to find bugs early. In fact, open source implies full disclosure-- without bugtraq or whatever, you can imagine downloading each new version of SSH and looking at diffs to deduce what bugs got fixed

This only works to a point. If this was a successful approach, a bug in OpenSSH and or PHP would have been found months ago.

It seems to me to takes just as long as proprietary models.

Re:Full disclosure = annoying.

[kz45]

Instead, just share it with your buddies so we won't know what hit us

I think full disclosure of a flaw should only be given to the person that is going to fix it. Why does anyone else really need it (if not for malicious intent).

Re:Full disclosure = annoying.

[Caspuh]

So you're just going to trust that they fixed it?

Re:Full disclosure = annoying.

[kz45]

So you're just going to trust that they fixed it?

They wrote it. If im using it, I have already given them a certain amount of trust.

Re:Full disclosure = annoying.

a remote exploit is impossible. rtfs you morons,
you can't even get to that code until after authentication has succeeded.

and it's not a buffer overflow, it's a bad heap reference you need to rely on the behaviour of free() to exploit - if you enable malloc debugging on any of the BSDs (ln -s AJ /etc/malloc.conf), this bug is unexploitable.

i can't believe i'm even bothering to post this.

Re:Full disclosure = annoying.

[SquierStrat]

To be honest,that's a bunch of crap. You should always assume the lowest amount of trust in an application's security, especially applications of this nature. If they didn't tell me what was wrong, I wouldn't believe for a second that they fixed it.

linux patch available

[Asgard]

So when does 3.1p (portable -- for other OS's) become available?

Re:linux patch available

[MrDingDong]

Its out there - at least on ftp.openssh.com. I built and installed 3.1p1 a couple of hours ago on Linux.

Re:linux patch available

[Asgard]

Looks like it is already availble in tarball and RH72 RPM format.

Re:linux patch available

Yes, it's out there, but the packaged SRPM is relatively useless for anyone in a server environment. It has a number of dependencies on X and gnome crap that is unlikely to be installed on non-desktop machines.

I suppose I can do things the old fashioned way with the tarball, but was hoping for an easy way out. 8-)

Re:linux patch available

[Graspee_Leemoor]

Why the fuck does openssh have X and gnome deps ? I don't disbelive you, but I am too lazy to
download and read the source.

graspee

Re:linux patch available

The patch consists of adding one character in one file. Do it yourself you big baby.

Re:I submitted this earlier and it was rejected

Sheesh, dude, get a life. The one that was posted probably came in earlier (or had better details).

Commercial SSH

[Stavr0]

Does the same issue exist in Commercial SSH? The advisory makes no mention of it.

I assume it wouldn't be as it's on a different code base, then again 'assume means making an ASS out of U and ME'

Re:Commercial SSH

[jonnythan]

If you look at the patch, it's an error in the for loop.. a > instead of a >=.

If the same error existed in Commercial SSH, someone stole some code.

Re:Commercial SSH

No
Professional software engineers wouldn't make such mistakes.

Re:Commercial SSH

[zulux]

If the same error existed in Commercial SSH, someone stole some code.

Not nesessarly true: OpenSSH and Commercial SSH have the same roots - http://www.openssh.com/history.html

Re:Commercial SSH

[snowpuppy]

SSH Communications has it's own security issues.

Check out: SSH Advisories

I wonder if they produced a fix as fast as OpenSSH did.

Snowdog

Re:Commercial SSH

[Corgha]

Does the same issue exist in Commercial SSH?

A cursory glance through the code just now did not turn up anything.

However, even if an off-by-one error *did* exist in some function analogous to channel_lookup, the ssh2 binary is not setuid in the ssh.com version, so my guess is that a similar programmer error in the ssh2 code could not lead to an escalation of privileges (except perhaps by a malicious server getting your local privileges, but that's a different matter entirely).

The hostkey signing in ssh.com's ssh is handled by a separate setuid binary, ssh-signer2, which doesn't have anything to do with channels (not that it couldn't have other bugs, but it does have the advantage of having a smaller codebase to audit).

Note that I actually use both OpenSSH and ssh.com, so don't try to drag me into some flamewar about which one is "better." They each have their advantages and disadvantages. If you want to trash anyone, trash F-Secure; they really suck.

Is ssh enabled by default?

Been too long since I did an install. If ssh isn't enabled in the default install, then the claim still stands.

Re:I submitted this earlier and it was rejected

[SouthSideMike]

Who cares, it's not like you get paid for every submission that gets accepted.

I don't think so.

[Penguinoflight]

Most worms scan for nt and ISS. I get like 100 a week trying to load NT files, and I'm running Apache on Linux. The hacker world would rather beat more simple targets like Windows than go for something complicated like SSH on Linux.

Re:I don't think so.

[SupremeChalupa]

It's attiitudes like this that lead to lax security. Admins who assume _their_ systems are safe because of their obscure/complex/godlike admin/open source/etc. status are just asking for it. Why do you think IIS is so vulnerable? Because admins think they don't need to worry about it. Don't lump yourself in with this crowd, it's a bad thing.

Re:I don't think so.

[Sobrique]

ISS? Isn't that a space station?

Re:I don't think so.

[Alioth]

The hacker world would rather beat more simple targets like Windows than go for something complicated like SSH on Linux.

Don't bet on it. A while back, for kicks, I checked to see who was bombarding what ports on my box with attempted hacks. A large portion of them came from 0wn3d Linux systems. I'm just glad that (a) I kept things patched (b) didn't have a default RedHat install and (c) had a MIPS processor that obfuscated any hole I didn't yet know about.

If you don't patch a potentially remote-root hole, it's not a case of "if". It's a case of "when" you'll be 0wn3d.

Re:I don't think so.

[Penguinoflight]

I don't use RedHat at all, I use Slackware which hasn't had a major security hole in more time than I've been using it. How do you know the attempted hacks were 0wn3d machines? How would your MIPS processor help against security holes? From what I understand Irix is fairly insecure, or at least was in the past.

Re:I don't think so.

[Alioth]

Well, for any attempt on my box from a machine where I could trace someone responsible, I'd email them. I often got "Thanks, yes we were owned" replies, or replies from sysadmins telling me "I told that idiot to secure his RedHat box three months ago" kind of thing.

Also, hack attempts from systems that have reverse DNS entries like "ns1.foo.com" or "smtp.bar.net" are almost certainly 0wn3d machines - it's unlikely that a legitimate user is using those boxes as hack-launch platforms. I got a surprisingly large number attempts on my box from machines like that.

Then there were the hundreds of Linux systems on RoadRunner, @home etc. which were more than likely 0wn3d boxes (because rr.com and @home tend to kick people off for hacking, so it's unlikely the box owner was aware of what was going on).

Some attacks were undoubtedly done by the machine owner, but a large volume really was from 0wn3d Linux and Solaris systems.

As for the MIPS system, it doesn't run Irix. It's Linux on a MIPS system - and therefore reasonably obscure. Don't get me wrong - I do take security very seriously and I upgraded OpenSSH on this box as well as on the Intel machine - you never know who's lurking out there looking for any chink in your armour. Most skript kiddie tools are aimed squarely at the ubiquitous - Linux on Intel (or AMD). That's not to say that there's NOT someone out there targetting Linux/MIPS, but there are many orders of magnitude of attacks aimed at the Intel boxes.

Re:I don't think so.

[kz45]

The hacker world would rather beat more simple targets like Windows than go for something complicated like SSH on Linux

not true. Hackers go for all Opersting Systems and all flavors. People who write worms only aim at one. Here is why:

why infect 1% of the worlds computer population, when you can infect 99? (if linux was as popular as windows, there would be just as many worms created for it.) Also, most people of the hacker world hate microsoft.

with the latest php scare, I wouldn't be surprised of someone wrote a worm....

remote hack?

[oo7tushar]

not to people, the debian packages have not yet been updated so your best bet is to download (like a real penguin) and install yourself (but only if you want to be a penguin, they dress well)

Re:remote hack?

Have the debian packages been upgraded since OpenSSH 2.4? Doesn't really matter to me - I'm probably going to trash my Debian machine and put Slackware on it - debian just moves too slow to be useful - I really don't want to install a system then spend 4 days updating the system from the ground up so I can install a new SSH. Bleh.

Re:I submitted this earlier and it was rejected

i never submit because i can't stand the pain of rejection.

Correction: off-by-one

[MarkusQ]

Seems as though its a one-off error

One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.

Off-by-one error: An error in enumeration, such as starting or ending a count at the wrong value (e.g. 0 vs. 1), counting the starting/ending value in a cycle twice or not at all (e.g. in counting a group of people which includes yourself), counting delimiters as opposed to the items delimited (e.g. the "fence post" problem), or any analogous error.

These are rather different! When I read the abstract my first thought was "how can they determine that?"

-- MarkusQ

Re:Correction: off-by-one

[mcelrath]

One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.

Shouldn't that be one-of? As in: "we only created one of them".

-- Bob

Re:Correction: off-by-one

[ThatComputerGuy]

But "what we created is a one-off."

Re:Correction: off-by-one

[room101]

That's all true, but people still say "one-off error" to mean "off-by-one error".

When I got my second job, and I first heard someone use "one-off" by your definition, I was stumped. It just depends on your background what people tend to say. Although, "off-by-one error" is more descriptive.

Re:Correction: off-by-one

My nitpicking alarm just sounded.
Time to ease off the caffeine and hit
the liquor store pal.

Re:Correction: off-by-one

[MarkusQ]

My nitpicking alarm just sounded. Time to ease off the caffeine and hit the liquor store pal.

*laugh* I think if I did that it would set off several other people's alarms. But I suspect you have a point about the caffine.

-- MarkusQ

Re:Correction: off-by-one

[Cardhore]

Time and time again the same exact off-by-one bug is made again and again in C and C++ programs. This is a design specific to C and C++ and Java, in which the first item in an array is accessed with an index of 0 (as opposed to 1 which is more intuitive). So the fifth element in an array is accessed with array[4]. The first element array[0] is accessed with the index 0. The second element is accessed with the index 1! No wonder this bug happens again and again.

Re:Correction: off-by-one

[Ark42]

Whatever, jock, no real programmer would seriously think 1-based arrays are the most intuitive.

Re:Correction: off-by-one

go back to the land of fortran or smalltalk, buddy, nobody else has problems with 0-based array indexing

Re:Correction: off-by-one

[Troed]

Oh please .. it's not exactly Joe Doe who's writing software. Starting from 0 is _intuitive_ for me as a software developer. The offset 0 into something is, exactly, the first value.

Re:Correction: off-by-one

[Dwonis]

Sigh. The subscript of an array is the offset from its starting address.

OpenSSH site already updated?

[Noryungi]

Here is what can be found on their web site:

"OpenSSH 3.1 released March 7, 2002."

Hmmm... That was quick! Especially since the advisory reads:

Pine Internet Security Advisory

Advisory ID : PINE-CERT-20020301
Authors : Joost Pol
Issue date : 2002-03-07
Application : OpenSSH
Version(s) : All versions between 2.0 and 3.0.2

Pretty good job.

Re:OpenSSH site already updated?

[leviramsey]

The vulnerability was sent to the OpenSSH team a few days ago. It was not publicized until a fix was in CVS.

Re:OpenSSH site already updated?

This is why, even if you can't understand it, having access to the source code of your tools is important.

How often do critical MS bugs get fixed within a few days of discovery?

Re:OpenSSH site already updated?

[psychofox]

If only you'd read another three lines you would have found the line:

Vendor informed : 20020304

Re:OpenSSH site already updated?

[Yankovic]

A: Open source didn't help solve the bug (though it may have helped FIND the bug, and identify it to such a degree that it was quickly solveable). The OpenSSH people corrected the bug in their own source, which they would have had access to even if it was closed.

B: The vendor was notified ahead of time, which is one of the things that MS has been campaigning for. Why aren't we beating up on the guy who released this to the vendor first and not to the community immediately? Answer: it was the responsible thing to do! eEyes should take note.

Re:OpenSSH site already updated?

[BlowCat]

Good thing that it's not a remote root exploit. Otherwise www.openbsd.org would now read:

Four days without a remote hole in the default install!

Not sure if OpenSSH is enabled by default though.

Re:OpenSSH site already updated?

[passion]

If you act quick, you'll notice that you can't download the new source code from all the mirrors yet...

Re:OpenSSH site already updated?

[Tuzanor]

Not sure if OpenSSH is enabled by default though.

It is. Luckily, so far it doesn't look like a remote hole. Even if it was, OpenBSD would still have a far better track record than any other OS out there.

Re:OpenSSH site already updated?

[mark_lybarger]

typically the MS exploits are released to MS well in advance, and then only after considerable amount of negligance on their part are disclosed to the community. it is proper to send exploits to the vendor first and allow them to resolve the issue.

Re:OpenSSH site already updated?

Mr. Joost Pol aka "Nohican", famous for his Slashdot-hack has done his homework again! ;-)

Re:OpenSSH site already updated?

[sheetsda]

OK, I'll bite.

The OpenSSH people corrected the bug in their own source, which they would have had access to even if it was closed.

Sure, if they found out about it before a blackhat did. There's a good chance they wouldn't have. And anyone could've corrected the issue and submitted a patch; in OSS there may be a patch before the public even knows there was a vulnerability.

The vendor was notified ahead of time, which is one of the things that MS has been campaigning for. Why aren't we beating up on the guy who released this to the vendor first and not to the community immediately?

There's a policy among bug reporters to give the author a reasonable period of time to fix a bug before releasing it. MS gets that grace period about as often as everyone else, but they're so slow at getting out patches that the vulnerability runs rampant. If an OSS project is slow at getting patches out, someone else takes it upon his or herself to write a patch. Its sort of a self-correcting system.

smallest possible patch

[bill_mcgonigle]

For you guys too lazy to read:
http://www.pine.nl/advisories/pine-cert-20020301.t xt
( I was going to post the patch here, it's really small, but apparently slashcode doesn't know what the blockquote tag is for, despite claiming it's supported)

But this isn't just an attempt at karma whoring, there is a point. When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that Microsoft secured their software over the last month?

Re:smallest possible patch

[ghjm]

When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that C is the right language to do coding in?

Re:smallest possible patch

Of course, no one has ever missed a = in Java and screwed up someone's security privileges.

Re:smallest possible patch

[paitre]

and has been stated several times already, this SAME error can occur in any language, with the same effect.
grow up. there are millions of lines of C, and they aren't going to go away just because you don't "like" the one language that allows a programmer to do just about anythign with their computers.

I'll say this: the average CS student that I've had to deal with lately doesn't comprehend even the -BASICS- of memory management (Java does that for me...)
Fuck off, and learn how to fucking program CORRECTLY, then use a language that lets you be lasy.
Cocksucking assholes.

Re:smallest possible patch

I'm glad I abandoned C couple years ago, and I've beend coding in Visual Basic eversince...

Re:smallest possible patch

[TRACK-YOUR-POSITION]

Of course, no one has ever missed a = in Java and screwed up someone's security privileges.

I could be wrong, but I believe Java has protection against == vs. =. At least, if you do

if (a = 7) {

}

Java will complain because a = 7 is not boolean.

Re:smallest possible patch

[TRACK-YOUR-POSITION]

there are millions of lines of C, and they aren't going to go away just because you don't "like" the one language that allows a programmer to do just about anythign with their computers.

A. It's not THEIR computers we're talking about here. It's everyone's computer. Or if you're computer has a bug like this, the computer now belongs to Haxorz.

B. This type of error may be possible in any language, but real languages will throw a graceful exception or error when this error occurs, not give control of your entire system to the enemy.

Re:smallest possible patch

[Alsee]

== vs. =

No, it is &GT vs. &GT=

-

OpenSSH 3.1

[AlbanySux]

It was released today according to the OpenSSH website.go and pound the mirror sites

Re:OpenSSH 3.1

[amarodeeps]

I've just been checking the mirror sites, and it doesn't appear to be up on many of them yet, at least not in the states...I got it off of the openssh site in alberta (sorry guys, I want it and it's just not on the mirrors yet!!).

I can't wait for djbssh

[Russ+Nelson]

I can't wait for the Daniel J. Bernstein version of ssh.
-russ

Re:I can't wait for djbssh

you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

Re:I can't wait for djbssh

[biot]

It would be incompatible with the rest of the world's ssh implementations, of course, but I guess he'd write a DJB-RFC to take care of that.

Re:I can't wait for djbssh

And since nobody would use it because of the incompatibility issues, it would be REALLY secure. He could then afford to offer a $1000 bounty to anyone able to 'sploit it. 8-)

Re:I can't wait for djbssh

[dynweb]

hahaha Kindly mod the parent up please :)

Re:I can't wait for djbssh

[tzanger]

you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

You forgot the part about the code being totally undocumented (including no descriptive variable names whatsoever) and that it will only securely talk to djbssh clients since ssh is a useless tool of a protocol that should have never been passed as in RFC. :-)

qmail is an awesome program. Too bad it's almost impossible to understand the code. :-(

Re:I can't wait for djbssh

[someonehasmyname]

hahaha. rotfl. It is kinda funny that all his apps require 3+ users, tcpserver, etc., but I still use djbdns and qmail...

Re:I can't wait for djbssh

[Russ+Nelson]

If "incompatible" results in "is secure", then it's worth having to install it everywhere. I mean, ssh is incompatible with telnet, and yet you installed ssh everywhere you needed to?
-russ

Re:I can't wait for djbssh

[Russ+Nelson]

It's not as bad as all that. First, there just aren't so many global names that you need to have them be descriptive, but they are reasonably so anyway. flagcritical is set when you're in a critical section of the smtp dialogue.

Most of the global names are quite descriptive, e.g. byte_copy(). What does it do? Copy bytes. case_lowers()? Lowercases strings.

It's really not that bad once you spend a bit of time on it.
-russ

Re:I can't wait for djbssh

Russ how did I know you would have to reply to the qmail post .....

Re:I can't wait for djbssh

[Electrum]

And since nobody would use it because of the incompatibility issues, it would be REALLY secure. He could then afford to offer a $1000 bounty to anyone able to 'sploit it. 8-)

qmail is the second most common SMTP server on the internet, so it's hardly fair to say that nobody uses it. He can afford to offer guarantees because there are no security holes.

Re:I can't wait for djbssh

[Fjord]

How are you getting that? This page seems to place it 24th (removing "Unknowns").

Re:I can't wait for djbssh

[Fjord]

Blah. Nevermind. This one is way more recent (didn't watch where I was). It still lists it at 3rd, but says
"qmail now accounts for more addresses than Exchange, and almost as many as all Microsoft SMTP products" although I don't understand why it lumped Exchange and IIS SMTP together to make it 2nd.

Re:I can't wait for djbssh

[dougmc]

How are you getting that? This page [cr.yp.to] seems to place it 24th (removing "Unknowns").

Did you even read the page? Allow me to show you the relevant header line --

Date: 29 Nov 1996 08:51:00 GMT

Last I checked, 1996 was a Long Time Ago [tm] in Internet Time [tm].

Re:I can't wait for djbssh

[PSC]

... and needs its own top level directory...

Re:I can't wait for djbssh

[krogoth]

You forgot to mention the complex directory structure that uses files as variables...

Re:I can't wait for djbssh

[Fjord]

Did you even read this comment? Allow me to show you the relevant posting time --

03:25 PM

I even posted it at +1 making it more visible.

: )

Re:I can't wait for djbssh

[shogun]

Well if your really good at doing complex math in your head you can always login to an sshd server with a simple telnet client...

Re:I can't wait for djbssh

[Russ+Nelson]

Must ... reply ... to ... qmail ... post ....

-russ

Re:I can't wait for djbssh

[dougmc]

Yes, I read it. Well after I posted my reply.

It wasn't there when I started my reply. Remember, we're talking about a period of mere minutes here. Your correction came in only 11 minutes before I pushed for the final time.

Re:I can't wait for djbssh

[Dwonis]

Would you like to explain what is wrong with this approach?

Re:I can't wait for djbssh

[Fjord]

Thus the smiley.

: )

nsSSH

[pinkUZI]

The not so Secure Shell.

Re:nsSSH

AHAHAHAHAHA OH MY GOD THAT'S HILARIOUS.

Man, you must've, like, cut & pasted that from some other site. Pure genius!

Yay!

2002-03-07 11:39:40 Server version: SSH-2.0-OpenSSH_3.0.2p1

Good night everybody!

Maybe...

but that doesn't change the truth of the statement.

and people wonder why its free ?

[Anon0mous]

...cos no one would pay for it ?

this is a bummer..........

i run ssh to keep the telnet hackers out.....

they NEED to have a working username/pw and since i only have 4 users, it no biggy.

but beware. wait wait, here come MS bashers.

Please stop writing network apps in C!

[Tom7]

This kind of bug would NOT BE EXPLOITABLE if sshd was written in a modern safe language.

If the canonical secure software from the canonical secure software people has bugs like this, I don't see how anyone can argue that it's possible to write secure code in C. C makes it easy to make this kind of bug, and the bugs are often exploitable.

Check out my previous post and ensuing discussion on this http://slashdot.org/comments.pl?sid=24271&cid=2629 013 for more info. Synopsis: There are some reasons to use C for a project, but none apply to network daemons. As a proof of concept, I rewrote FTPD in my favorite modern language; the source went from 24,000 lines to 3000 (including support code, like PAM_MD5 password encryption), took me only a weekend to write, and is 100% buffer overflow / format string / heap corruption free.

I'm trying to raise awareness about this because I think it's a real obstacle to us having secure software.

Re:Please stop writing network apps in C!

> is 100% buffer overflow / format string / heap corruption free

How can you proove that ? Everybody can claim his code is problems/free...

Re:Please stop writing network apps in C!

[climer]

I cry BS. Your previous post claimed that performance was not a reason and yet I don't believe you. Wake up and stop acting as the HW vendors lobbyist.

Re:Please stop writing network apps in C!

[MartinG]

How did it cope with 18,000 simultaneous connections? Did you use mmap(), sendfile() and friends on linux to get the best performance possible? How did the xfer rates compare?

BTW, 24,000 lines is a hell of a lot. If you want to compare like for like, have a look at vsftpd by Chris Evans. It's written entirely in c. Have a read of the source - it's quite interesting how it has been done. I would be surprised if you could find a buffer overflow.

I actually do agree with your points mostly, but I would say "Don't use c for network apps unless you have a good reason to" and also "don't use c for network apps unless you _really_ know the hazards"

In some ways SSH is a special case anyway. It has all the intensive maths stuff to do for the session key generation etc. Not a good idea to code that in (eg.) perl imo.

BTW, out of interest, what is your "favorite modern language" ??

Re:Please stop writing network apps in C!

[coyul]

Did you even look at the patch?

--- channels_old.c Mon Mar 4 02:07:06 2002
+++ channels.c Mon Mar 4 02:07:16 2002
@@ -151,7 +151,7 @@
channel_lookup(int id)
{
Channel *c;
- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}

You want to explain to me how any "modern safe language" is going to stop me from saying 'greater-than', when I really mean 'greater-than-or-equal-to'?

Re:Please stop writing network apps in C!

[Powerdog]

If you'd actually done some homework on this one, you'd discover that it has nothing to do with buffer overflows. The error could have been done in any language: the problem is a check for greater-than when it should have been greater-than-or-equals. A "modern safe language" would not have solved this.

See the patch at http://www.pine.nl/advisories/pine-cert-20020301.p atch

The advisory is at http://www.pine.nl/advisories/pine-cert-20020301.t xt

Re:Please stop writing network apps in C!

[adamwright]

This assumes your "modern safe language" doesn't have a hole of its own. At some point, it's bound to interface with "unsafe"/"unmanaged" code, and if you get one exploit there, you get an exploit in *every single* "safe and modern" language application.

Re:Please stop writing network apps in C!

[abaptist]

If you look further down in the patch, it then references an array with offset 'id'. In a language like Java this would throw an ArrayIndexOutOfBounds exception, NOT read random memory and possibly cause a crash.

So in fact a stricter language would fix this problem.

Re:Please stop writing network apps in C!

I greatly prefer C over Java for performance critical applications, but using ">" instead of ">=" in the equivalent Java code would not have resulted in executing unverified memory resulting in an exploit - it would have merely thrown an exception.

Re:Please stop writing network apps in C!

Do you even know what you are talking about?

Using "safe" languages doesn't stop you from making mistakes. But if something goes wrong and you would have created an exploitable buffer overflow in C/C++ other languages (or rather run-time environments) will notice that the array access is out of bounds and exit/die safely.

Re:Please stop writing network apps in C!

[smallpaul]

Someone please moderate the parent up! I could repeat what it says and karma-whore but I'd rather help the poster get his intelligent argument promoted!

Re:Please stop writing network apps in C!

[mr_goodwin]

It won't but at least the result won't be a buffer overflow.....

Re:Please stop writing network apps in C!

I think if you check(and I haven't) that the fix in the patch above prevents a bufferoverflow from happening later on in code that you can't see in the patch.. It would be sort of like this

somedatatype dataarray[ARRAY_SIZE];
if(arrayindex >= ARRAY_SIZE) {
log("some kind of error indicating that the data is longer than the buffer");
return;

}

datarray[arrayindex] = somedata;

you see that the buffer overflow in my example actually occurs after the check(thus the reason we do the check first) ... so if the check condtion is wrong then the buffer overflow occurs...

So in a modern language with bounds checking(like Java or managed C# or other numerous languages) the overflow would have generated a runtime exception instead of allowing some insertion of data/code past the buffer.

Re:Please stop writing network apps in C!

[Sobrique]

Nice thought... but erm well, what's the Java interpreter going to be written in? Sure as hell it ain't java... Programming languages get down to a single common denominator - machinecode.
Perhaps we need to get someone to implement DWIM() (of userfriendlyness)...

Re:Please stop writing network apps in C!

[Tom7]

Yes, that's true, but that doesn't imply that the situation is any better for C. In fact, I recall that libc had a globbing bug that caused an exploitable hole in ftpd (that was the reason I wrote this server in the first place) recently. Personally, I think it is extremely rare for a compiled language to have an implementation bug that leads to exploitable code. (I would be very interested in hearing examples, though, besides the one I mentioned.) As a practical matter, application-level bugs like the one in sshd are far far more common.

On a related side note:

I can't actually propose that people use this, because the technology is not that mature, but we are working on something called "typed assembly language" that would at least guarantee type safety of even the compiled code. (So that bugs in the compiler can't introduce certain kinds of security holes.) Check out http://www.cs.cornell.edu/talc/ for more info if you're interested.

Re:Please stop writing network apps in C!

[adubey]

In languages without pointers, assuming there are no compiler bugs, there will be no heap corruption.

In languages with array bounds checking, assuming there are no compiler bugs, there will be no undetected buffer overflows.

The original poster was saying, with a good enough language, there are certain classes of bugs you don't have to worry about.

Re:Please stop writing network apps in C!

[Tom7]

> How did it cope with 18,000 simultaneous
> connections? Did you use mmap(), sendfile() and
> friends on linux to get the best performance
> possible? How did the xfer rates compare?

I can't handle 18,000 simultaneous connections, but I don't think that 99% of people actually care about that. In fact, I don't think linux even supports 18,000 open file descriptors at the same time. My ftpd is intended for the home user who cares more about getting rooted than the low-level performance of his servers.

Yes, it uses sendfile to transfer files when it doesn't need to do EOL conversion. I'm easily able to fill my 100Mbps connection without breaking a sweat either way. (In my informal benchmarks, my server got exactly the same transfer rates as wu_ftpd).

> I actually do agree with your points mostly, but
> I would say "Don't use c for network apps unless
> you have a good reason to"

Well, ok, but what would be a good reason to?
One might be that you need to write a server that can really handle 18,000 connections. (Then, I hope that the users of your server have enough cash to pay someone to maintain them, apply security patches, etc.)

> In some ways SSH is a special case anyway. It
> has all the intensive maths stuff to do for the
> session key generation etc. Not a good idea to
> code that in (eg.) perl imo.

Yes, that's true. SSHD probably uses much more CPU than a typical network app. Yet (see my other posts), it really doesn't use that much anyway.

I wouldn't suggest writing it in perl, since perl has its own kinds of easily exploitable bugs. Also, the performance of perl is not in the 20%-100% category that I mentioned. ;)

> BTW, out of interest, what is your "favorite
> modern language" ??

Standard ML. It's got loads of cool features like higher-order functions, polymorphism, datatypes, parameterized modules, and static typing (which also really helps to catch bugs). It's natively compiled and quite fast. You can learn about it at standardml.org. Hacker types might like O'Caml better, that's at caml.inria.fr.

Re:Please stop writing network apps in C!

[Tom7]

You don't need an interpreter to do bounds-checking on arrays. For instance, SML (that's what I wrote my ftpd in) compiles to native code and has bounds checking. There also exist native compilers for java.

It's *much harder* to make a mistake in a compiler that causes an exploitable hole in software compiled with it than it is to make the same errors over and over in the applications themselves. (Just compare the number of compiler/library-caused exploits to the number of application exploits!)

Re:Please stop writing network apps in C!

[andyross]

- if (id channels_alloc) {
+ if (id = channels_alloc) {

You want to explain to me how any "modern safe language" is going to stop me from saying 'greater-than', when I really mean 'greater-than-or-equal-to'?

No, but a "modern safe language" would crash instead of silently corrupting memory and producing the root exploit. The bug is unavoidable, but the impact is mitigated.

Sure, Java (or C#, or whatever) isn't the software engineering panacea that Sun wants you to think it is, but don't let that blind you to its features. You just plain missed the boat on this one, which means you are exactly the kind of person who is going to repeat this kind of stupid-c-tricks bug. Pick the tool for the job.

Re:Please stop writing network apps in C!

[John+Ineson]

"How did it cope with 18,000 simultaneous connections?"

Let me get this right. You reckon we should keep writing network daemons in C -- the footshooter's favourite -- so that they are efficient enough to scale for the <0.001% of sites that have enough bandwidth to support 18,000 connections.

Yeah, that sounds like a sensible tradeoff.

Re:Please stop writing network apps in C!

[Mignon]

further down... it then references an array with offset 'id'

Has anyone been able to catch this error with a tool like Purify? Language arguments aside, the reality is that the program is already written. In my experience, debugging a complex existing program with good tools is easier than writing the same program from scratch.

Re:Please stop writing network apps in C!

So it still comes back to "don't do it if you don't understand the problems"? It is conceivable that someone could code a library poorly and cause a security problem, but according to you it rarely happens. This just leads me to believe that it IS okay if you know what you're doing. What you mean to say is that one should use a more recent babysitting language if they're not capable of doing it without having their hands held.

Re:Please stop writing network apps in C!

[Tom7]

AC Writes,

> So it still comes back to "don't do it if you
> don't understand the problems"? It is conceivable
> that someone could code a library poorly and cause
> a security problem, but according to you it rarely
> happens. This just leads me to believe that it IS
> okay if you know what you're doing. What you mean > to say is that one should use a more recent
> babysitting language if they're not capable of
> doing it without having their hands held.

Yes, in a sense. Here's how I would say it, though: we want to minimize the amount of trusted code. To a certain extent we need to trust the OS kernel, the compiler, and some libraries (depending on what language they're written in). That's because everybody makes mistakes, even smart people who know all about good C coding (like the OpenBSD/openssh people), and mistakes in C are often disastrous. Even people who are really good at C should avoid using C whenever possible, because it increases that trusted code base.

Actually, my group at CMU is working on trustless compilers (that is, compilers that produce checkable certificites that they did a good job). I'll be back in a few years talking about how this technology can reduce the (already few) security concerns with using a compiler. But for now, the biggest step is to keep people from increasing the size of the trusted code by writing applications in low level languages like C!

Re:Please stop writing network apps in C!

[muleboy]

I checked out the link on Standard ML. I am interested, but have two questions:

1. Which implementation of Standard ML do you prefer? I use Linux.
2. Will I still be able to compile my code in 15 years like I will with ANSI C or Fortran 90? I guess what I mean is are there set-in-stone ML standards that assure me that future tools will work with code I write now?

Re:Please stop writing network apps in C!

[Fjord]

intensive math can be still done in C, but the app itself done in perl or Java. The same thing goes for the calls to mmap(), sendfile() etc. There is no real reason to do the majority of a program in C anymore except "I know C and I don't know those languages".

Re:Please stop writing network apps in C!

[Kitanin]

So in fact a stricter language would fix this problem.

And, since by this point, Nybblebyte the magical hardware fairy has made sure that everybody's running a quad-processor, 2.2Ghz system with 4Gb RAM as their firewall, the bounds checks won't have any noticeable effect on performance.

Nope. None.

Re:Please stop writing network apps in C!

In some ways SSH is a special case anyway. It has all the intensive maths stuff to do for the session key generation etc. Not a good idea to code that in (eg.) perl imo.

Actually, writing it in perl wouldn't be a bad idea. You could put the intensive math functions in a C module, and call them from perl, which would probably be fast enough for everything else. As long as you use fairly large buffers for read() and write(), the overhead of the perl interpreter would be negligible.

For a 24,000 connection FTP it probably wouldn't work very well, but why would you have an FTP server with 24,000 users? FTP is OK if you need user logins (ideally you'd use SCP to avoid transmitting passwords in plaintext), but HTTP is almost always better for anonymous downloading.

Re:Please stop writing network apps in C!

• Splint (lclint) provides for bounds checking
• bounds checking and other extensions for gcc

Re:Please stop writing network apps in C!

[bentini]

SML/NJ is done at Bell Labs amongst other places. Fantastic. Try googling it.

Will I still be able to compile my code in 15 years like I will with ANSI C or Fortran 90? I guess what I mean is are there set-in-stone ML standards that assure me that future tools will work with code I write now?

Surprisingly enough... "Standard ML" is in fact STANDARD. ML has been around for a while, since at least the 80's and I believe before that. Will a compiler in the future still handle the same language? I hope not. I hope that ML remains vibrant. But will there exist compilers for this language in the future? Yes. There will. A lot of people like ML, especially the type of really smart people who port languages to new platforms well and efficiently.
-Dan

Re:Please stop writing network apps in C!

Then, I hope that the users of your server have enough cash to pay someone to maintain them, apply security patches, etc.

So are you saying that "use a different language" is a magic bullet that will fix all problems? Maintanance and security patches will not disappear, though they may be greatly reduced.

Re:Please stop writing network apps in C!

A stricter *compiler* could fix it too. Bounds checking is usually not done in C, but a compiler could certainly implement it.

Re:Please stop writing network apps in C!

[Tom7]

AC writes,

> So are you saying that "use a different language"
> is a magic bullet that will fix all problems?
> Maintanance and security patches will not
> disappear, though they may be greatly reduced.

Of course I'm not saying it will fix all problems. It will fix all buffer overflow, string formatting, and heap corruption problems, which are where the vast majority of exploitable unix holes come from. That will greatly reduce the maintenance and security patches, yes. Isn't that good?

Re:Please stop writing network apps in C!

[krogoth]

It would only detect a side-effect of the problem. That would have eliminated this problem, but not this type of problems.

Re:Please stop writing network apps in C!

[Tom7]

> 1. Which implementation of Standard ML do you
> prefer? I use Linux.

What I do is to use SML/NJ for development, because it has better error reporting and an awesome interactive loop, and then compile my programs for later use with MLton.

MLton is a command-line compiler that produces standalone binaries. It makes much better code than SML/NJ does, except that it has awful error reporting because the front-end, well, isn't there yet. =) (One is in the works...)

SML is standardized; there's a book with a more formal description than I've seen for any language (and which the authors have proved correct), and because of this, the various implementations tend to be *very* compatible with one another. (No "undefined" or "implementation defined" behavior like C.) The language will probably undergo revisions like C and other languages do, but the community is very conservative about breaking old code.

The other poster is right -- SML is the language hacker's language. There are like 10 implementations of it, which is of course less than C and C++, but probably more than any other language.

If the feel of SML isn't right for you, I recommend checking out O'Caml, another brand of ML (at caml.inria.fr). They only have one implementation, and it is much more "hacking" oriented. Unfortunately, the O'Caml language is much less stable.

Thanks for opening your mind! =) I hope you like it, but if not, well, at least you tried. =)

Re:Please stop writing network apps in C!

[Tom7]

I don't understand what you're saying. Neither of us are claiming it would eliminate the bug in the code, but that it would make it non-exploitable by raising an exception instead of entering "undefined behavior" land.

I assert that modern safe languages would make this TYPE of problem NON EXPLOITABLE.

Re:Please stop writing network apps in C!

That's where were going these days, it seems. What next, virtual machines running inside virtual machines? Please don't say they already exist.

Re:Please stop writing network apps in C!

[ecampbel]

While switching over to a safer language would solve the exploit problem, it wouldn't solve the any of DOS problems. If a program had an exploitable overflow, it would be easy for a nefarious hacker to repeatedly bring it down (albeit safely) by exploiting it. Thus, the severity of any bugs would be lessoned, but if one wanted to keep their server stable and performing at a high level, an equal amount of maintenance and security patches will have to be installed.

Re:Please stop writing network apps in C!

> So in fact a stricter language would fix this
> problem.

Or you could use one of the C++ array classes out there that overload [] to do bounds checking...

Re:Please stop writing network apps in C!

[Alex+Belits]

And in languages without anything at all there can't be any bugs.

The problem is, lack of any of mentioned things isn't without a price -- it's either performance or functionality. And also it's worth to remember that none of so-called "modern" languages are self-hosted, they all are written in something else that has all those features they are so proud of lacking. That code is usually unbelievably hairy, and has no chance to even be audited by a human.

Re:Please stop writing network apps in C!

[adubey]

Sir,

You have no idea what you're talking about. All modern languages are Turing-complete, most are self-hosting or at least have compilers written in other "modern" languages such as SML or Haskell, and often compile straight to assembly. I have no idea where you get the impressed that NONE of these languages are self-hosted.

Moreover, the language the original poster was talking about - SML - offers a number of abstractions that simply aren't there in C. In comparision, C is the one with missing functionality. This is why the SML version of the code was so much smaller.

You may lose some speed by going to a higher level, but for 80% of the code out there, a 20% slowdown doesn't even register on today's processors. The time you save coding, moreover, gives you more time to optimize your algorithms.

Re:Please stop writing network apps in C!

[Alex+Belits]

You have no idea what you're talking about. All modern languages are Turing-complete, most are self-hosting or at least have compilers written in other "modern" languages such as SML or Haskell, and often compile straight to assembly. I have no idea where you get the impressed that NONE of these languages are self-hosted.

If the self-hosted implementation is not usable, and not self-hosted one is used instead because of that, language is still not self-hosted. Also self-hostedness of the compiler is of little help when runtime has huge amount of native code written in a manner that doesn't allow any hope for security (ex: Java).

Moreover, the language the original poster was talking about - SML - offers a number of abstractions that simply aren't there in C. In comparision, C is the one with missing functionality. This is why the SML version of the code was so much smaller.

By functionality I mean not the functionality of the language but functionality of the program -- most of functionality that the program has is based on what it can do with the OS, and all "modern" languages usually pretend that 80% of what OS (or at least Unix) can do, isn't there (ex: Java's interface to anything networking-related is horrendously crippled by Java's designers idiosyncarsies).

Re:Please stop writing network apps in C!

[dvdeug]

lack of any of mentioned things isn't without a price -- it's either performance or functionality.

Better languages will offer a choice to turn off bounds checking or garbage collection in specific places, if you really need that speed. Also, it's easier for a compiler to optimize away automatic bounds checking rather than manual bounds checking, since it knows exactly what it's looking for.

But, yes, there's always tradeoffs. But I don't feel a need to provide the fastest system for script kiddies to use as a DOS platform.

And also it's worth to remember that none of so-called "modern" languages are self-hosted, they all are written in something else that has all those features they are so proud of lacking.

So I was just imagining SmallEiffel and SML/NJ.

Re:Please stop writing network apps in C!

[ComputerSlicer23]

Actually, C can have bounds checking. There are two or three different sets of features in gcc that can give library support to do this. Some of them are better then others. One of them is a resurrection of the Checker project that implements pointers a 3*native pointer size, so using sizeof() in the code is important, it has bounds checking built into the C library and uses two of the pointers to represent the upper and lower bounds so you can't walk off the end. There is another which is a flag one which is a flag to gcc which on every memory reference emits a call to a library with an address, you have to provide a function that will check that is a legal address. Last time I used it, if you walked off the end of one memory structure into another it worked. The trick is to use an allocation scheme that always skips a word between allocations of different structures. There were lots of interesting libraries that you could plug in for that feature set, and it is in gcc 3.0 or 3.01. C can have garbage collection and/or memory range checking built in if you want, it just isn't a feature by default. You write it in C, when you are convinced it doesn't need bounds checking, turn it off. If you're paranoid (which is a Good Thing (TM)), then leave it on all the time. The better implementation is supposed to be finished for gcc 3.1 last time I checked in on it. Supposedly it had a 25-50% increase in code size and execution speed. Just because most C compilers don't doesn't mean that it can't be done.

Re:Please stop writing network apps in C!

[Tom7]

It's true that C has tools for simulating modern programming language features like Garbage Collection and array bounds checking. But the tools are pretty clumsy since the language wasn't designed to support them. (GC has to be conservative and can't compact the heap, etc.) However, I think that the existence of these tools is a testament to how much those features are needed in an appliaction programming language.

Unfortunately, whatever you do, C will never be a safe language. Why not just use one of the many new languages that support these features natively, and by design?

Re:Good job i use Microsoft products

Yep, the only back door you will ever need to worry about is the one Bill Gates is plugging you through.

WU-FTPD Anyone?

I abandoned wu-ftpd long ago because I grew weary
of the "sploit of the week" routine. I abandoned
sendmail for the same reason way, way before that.
ISTM that OpenSSH is having to replaced with
disturbing regularity. It's getting a mite old.

OpenBSD upgrade.

[saintlupus]

OpenSSH 3.1 was released this morning. The info and tarball for OpenBSD systems is available at:

http://www.openssh.com/openbsd.html

Mine's compiling now.

--saint

Re:OpenBSD upgrade.

[bedouin]

Compiling on a 68k Mac running OpenBSD 3.0. Mine will probably take a little longer than yours :)

Re:OpenBSD upgrade.

Nobody fucking cares.

RPM's Compiled For i386

[Mr_Perl]

Help yourselves:

http://www.geniusweb.com/RPMS/

SSH 3.1p1 RPM's compiled without gnome-askpass, everything else is default vanilla.

Re:RPM's Compiled For i386

[Indomitus]

How about a src RPM for those of us who like those? Thanks for the binaries though, you're a lot faster than Redhat and the rest.

Re:RPM's Compiled For i386

[Mr_Perl]

Done. The reason I put em up was the only mirror that has the active file is ftp.openbsd, and it will probably be swamped pretty promptly hereafter.

Did a md5sum that anyone's free to check against the original also for the paranoid among you.

Re:RPM's Compiled For i386

[Scoria]

One of my primary gripes about the OpenSSH project is that they expect everybody to be operating with the latest Linux distribution. This mentality is reflected in their RPMs, where they are only providing them for RedHat 7.2 users.

Yes, it's easy enough to compile it yourself, but not for a complete Linux newbie...

Here is the method I use to upgrade OpenSSH (using the RedHat directory structure):

Open a terminal connection to your machine.
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable /openssh-3.1p1.tar.gz
tar xvfz openssh-3.1p1.tar.gz
./configure --prefix=/usr --sysconfdir=/etc/ssh
make
make install
/etc/rc.d/init.d/sshd restart

:)

Re:RPM's Compiled For i386

[Scoria]

Oops, it appears that in my haste I overlooked a critical step of installation.

After executing the command "tar xvfz openssh-3.1p1.tar.gz", you must then type "cd openssh-3.1p1" (without quotations). :)

Re:RPM's Compiled For i386

[Mr_Perl]

BTW for those who want to do this themselves it's not hard. If you have a server without gnome libs installed you need to do it this way:

rpm -ivh openssh-3.1p1-1.src.rpm

then edit /usr/src/redhat/SPECS/openssh.spec
and set the options as you like, in my case I changed the 0 to a 1 where the gnome-askpass bit is.

Then use rpm to build it, cd to the SPECS directory on your system (may also be /usr/src) and do:

rpm -bb openssh.spec

Then watch the messages at the end which tell you where the finished RPM's are. Usually ../RPMS/i386/

For those who want the gnome-askpass, just do

rpm --rebuild openssh-3.1p1-1.src.rpm

Re:RPM's Compiled For i386

[Yosho]

It's not working for me. :-(

I get as far as the ./configure step, when it gives me:

(insert lots and lots of lines)
checking for deflate in -lz... no
configure: error: *** zlib missing - please install first or check config.log ***

I've got zlib 1.1.3 installed (this is Mandrake 8.0, BTW), and I looked in config.log, but it's all Greek to me. Any idea what could be going wrong?

Re:RPM's Compiled For i386

[craw]

Hmmm, I need to know just one very important piece of information before I can truly trust you. How much karma do you have?

Re:RPM's Compiled For i386

[dmiller]

You can get source and RH72 binary RPMs from the same site as the tarball. Have a look in the rpms' directory.

Re:RPM's Compiled For i386

[Siva]

I've got zlib 1.1.3 installed...

ah, but do you have zlib-devel installed (assuming mandrake splits up libraries and headers into two packages like RH)?

--Siva

Re:RPM's Compiled For i386

[Yosho]

Yay! With that installed, it worked. Well, it also gave an error about openssl later, but installing openssl-devel fixed that.

However, I'm still having a problem. It's installed and running now, but not letting me log in -- it's reading the same config file as before, and I can connect, but when I try to send my password, it always denies it (same thing for any user).

With LogLevel set to DEBUG3 in /etc/ssh/sshd_config, I made a quick log of it starting up, me trying to log in, and shutting it down, and you can take a peek at it by following this link. Any ideas?

Re:RPM's Compiled For i386

[Yosho]

Nevermind, Scoria helped me out. Turns out I also had to manually enable MD5 passwords when compiling it.

Re:RPM's Compiled For i386

[juhaz]

So how is that easier for a complete newbie to do than:

wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable /rpm/SRPMS/openssh-3.1p1-1.src.rpm
rpm --rebuild openssh-3.1p1-1.src.rpm
rpm -Uvh /usr/src/redhat/RPMS/openssh-3.1p1-1.i386.rpm

?

FreeBSD affected; patches available

[Dom2]

Unfortunately, I can't post the advisory here due to the lame lameness filter. But here are the patches:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/S A- 02:13/openssh.patch
ftp://ftp.FreeBSD.org/pub/Fre eBSD/CERT/patches/SA- 02:13/openssh.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

If you've got the ssh port installed, check out the advisory for details on what to do:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0 +c urrent/freebsd-announce

Re:FreeBSD affected; patches available

[Sinfamous]

I prefer using ports. I find that

#cvsup -g -L 2 /root/ports-supfile
#cd /usr/ports/security/openssh
#make
#make install
#kill [openssh PID# here]
#/usr/local/sbin/sshd

makes a lot more sense and is easier to remember. the process is very very similar with any other upgrade or fresh install.

Re:FreeBSD affected; patches available

Dangit, I sure wish I would've read your note before firing off a cvsup... It's going oh-so-slowly at the moment...

Re:FreeBSD affected; patches available

[Sinfamous]

No doubt servers are getting hammered for the upgrade..however, if you specified in your ports-supfile NOT to get ALL the ports (which you might have already done; I'm just saying to make sure), it'd probably be much quicker. Especially if it's been a while since your ran cvsup for the ports.

Does this affect non-suid root clients?

[Dast]

I don't see any mention of non-suid clients in the advisory? Does any fellow /.er know if such clients are vulnerable to escalation of privileges?

Re:Does this affect non-suid root clients?

[new-black-hand]

If your sshd binary is not suid root (dont see how it can not be), then an attacker will not be able to get root privs.

Re:Does this affect non-suid root clients?

Correct. Note that installs of debian for instance are not installed with sshd SUID. This has some interesting effects on what ports ssh uses, but does help in situations such as this one.

Re:Does this affect non-suid root clients?

[QuMa]

Sshd is never suid root. It just gets run by something with uid root. (either init or inetd)

This oughtta teach you open-source folks a lesson!

[fobbman]

If you'd just keep your source closed like the smart folks at Microsoft then these sorts of bugs would never be found.

There are some reasons to use C for a project

[MrFredBloggs]

Phew! Thought i`d wasted the last 5 years of my professional life using the wrong language!

Damn Microsoft

It's not possible there are security problems in non-Microsoft products is it? Where's the splashing of endless stories around the media? At least this root exploit isn't as serious as the Microsoft exploits.

Visual Basic

[wiredog]

Has all the features any Modern Programmer could want. And it has the Highly Secure .net framework built in. What more could you want?

Re:Visual Basic

God that's dumb.

Re:Visual Basic

[killmenow]

Plus, you don't have to mess with that "windowless" crap you get with those braindead console apps. God, those are so hard to use. I mean, if you can't point, how can you click?

Re:Visual Basic

[Tom7]

I know you're just joking, but if you associate "modern" with Visual Basic, you need to do some more learning. There are loads of very interesting languages that are more powerful than C, as well as being easier to use.

Re:Visual Basic

[ignorant_newbie]

>I mean, if you can't point, how can you click?

they give you a special 104 button mouse with the console.

Re:Visual Basic

[Graspee_Leemoor]

"There are loads of very interesting languages that are more powerful than C, as well as being easier to use."

Yeah like lisp and that was invented in 1958.

graspee

Re:Visual Basic

[TheAJofOZ]

they give you a special 104 button mouse with the console.

More buttons is always good.... Makes you wonder about those Mac users.... :)

The PATCH

[bruceg]

Looks like just adding an equal sign:

RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c 27 Feb 2002 21:23:13 -0000 1.170
+++ channels.c 4 Mar 2002 19:37:58 -0000 1.171
@@ -146,7 +146,7 @@
{
Channel *c;

- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}

Performance concerns?

[yerricde]

As a proof of concept, I rewrote FTPD in my favorite modern language; the source went from 24,000 lines to 3000 (including support code, like PAM_MD5 password encryption), took me only a weekend to write, and is 100% buffer overflow / format string / heap corruption free.

I realize that correctness comes before performance (except that shipping the product is Job 1), but performance remains an issue on real-world production servers connected to a fat pipe. Does the compiler for your favorite modern language support binary code optimizations that let your ftpd run as quickly as a popular C ftpd? Does it have a GC thread that might kick in and cause delays? Or did you just use bounds-checked C++ arrays and strings?

(Heck, why even use FTP anymore? HTTP/1.1 is lighter weight, doesn't need a separate connection for each file, and doesn't have a built-in way for spammers to build lists.)

Re:Performance concerns?

and doesn't have a built-in way for spammers to build lists.)

http://isp.example.com/~abrown/
http://isp.exam ple.com/~bbrown/
http://isp.example.com/~cbrown/

...

There's a subtle difference between a directory that doesn't exist due to no such user existing and one that isn't there because they just haven't created public_html yet. If there's content there, it's probably valid too.

Just something to think about.

I guess you don't want speed, then.

We write such servers in C for one reason: speed. The users demand it.
Java has too many resource requirements (CPU, memory) for ultra high traffic on a single uniprocessor box.
Don't give me that "hardware is cheap line". The cheapest hardware is the hardware you don't have to buy.

Re:I guess you don't want speed, then.

WOW! Java is the only alternative to C. Thanks! I wouldn't have known that if you didn't tell me!

Re:I guess you don't want speed, then.

[Tom7]

An AC writes:

> We write such servers in C for one reason:
> speed.
> The users demand it.

Do they?
Maybe cdrom.com demands it, but I have never heard any of my linux-using friends complain about how much CPU their ftpd or sshd is taking up. However, I have definitely heard them complain about how many patches they need to apply, of about getting rooted yet again...

> Java has too many resource requirements (CPU,

I wasn't really suggesting java, actually, although natively compiled java could probably work if you need the language to feel like C.

> Don't give me that "hardware is cheap line". The
> cheapest hardware is the hardware you don't have
> to buy.

Hardware is cheaper than the time it takes me to install all of these damn patches.

Re:I guess you don't want speed, then.

hehe.

Re:I guess you don't want speed, then.

[dvdeug]

We write such servers in C for one reason: speed. The users demand it. Java has too many resource requirements (CPU, memory) for ultra high traffic on a single uniprocessor box.

Besides the fact that Java is not the only modern language, I really don't care about "ultra high traffic". If my sshd gets two connections, I'm multitasking; three I've probably been hacked. I don't need it to be faster; I need it to be secure and simple to set up and admin. Maybe the big sites should be running something else, but probably 99% of the sites that run ssh don't get heavy ssh traffic. Those sites need to worry about being hacked more than they need to worry about that last 20% of sshd speed. (If sshd is taking up 39 seconds of cpu time over 8 weeks, then 20% is a second a week; for more security, it's a great tradeoff.)

Isn't this a bit dodgey?

[SomethingOrOther]

Errrrrm
Isn't it a bit dogey just grabbing and installing a binary (rpm) from an untrusted source (ie you) for security software like SSH ?

I'll get my source code from a reputable mirror and compile it myself thanks.

Re:Isn't this a bit dodgey?

[Mr_Perl]

Yup, but there are folks here who know and trust me. =)

If you're concerned, just don't download em.

Re:Isn't this a bit dodgey?

[Sobrique]

Trust _you_ or trust the unhackability of your /. user account? Trusting trust is icky.
Could have at least PGP signed yer post before it goes out of fashion :)

Re:Isn't this a bit dodgey?

[Mr_Perl]

Haha, gimme a break. =) I guess I should know better than to let my helpful side show on slashdot. Download mine or go build it yourself, sheesh.

Re:Isn't this a bit dodgey?

[Sobrique]

I guess I should know better than to let my helpful side show on slashdot.
Helpful? On /.? Wow, someone go find the Herd of Trolls to beat it out of him :)

Re:Isn't this a bit dodgey?

[Stevedust]

Isn't it a bit dogey just grabbing and installing a binary (rpm) from an untrusted source (ie you) for security software like SSH ? I'll get my source code from a reputable mirror and compile it myself thanks.

You might want to check the version of SSH running on that mirror before downloading :p

*** Help on upgrading a remote server?

[TomatoMan]

Since I'm probably not the only bonehead out there in this situation, could someone more knowledgable than me advise on proper procedure for upgrading OpenSSH on a remote server via an ssh connection?

My server runs 2.2.0p1. I've got the 3.1p1 source and I'm ready to go. I'm always afraid that a glitch in the build procedure - or even a success - could replace the existing 2.2.0p1 sshd binary while it's talking to me and cut me off, and if something goes wrong in the process, leave the server unreachable, which means a long drive to the colo facility to sit down with a keyboard and monitor.

Can anybody help? I've never been able to find a clear answer for this question.

TIA.

Re:*** Help on upgrading a remote server?

[new-black-hand]

use telnet, or another instance of sshd.

Re:*** Help on upgrading a remote server?

[jaseuk]

The safest way is to temporarily enable telnet, perform the upgrade then disable telnet again.

That way if you stuff things up you've got a fall back position.

It might be wise to change your passwords afterwards.

Jason.

Re:*** Help on upgrading a remote server?

[Bluecoat93]

Known to work on Solaris, OpenBSD, and Linux. YMMV elsewhere, but it should work fine.

1) Use SSH to log into your server.

2) Install the new ssh version. Your old version is in memory, so replacing the binary won't have any adverse effect on your connection.

3) Run 'ps -ef | grep sshd' or 'ps auxw | grep sshd' (depending on your UNIX flavor)

4) find the sshd instance with a parent process ID of '1' -- this will be the actual daemon spawend by init. The other process will be the one spawned by sshd itself to handle your connection.

5) kill

6) the parent sshd process will terminate, but yours will stay running

7) start up the new sshd

8) from another workstation or window telnet to port 22 on your server and verify that the version number reflects the new version.

9) from another workstatino or window, ssh into your server to make sure you still have access.

10) close your original ssh session

I've used this exact process to upgrade many machines at remote locations. As long as you verify that the new sshd is running before you close your existing connection, you should have no problems.

Re:*** Help on upgrading a remote server?

[rugger]

Simple

1) Install the new openssh.

2) Find the parent sshd process and kill that one only! (don't do a killall) "pstree -p" is good at that.

3) fire up the new sshd and ensure it is working properly (by establishing a new ssh connection on another terminal). If it isn't, now is the time to fix it

4) Exit all ssh sessions you have initiated, then you can reconnect if you wish.

Re:*** Help on upgrading a remote server?

To be on the safe side you could start the new sshd on another port (say 2200 for example).

Then you can log in through the new one and verify that it works ok, after which you can disable the old one and put the new version on the correct port.

// Martin

Re:*** Help on upgrading a remote server?

[Willis+Wasabi]

You won't get cut off with the existing running daemon just because you replace the on-disk version. It's all running from memory. Exception: demand-paging, blah. I've done it with RPMs all the time. As long as that last daemon you're connected to is running, you're fine. You can stop and start the master daemon to you heart's content.

This is not to say that I haven't hosed myself doing this. E.g. Once I was playing with some OpenSSH config options on a system. I turned off the daemon, then went to eat dinner or something. When I came back my session was logged out due to inactivity and there was no longer a runing daemon. :)

Re:*** Help on upgrading a remote server?

[BattleCat]

Well, ssh to your host, ps ax and search the parent of all sshd processes on this box.
You will have some sshd's in ps listing. Locate one with lowest process ID, compare with /var/run/sshd.pid (or whatever your ssh daemon logs it's startup pid to), kill `cat /var/run/sshd.pid` (you probably know, what I mean), you will still have your session Ok, then restart your newly compiled sshd (/usr/sbin/sshd or where you have it installed). You will have your old ssh'ed session running, while port 22 is listened by new sshd. Check by ssh -l root localhost and see if all goes smoothly, then you could exit from all of your shells. Possibly stupid howto, but worked for me in the same situation.

Re:*** Help on upgrading a remote server?

[gid]

Sure I do it all the time, I'd suggest install the newest openssl first. Then unpack openssh and cd into the dir:

./configure --with-md5-passwords --etc etc etc, configure options here
make
cat /var/run/sshd.pid
kill <pid from above command>

This kills off the master ssh process, you will still stay connected, just don't kill off any other ssh processes.

Now:

make install
/usr/local/sbin/sshd (or wherever you installed it to start it up)

Don't dissconnect yet! Try sshing in again and see if the machine is accepting connections, if not, you might have to try giving it different ./configure options, like --without-pam, --ipv4-by-default etc

If it's your first time try it remotely, you might not want to do this on a server that's a 3 hour drive away. :) FYI, I've already upgraded 3 servers this way just 30 minutes ago, still have many more.... :(

Re:*** Help on upgrading a remote server?

How about testing the sshd by running it on another port (e.g. sshd -p 2200) and satisfying yourself that it works before copying sshd to /usr/local/sbin or wherever? It's not a perfect answer, but at least it lets you check that you didn't, say, forget to ./configure --with-pam if you need PAM support.

Re:*** Help on upgrading a remote server?

using Red Hat, I've always just done:

rpm -Uvh openssh*

even remotely via ssh. Works fine... but you might want to temporarily enable telnet just to be safe.

Re:*** Help on upgrading a remote server?

[gid]

Doh, I suck, beatten to it. Maybe I should reload the comments page more often, or not get phone calls delaying my precious slashdot reading. :(

Re:*** Help on upgrading a remote server?

[TomatoMan]

2) Find the parent sshd process and kill that one only! (don't do a killall) "pstree -p" is good at that.

Am I hosed if I start sshd with inetd? In the display below, which is the parent process? Or do I have to kill them all?

(stripped of nearly all useful information to get around the useless, brainless lameness filter: hopefully good enough. The "|" and "`" are supposed to line up under the "+" so that all of the sshds are in the same column, but we can't use <pre> tags so we can't do that.)

inetd(408)-+-sshd(5980)
|-sshd(9627)
`-sshd(23148)

Re:*** Help on upgrading a remote server?

[jjeffries]

Sure, do it with telnet.

Re:*** Help on upgrading a remote server?

[greed]

In that case, there's nothing to restart. inetd will simply invoke the new binary once it's in place.

The key to getting this to work is to KEEP the old SSH session open until you KNOW the new binary works. Otherwise you can't get back in.

If you're as paranoid as I am, you'll open a couple of extra sessions before you replace the binary... just in case....

Re:*** Help on upgrading a remote server?

[Neon+Spiral+Injector]

If you replace the openssl while SSH is running it will detect the version change and kill all running sshd sessions. Then you'll have a half installed openssl and not be able to start sshd.

You don't want to upgrade the SSL libs remotely.

Don't ask how I know. :P

Re:*** Help on upgrading a remote server?

Or, if you're really nervous, install the new version on a different port. Test/verify.

Using the new service (on the other port), remove old service on 22 and replace with the new service. Test/verify.

Using the newest service (on the trad. port), log in and remove the service on the different port.

Re:*** Help on upgrading a remote server?

[yason]

2) Install the new ssh version. Your old version is in memory, so replacing the binary won't have any adverse effect on your connection.

Ahem. Wrong. Linux is nice, it will keep the old version of the binary accessible for the running image as long as there are any, but e.g. SunOS doesn't do that. Modifying the binary will cause wrong code to be read from the disk whenever the OS reads the binary file again. This will happen for example when the code has been paged out from the main memory after which the program becomes active again and the OS loads the code of the process from the original binary. Try this:

cp /bin/cat foo ; ./foo
Hit ctrl-z to suspend the copy of cat, truncate the file:
echo > foo
and type
fg
to resume the copy of cat -> boom, segfault most likely unless the machine is very idle and not having paged out the code section of "foo" out.

Re:*** Help on upgrading a remote server?

[gid]

I've I know i've done it before. I just upgraded a machine from .9.6b to .9.6c maybe about a month ago. I know I did it remotely, because I'm far to lazy to get up and walk over to the rack and plug in a keyboard/monitor unless I have to. :) And I know I haven't had to hook up a keyboard/mouse to the rack in awhile.

Maybe it worked because it was a minor version upgrade?

Re:*** Help on upgrading a remote server?

[tzanger]

f you replace the openssl while SSH is running it will detect the version change and kill all running sshd sessions. Then you'll have a half installed openssl and not be able to start sshd.

Not entirely true; I had one server do this to me, but the six others that I upgraded work fine... update openssl, update openssh, kill running sshd parent, run new one, verify, exit. no problems.

If anyone can exlain why this one system may have done that, I'd appreciate it. It did this tlast time around too. :-(

Re:*** Help on upgrading a remote server?

[Bluecoat93]

Your example doesn't really hold. You're talking about suspending a process, modifying the binary, then un-suspending.

My instructions were for replacing the binary of a daemon process that is:

a) not suspendeed

b) most likely not swapped to disk, since you're actively talking to it via your ssh session.

There's no reason for the OS to ever need to read the binary from disk again. Even if it was swapped out it would read the image from swap, not the binary from disk. Again, like I said in my post, I've done this many times on Solaris, OpenBSD, and Linux without issue. Haven't tried SunOS since I don't have access to machines old enough to be running it.

Re:*** Help on upgrading a remote server?

[xUnit187x]

If you overwrite shared libraries while a process is using them, it may segfault. Best to atomically replace them (i.e. with mv from the same filesystem), or unlink then replace.

Re:*** Help on upgrading a remote server?

[Alex+Farber]

I don't see an ID==1:

pref:alex {309} ps uawx | grep ssh
root 29251 0.0 0.2 360 1168 ?? Is 8:16PM 0:01.11 /usr/sbin/sshd
root 24161 0.3 0.3 404 1524 ?? S 11:29PM 0:10.04 sshd: alex@ttyp0 (sshd)
alex 18458 0.0 0.3 512 1452 p0 I 11:52PM 0:00.39 ssh grappa.unix-ag.uni-kl.de -l anoncvs cvs server
alex 26968 0.2 0.3 704 1668 p0 S+ 11:53PM 0:05.35 ssh grappa.unix-ag.uni-kl.de -l anoncvs cvs server
root 12424 0.0 0.3 404 1524 ?? S 12:02AM 0:01.13 sshd: alex@ttyp2 (sshd)
alex 13765 0.0 0.2 1284 872 p2 RV 12:08AM 0:00.00 grep ssh (tcsh)

pref:alex {310} uname -a
OpenBSD pref 3.0 GENERIC.pref#3 i386

Re:*** Help on upgrading a remote server?

[brad_f]

that would the first one on the list:

root 29251 0.0 0.2 360 1168 ?? Is 8:16PM 0:01.11 /usr/sbin/sshd

Re:*** Help on upgrading a remote server?

[Dahan]

So use install(1), or rm the old binary first.

Re:*** Help on upgrading a remote server?

[mcrbids]

Ouch!

You do things the hard way! I much prefer:

1. rpm -Uvh openssh*.rpm
   
2. /etc/rc.d/init.d/sshd/restart
   

   We could exit here, but I like to be sure..

3. ssh localhost login, make sure it works ^D
   
4. ^D
   

Sooooo much easier....

-Ben

Re:*** Help on upgrading a remote server?

[Neon+Spiral+Injector]

A little late to reply, but just incase anyone looks.

Older versions of OpenSSH didn't have this security feature. You probally will run into it every time now.

Performance of network software

[Tom7]

> I cry BS. Your previous post claimed that
> performance was not a reason and yet I don't
> believe you. Wake up and stop acting as the HW
> vendors lobbyist.

Actually, I am a "modern languages" lobbyist, not hardware. =) But that's because I study and believe in programming languages, not because I have some kind of financial interest.

I'd love to respond to your post but I don't know what your point is. I guess all I can do is reiterate my point on performance:

1. sshd, running on my machine for about 8 months, has accumulated a mere 2 minutes and 30 seconds of CPU time. Of course, sshd forks off a new process for each connection, but all of the ones on my machine (some of which are at least a week old) have used 0:00. If someone knows a way I can measure the actual time spent by the daemon, I'd like to hear it, but I assume for now that it is *very small*.

2. I can easily fill my 100Mbps connection without breaking 2% CPU usage. (In other words, sshd is bandwidth limited, not CPU limited.)

3. Most home / small business users do not have 100Mbps connections, and could care less about the difference between 2% or 5% CPU usage.

4. However, most home / small business users DO care about having to download patches when their C programs contain buffer overflows.

5. Modern languages are not actually much slower than C. (I estimate worst case 2x slower, typically more like 20% for SML, which is what I wrote my FTPD in.) Being easier to write in, they also give more opportunity for high-level optimizations.

Therefore, I conclude that for almost every user, security is a more important concern than speed, at least as far as network daemons go. How can you argue the opposite?

Re:Performance of network software

[bruckie]

sshd, running on my machine for about 8 months, has accumulated a mere 2 minutes and 30 seconds of CPU time. Of course, sshd forks off a new process for each connection, but all of the ones on my machine (some of which are at least a week old) have used 0:00. If someone knows a way I can measure the actual time spent by the daemon, I'd like to hear it, but I assume for now that it is *very small*.

Try ps axS | grep sshd | grep -v grep. The -S switch for ps makes it show time spent by a process and all its dead children. Also check out the -S switch for top.

Re:Performance of network software

[teflonrabbit]

on a ppro 180, ssh can't push more than 15 mbit. For slower machines or with many concurrent connections or a need to run other processes while there is a high network load, a faster machine is required, or a faster language. By using C for the ssh implmentation, I can push 15 mbit instead of 8.

Re:Performance of network software

[lkaos]

This entire thread has absolutely made me sick. It reminds of the folks who cry that an OS should be written in a BASIC dialect or in Java (or even C++ for that matter).

High Level languages (it's silly to refer to them as "modern languages") all suffer from one fundamental problem. They do not allow sufficent control over program behavior to make the kind of assurances that high-performance applications need to make. OpenSSH rocks and it could not be rewritten in Java or some other silly language.

These languages are good for simple programs or assembly line programs where performance is not really an issue. Java and other interpretted languages require huge memory overheads and are only as stable as the underlying VM.

Do not kid yourself that Java isn't exploitable. Especially with the J2EE package that encourages network transparency. Anytime you communicate over a network you undertake considerable risk.

BTW: This who is very unlikely to be a rootable exploit. Off-by-one errors will likely cause only a SEGV or perhaps undefined behaviors. It is not like buffer overflows as it is not easy to insert arbitary code.

Remember too that OpenSSH is open source whereas the Java Runtime library isn't. Give me a week with the source to Java and I guarentee I can find you a bunch of remote exploits. Open Source software often gets held to much higher standards than traditional software simply because there is no way to cover up all the little holes.

And you may think your an expert since you wrote an FTPD but is it as capable as wu-ftpd? Just because you can serve a file as quickly doesn't mean that it comes anywhere close to handling all the features that wu-ftpd. Sit down and try to write tens of thousands of lines in a so-called "modern language" and you'll be back to C.

Re:Performance of network software

You can easily get the source of the JVM and libraries (even though it's not under a redistributable licence). Go for it.

Re:Performance of network software

[dvdeug]

Modern language does not mean interpreted, and especially doesn't mean Java. There are plenty of open source modern languages - Ada (GNAT), ML (SML, O'Caml), Eiffel (SmallEiffel). All compile to executables, and produce efficent executables.

They do not allow sufficent control over program behavior to make the kind of assurances that high-performance applications need to make.

If you're worried about that, why do you use the inefficent language known as C? There's no better way to get efficency and low-level control than Assembly.

Sit down and try to write tens of thousands of lines in a so-called "modern language" and you'll be back to C.

Really. I haven't reached the tens of thousands mark yet, but I've written thousands, and when I curse Ada, it's because it doesn't have garbage collection and because it encourages fixed length, single-byte strings over unbounded Unicode strings. Both C problems.

Re:Performance of network software

If you're worried about that, why do you use the inefficent language known as C? There's no better way to get efficency and low-level control than Assembly.

The issue is not necessarily efficency. It's about control.

Really. I haven't reached the tens of thousands mark yet, but I've written thousands, and when I curse Ada, it's because it doesn't have garbage collection and because it encourages fixed length, single-byte strings over unbounded Unicode strings. Both C problems.

I hate it when people make comments like this. The fact is, you can do ANYTHING in C. If you want garbage collection, get a library, or make your own. You want array bounds checking, get a library, or make you own. It's easy. The problem is not many people use garbage collection and bounds checking in C because you lose the raw speed. Really, it's not any worse than using a language that supports those features because in all likelyhood that "other" languages was written in C.

Re:Performance of network software

[Tom7]

Your post has some fundamental mistakes...

1. I'm not talking about Java; it has a lot of problems and it is not really representative of what modern languages can do. Just to be concrete, let's choose SML as an example of a modern language.

2. Java does not need to be interpreted. SML is hardly ever interpreted; all of the SML compilers I know produce fast native code.

I don't know much about java, but you can feel free to look at the SML runtime libraries (all open source as far as I know) and try to come up with remote exploits. We'd love to hear about them, though I don't think you'll have much luck. You can find an index of some of the SML compilers at http://standardml.org/.

> And you may think your an expert since you wrote
> an FTPD but is it as capable as wu-ftpd? Just
> because you can serve a file as quickly doesn't
> mean that it comes anywhere close to handling
> all the features that wu-ftpd. Sit down and try
> to write tens of thousands of lines in a
> so-called "modern language" and you'll be back
> to C.

I'm not calling myself an expert. It was a total joke to write the ftp daemon; it took me a weekend and it didn't involve any kind of research or learning. I just did it. It would be pretty easy to support the rest of what wu_ftpd supports, but as it is I am RFC compliant and I don't need to support any of the archaic character encodings or dubious "features" (like SITE EXEC) that wu_ftpd supports.

I did it as a proof of concept -- it's easy to rewrite software from scratch, and it's easy to do it in high level languages, and the resulting performance is more than acceptable. (And of course the code is nicer and the applications are more secure!)

I have written tens of thousands of lines in Standard ML, and I don't plan on going back to C! In fact, we're working on a compiler that's over 100,000 lines of code, and I couldn't imagine managing a similar project in C (nor can I imagine how long it would be!!)

Basically, it sounds like you have some more learning to do about what is out there.

Re:Performance of network software

1. Wrong. Sshd uses a significant amount of cpu time for file transfers, a la scp.
2. Well, I have a 266Mhz PII, and saturate my CPU using Blowfish (cheap encryption) below 10Mbps. I think you aren't actually using encryption. :-)
3. I *do* care. If all my software uses 2.5 times as much CPU, my 266Mhz processor has just been converted to a 100Mhz processor.
3. Bugs are going to happen. It may be like WinNuke on NT, where the system just dies in a DoS, but they still have to be patched.
5. If SML is so little slower and so much faster to develop in, why aren't games being written in it? They have tight development time, and if you're right, the speed isn't an issue.

Re:Performance of network software

[lkaos]

Modern language does not mean interpreted, and especially doesn't mean Java. There are plenty of open source modern languages - Ada (GNAT), ML (SML, O'Caml), Eiffel (SmallEiffel).

When in the world did Ada become a modern language???

I beg to differ about C being less efficent than assembly. Anything that can be done in assembly can be done just as effectently in C. The only time assembly is required is for odd-ball processor specific optimization.

Garbage collection is really overrated. Well, full blown GC atleast. One can write a C++ program and never use a malloc/new almost in every circumstance. It also encourages use of the stack as opposed to allocating everything in the heap which is much more memory efficent.

C is a great language. C++ is a better language because it has many more features. C++ has any (and probably more) features than SML, ADA, & Eiffel. The reason people don't like C/C++ is simply because one can do bad things in it. A language shouldn't be gauged on how idiot-proof it is though.

Re:Performance of network software

[dvdeug]

The issue is not necessarily efficency. It's about control.

And again, assembly gives you more control than C. If it didn't, then you wouldn't see Linux (the kernel) developers show up on the GCC lists every so often complaining about the latest (ISO C legal) optimization that broke Linux.

The fact is, you can do ANYTHING in C.

Duh. In its weakest sense, that's trivially true - all programming languages have the same power as a Turning machine. In a stronger sense, it's not true - there are parts of the kernel written in assembly because they can't be written in C. There's no way to use the hardware BCD commands from C, short of inline assembly. (And, yes, C is not the only language to let you use inline assembly.)

If you want garbage collection, get a library, or make your own. [...]

And then I end up using a kludgy half assed solution that's either non-portable, painful to use, and/or increadibly slow. Gee, thanks. A properly garbage collected language will be faster and more reliably garbage collected than anything you can do with C.

it's not any worse than using a language that supports those features because in all likelyhood that "other" languages was written in C.

Huh? Besides the incorrect assumption that all compilers and interpreters are written in C (a huge number bootstrap), there are worlds of difference what can be done with built-in syntax and hacked up macros and functions. The built-in syntax usually runs faster (since the compiler knows exactly what to look for to optimize), is usually more convienent to use, and nobody accidently uses malloc or native arrays if GC and bounds checking are built in.

Re:Performance of network software

[dvdeug]

When in the world did Ada become a modern language???

Why isn't it a modern language? It's got object orientation, templates, all the features you'd expect out of a modern language.

I beg to differ about C being less efficent than assembly. Anything that can be done in assembly can be done just as effectently in C.

Can I have what you're smoking? A person with unlimited time can always beat a compiler at optimization, if only because he can look at the compiler's output.

C is a great language. C++ is a better language because it has many more features.

So you can measure the goodness of a programming language by counting features? Then PL/I is much better than C. Why did so many people use C then?

C++ has any (and probably more) features than SML, ADA, & Eiffel.

I take it you aren't familiar with those languages? Among other things, Ada has tasking and Eiffel has preconditions and postconditions, neither of which are in C++.

A language shouldn't be gauged on how idiot-proof it is though.

There are no perfect programmers. If many good programmers make a particular style of error that results in a root hole because of a language, perhaps some other language should be used. The other solution, hire only perfect programmers, doesn't work because they don't exist.

Re:Performance of network software

[lkaos]

Why isn't it a modern language? It's got object orientation, templates, all the features you'd expect out of a modern language.

Just because a language is object oriented, doesn't mean it's a 'modern language'. The object oriented paradigm isn't the only paradigm out there.

As you mentioned yourself, Ada does not have a garbage collector and it also doesn't have any real mechanism for security (to provide os-independent security mechanisms as java does). You may say it's object oriented, but it doesn't support MI, partial specialization, or operator overloading. Not to mention the fact that Ada is a little old to be considered modern :)

So you can measure the goodness of a programming language by counting features? Then PL/I is much better than C. Why did so many people use C then?

PL/I is just an ugly language. C is a very natural language.

Not necessarly quanity of features but richness of features. As far as OO is concerned, C++ supports a huge amount of OO features (specifically regarding templates) that most other OO simply don't support.

While C++ doesn't support all OO concepts (double-dispatching is the most obvious feature feature that's lacking), it supports a lot more than other languages.

There are no perfect programmers. If many good programmers make a particular style of error that results in a root hole because of a language, perhaps some other language should be used. The other solution, hire only perfect programmers, doesn't work because they don't exist.

People villianize C/C++ because some bad things can be done in it. The fact is that there is an aweful lot of code written in C/C++ and the percentage of exploits to number of SLOCS of C/C++ is not as high as many would like you to believe.

This article is not an example of a root hole. I have worked on very large C++ programs with relatively inexperienced programmers and we never have serious problems with there code. Of course, we don't have problems because we have rules about not using the dangerous features of C++ (such as direct array indexing or unchecked dynamic memory allocation). Likewise though, having access to those features allow for extremely efficent code to be written by more experienced programmers.

A language's goodness is not gauged by how idiot-proof it is, but in how scalable it is to both the beginner programmer and the more expert programmer.

BTW: Ada doesn't

Re:Performance of network software

[dvdeug]

The object oriented paradigm isn't the only paradigm out there.

True, and interestingly enough, Ada supports all the paradigms that C++ does - procedural, object orientated, generic.

You may say it's object oriented

Are you claiming it isn't?

but it doesn't support MI, partial specialization, or operator overloading

Partial specialization has nothing to do with object orientation, and Ada does support operator overloading, and always has.

The fact is that there is an aweful lot of code written in C/C++ and the percentage of exploits to number of SLOCS of C/C++ is not as high as many would like you to believe.

That's not an interesting number. The absolute number of exploits is much more interesting, and it's much too high, and too many of them are the same old buffer overflows.

having access to those features allow for extremely efficent code to be written by more experienced programmers.

But I have access to those features in Ada. I just have to turn array overflow checking off. Unsafe features just aren't the default.

Re:Performance of network software

Exactly.
Similarly, when was the last time you wrote something in TeX? The "hacked up macros" of LaTeX make TeX much more convenient.

Re:Performance of network software

Write a matrix multiplication function in sml to handle 5000 x 5000 arrays. I don't think you'll get a 20% slow down (or even 2x), it will be much, much worse (I did a test in java for the hell of it ages ago and it was about 50x slower, which honestly isn't that bad considering all the crap a byte compiled language has to do extra).

My point is only that SOME applications need that extra speed (of course, since I tend to do mathematically programming I see it more often than most) that c gives.

Just my $.02

Re:Performance of network software

1. Wrong. Sshd uses a significant amount of cpu time for file transfers, a la scp.

True encryption, when used, is a bottleneck. However it's exactly the candidate part of code to be written not only in C, but in assembly with MMX/SIMD/whatever extensions support. Once you've done that, since it's the bottleneck, writing the remaining of code either in assembly, C, or a decently fast language doesn't give you any noticeable speed advantage. So you could choose to go for a language going for safety, maintenance ease or development speed.

2. Well, I have a 266Mhz PII, and saturate my CPU using Blowfish (cheap encryption) below 10Mbps. I think you aren't actually using encryption. :-)

Then you are using a very suboptimal implementation of Blowfish (which puts my answer to 1 in perspective). Here is what you can get with assembly: Fast implementations of encryption, which is not that much less than standard C code except for a few algorithms (where you can get x4 speedup due to paralellisation). You should fill 100 Mbps with Blowfish and your computer.

5. If SML is so little slower and so much faster to develop in, why aren't games being written in it? They have tight development time, and if you're right, the speed isn't an issue.

Managers want easy-to-swap programmers. That's often is a prime requirement even before software quality, even if actually it makes the company less likely to succeeded. Usually only demands of utmost security can prime over this requirement. But still, for instance, for in-house developing of Doom,Quake,etc... Objective-C have been used ; some games use a Lisp interpreter/compiler. It has not to be SML per see, almost all modern language are higher level than C.

Besides marketing hype, the problem is also economical (fewer SML, Lisp, Smalltalk, Eiffel, ... programmers); not technical. That's why Windows has been so successful all the way to nowadays ; enough to sensibly improve.

Re:Performance of network software

My point is only that SOME applications need that extra speed (of course, since I tend to do mathematically programming I see it more often than most) that c gives.

If you want fast 5000x5000 matrix multiplication, you're better use assembly and Pentium III+ SIMD instructions. The difference between assembly and C will likely be greater than between C and SML. See also Matrix multiplication test, which shows OCaml (SML derivative) is about 30% ("The OCaml solution is just as fast as the C/C++ solutions, until we add the -funroll-loops optimization option to our gcc/g++ programs, which naturally gives them a small advantage.").

My point is only that SOME applications need that extra speed (of course, since I tend to do mathematically programming I see it more often than most) that c gives.

Why not use assembly then? And you are assuming also other languages than C are noticeably slow, which is wrong at least for OCaml, one of the faster implementation of a ML-type of language [it compiles directly to machine code, and has support for Itanium, among other things]. Also no one prevents you to write subfunctions in C or in assembly.

Re:Performance of network software

Depending on the language, yes they do prevent you from
writing subfunctions in C. Most of my programming is actually
done in perl or tcl/tk where I can write stuff
in C easily and link it (and from time to time
assembly).

As for the ocaml info, thanks, I didn't know y'all
had optimized it so much. It's great to see folks
using languages other than c (or fortran) to do hard math
calcs (hard in computer usage). It does surprise me that you don't incur any performance hit, having to check bounds each time you look at matrix entries, however.

Re:Performance of network software

Can I have what you're smoking? A person with unlimited time can always beat a compiler at optimization, if only because he can look at the compiler's output.

Looks like you've already had your dose of whatever stuff it was. _PERSONS WITH UNLIMITED TIME DO NOT EXIST IN THIS WORLD_.

Re:Performance of network software

[zerocool^]

hrm
is it bad if sshd has used about twice the time that httpsd has?

~z

Yes, of course I read the patch.

[Tom7]

Yes, I read it. The bug is that they write outside the end of an array.

A modern language would not catch this bug (unless you were using a data structure like a search tree instead of an array). However, it would make it NON-EXPLOITABLE, because a safe language would cause an error (ie, exception) on an out-of-bounds write, not corrupt the heap or stack and allow for an exploit.

Re:Yes, of course I read the patch.

[frank_adrian314159]

However, it would make it NON-EXPLOITABLE, because a safe language would cause an error...

Which would allow it to be used in a DOS exploit. Imagine every time you opened an SSH connection, within 10 seconds it crashed. This is still an exploitable defect, though in another manner.

This is not to say that modern languages are not a good idea, just that they are not panaceas (or placebos, if you are a /. editor :-).

Re:Yes, of course I read the patch.

[adubey]

Right. You have two choices:

1) Getting a root exploit and not knowing about it.
2) Getting a DOS attack, and having a log file say exactly how the attack was occuring (because SSH was logging all the errors into a file).

Hmm... maybe number 2 isn't a panacea or placebo, but maybe it is better than you're making it out ;)

Re:Yes, of course I read the patch.

but maybe it is better than you're making it out

Which is exactly what many of us would say about writing servers in low level languages.

Re:Yes, of course I read the patch.

[Florian+Weimer]

A modern language would not catch this bug

Languages with array types tend to avoid such bugs because you can test for the validity of an array index using special constructs ("Channel_Id in Channels'Range" or something like that), and you don't have to resort to comparision operators.

Re:Yes, of course I read the patch.

You mean it's redundant, since you have to write both the code and its verification (and that's OK).

I'm not.

[Penguinoflight]

I was making a reply, to an idea that somehow this worm is going to spread all over the place because it's well documented, etc. I'm not running a corporate network, so I don't worry about it.

Why do yoWhy do you think IIS is so vulnerable? Because admins think they don't need to worry about it.u think IIS is so vulnerable? Because admins think they don't need to worry about it.

Let's see here, who wrote ISS? The same people who think you shouldn't publicize bugs EVER. ISS is insecure because Microsoft doesn't care, not because they are proud, or because administrators are lazy.

FYI: my box may have been exploited by this

[umoto]

Two weeks ago my Mandrake box, connected to a cable modem, was rooted. The only port open to eth0 was ssh (openssh-3.0.2p1). I analyzed the logs and they indicated someone had spent an hour trying to exploit various SSH bugs that have been fixed in the past. Then there was an 8 minute pause before "linsniffer" was installed and eth0 went into "promiscuous mode".

I haven't been able to verify openssh-3.0.2p1 was truly the cause, but it seems likely. This may have been the remote root exploit which the advisory "does not rule out".

Re:FYI: my box may have been exploited by this

OK (and I asked this to the previous person posting here who claims to have gotten rooted by this exploit), How can this be a remote exploit if the you need an existing user account to gain root privileges?

I'm not saying that there may be some other remote expoit for openssh-3.0.2p1, but this one clearly states that an existing login is required.

Re:FYI: my box may have been exploited by this

[umoto]

According to the advisory, "Exploitability without an existing user account has not been proven but is not considered impossible."

I'm continuing my analysis and I'll reply to my original comment if and when I find out any more info.

Re:FYI: my box may have been exploited by this

If you learned to read in grade school, you'd notice that a remote exploit has not been ruled out. Therefore, the prerequisite of having an account is, well, non-existent.

Re:FYI: my box may have been exploited by this

[m_ilya]

Are you sure that you were exploited via ssh? AFAIK to exploit this hole attacker must have opened ssh session. It means that only to exploit it attacker must know login/password on your box.

Re:FYI: my box may have been exploited by this

[bigberk]

I believe there are various weaknesses if you use SSH1 connections (spoofing vulnerabilities) that may have led to interception of your login info. Once an attacker has any local user account, a linux system is good as gone.

Edit your sshd_config so that it accepts SSH2 connections only.

any more details?

[JPriest]

I don't know c but would I looked at the patch and would I be correct to say that this means it was

Integer id
if id is greater than (>) allocated memory on the stack then return null

when it should be Integer id
If id is greater or equal to (>=) allocated memory then return null and log it.

hence the off by one?

If this is incorrect (likely case) then please correct me, and could someone clear up what the channel_lookup function is used for to maybe give a better on this being possibly used as a remote compromise. And would I be correct to assume regardless of local/remote access theat the user would first need a valid account on the system prior to attempting to escalate privileges? This advisory is hardly complete.

Should be "between vers. 2.0 & 3.02 **INCLUSIV

[Zocalo]

Given that OpenSSH.org just released v3.1 to fix the exploit.

And I thought it was just about time to go home too. Now I'm warming up my compiler... :-(

No need to give up

[Fritzy]

As I scan through, I see several posts of people giving up hope, and even those showing signs of dispair because they have an ssh server that they don't want to remove that service from. Fear not my friends. Simply download the rpms (openssh, openssh-askpass, openssh-clients, openssh-server) and give it an old rpm -iU openssh, openssh-askpass, openssh-clients, openssh-server It'll update everyting for you /and/ restart your services real quick. Or, if you feel like being a man, you can compile the sucker, and copy over the older versions and restart the services manually. Either way, there is no need to dispair. You're not going to lose your ability to serve ssh securely to your users. Of course, this comes as no news to most of you, but just wanted to explain it to the people who didn't seem to understand.

Here's the patch....

[seek31337]

From FreeBSD's port archive, this will fix 3.0.2:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA- 02:13/openssh.patch

Re:I submitted this earlier and it was rejected

Usually, trolls really piss me off on a sheer annoyance factor. But this is the funniest fuckin' thing I've seen on /. in a long time.

I'm going back to telnet

[cluge]

How many exploits can one "secure" softare package have? I mean jesus, BSD is fairly secure and this project is supposed to have BSD style security checks. What went wrong.

Information like this makes me

A. Consider purchasing SSH from a commercial source because the AMOUNT of problems with it is less

B. Going back to telnet!

Not many people out there with sniffers between my box and my connection. Lots of l33t haX0rS with worms probing port 22.

Re:I'm going back to telnet

[marsvin]

A. Consider purchasing SSH from a commercial source because the AMOUNT of problems with it is less

SSH is complex software; it's bound to always have bugs. OpenSSH just gets audited more. At least this way, *everyone* knows about them, not just the black hats.

Re:I'm going back to telnet

[gypsyx]

Think back to the recent /bin/login CERT advisory. Telnet and the R-services use /bin/login. Telnet was, therefore, exploitable on many boxes.

Re:I'm going back to telnet

[EllF]

Interesting approach. Information like this makes me extremely glad to be using OpenSSH, because I know that this exploit is now well-known and patchable, as opposed to being buried deep in some "Service Pack" style patch and not documented. I immediately took down my 'net-facing SSH machines; how long would they have been vulnerable if some commercial entity was responsible for informing me that their code was flawed?

That's really the best part of open-source software: bugs are more apt to be found, as more people can look for them. Maybe not *you*, but someone. I know I've been able to look at the source to apps I find myself questioning; just last week I ran through the esound code to figure out if it was subject to buffer overflows at a certain point. :)

The "AMOUNT of problems" reported may be smaller with a commerical program, but that does not mean that there are fewer bugs in the code. Commerical code is not inherently more secure, and telling customers about fewer existant problems doesn't magically make it so.

Re:I'm going back to telnet

[gid]

Openssh has had many "problems" because of how closely the OpenBSD people scrutinize their code, and because they're open about it. Not because it's insecure.

Would you rather only 15 people knew about an exploit on a closed source daemon? It would never get fixed then. And you'd never know what hit you that way if you did get rooted.

If you feel iffy about ssh using port 22, hide it on port 63234 or something if you want. Sure it's security through obscurity, but it never hurts to have multiple layers of security.

Re:I'm going back to telnet

How many exploits can one "secure" softare package have?

Notice that this qualifies as NEWS? How many times do you see stories about "one more local hole found in Windows"? Does that mean there aren't any?

Re:I'm going back to telnet

[shrikel]

If you're that paranoid, you could keep your SSH, but have it listen on a non-standard port.
Okay, it wouldn't solve any problems, really, except that the 31337 haX0rS' worms wouldn't find you.

I don't know what's sadder.....

[hardave]

the fact that I have to now upgrade ssh on all my boxes, or the fact that the first I heard of this was on /. instead of oh say, BugTraq.
(Of course, what pops into my inbox as I'm writing this, but the advisory on BugTraq.)

About the server

[Tom7]

OK, I'll tell you a bit about it.

> Does the compiler for your favorite modern
> language support binary code optimizations that
> let your ftpd run as quickly as a popular C ftpd

Yes, mlton (for my favorite modern language, SML) produces nice native code. I would guess that my server is no more than 20% slower than a C server implemented the same way.

> Does it have a GC thread that might kick in and
> cause delays?

There is no GC thread in typical SML implementations. GC happens when an allocation fails because the heap limit is reached. GC times are typically very small (especially when amortized against essentially free allocation compared to malloc()), and in fact the compiler I'm working on at school has a real-time GC. But do you really need real-time guarantees for an FTP server? The actual transfer portion doesn't even do any allocation.

My ftpd can easily fill my 100Mbps connection at school without breaking a sweat. I don't know how many users it can handle, though.

> Or did you just use bounds-checked C++ arrays
> and strings?

C++ wouldn't guarantee safety, even if using bounds-checked arrays and strings, since you can still do things like a double free of memory. Also, I find that C++ lacks many features that make writing software much nicer in SML, but that is of course a subjective thing.

That said, my ftpd would probably need more enhancements to support a *really* popular ftp site. But I think that would not be so hard; in fact, easier than C. My server is intended for the 95% of users who run a home machine and need to transfer files from time to time, but DON'T want to get rooted because they aren't up-to-date on patches. I would be VERY surprised if there is any exploitable bug in my daemon.

(Also, I think FTP sucks too. I just did it because it's a relatively simple protocol, and at the time (summer 2001) ftp servers seemed to have the highest profile security holes.)

Just saw my first BFA

[hardave]

Okay, looks like they've started using those big fucking ads. First impression, the size of them doesn't really bother me, but the placement of them does. They just seem to kill the flow of a page. Personally I think it might be better if they could shove it off too the side in one of the sidebars.

Excellent, thanks! **PLEASE MOD PARENT UP**

[TomatoMan]

Thanks for this superb explanation. Moderators, please mod it up so other people can see it - there may be people out there who don't want to upgrade because they're worried about this.

No, you're wrong...

[Tom7]

I read the patch. It is not a buffer overflow in the traditional sense of strcpy, but it is an out-of-bounds write. You might consider that a buffer overflow, but maybe not. (Did I even call it that?)

Read my post again: I said that this error would NOT BE EXPLOITABLE in a modern safe language. You can still make the error, but the array write would be checked and would result in some kind of defined behavior (ie, an exception). This is true of buffer overflows as well.

How embarrassing for them...

[pclminion]

How can something like this make its way into OpenSSH?! Off-by-one? It might be a common error to make, but I would think that people writing security software would constantly be thinking to themselves about the consequences of these kinds of errors.

It's also a real bonehead mistake. Everyone knows that to iterative over an array of n elements, you do this:

for(i = 0; i < n; i++) { ... }

And everyone should also know that the array indices for an array with n elements range from 0 to n - 1. The actual mistake was something like this:

if(idx < 0 || idx > arraySize) { error(); } else { ... }

I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I loop over arrays I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece of security software. How completely embarrassing.

Re:How embarrassing for them...

[Mike+Buddha]

If you think you can help, why not pitch in, instead of merely complaining? Your complaints, although valid, aren't of much use to anyone after the fact (and they do sound conceited and self-righteous, considering how little you've offered to the community, thusfar).

Re:How embarrassing for them...

[Sloppy]

And everyone should also know that the array indices for an array with n elements range from 0 to n - 1.

People who only use C and C-like languages, surely have that burned into their brains. But if a programmer switches between a number of languages (not everyone's arrays start at 0) I think it's understandable that someone might:
if(idx < 1 || idx > arraySize) { error(); } else { ... }
at least that would be consistently wrong.

As for looking at bad code and having a "subconcious SCREAMING reaction", it sounds like you'd be a useful auditor, then. Get to work; find the next OpenSSH bug so that I don't read about it on Slashdot next year. :-)

Re:How embarrassing for them...

[Pussy+Is+Money]

but when I look at this I have an almost subconscious SCREAMING reaction.

Too bad you didn't look at it then, you poofta.

Re:How embarrassing for them...

Listen to this shit! Why the fuck should he have to audit and fix every fucking bug (All 10,000 of them) in the "Linux" distribution (take your pick). What the fucking hell aren't the goddamn coders responsible? I thought that Linux was beyond reproach. Completely stable and secure (Anyone reading /. would get that impression by reading these comments.) Just because your world of FUD has broken down (yet again) don't try to blaim the people that point it out!

Couple things

[clump]

The most important thing to realize is that when a machine is comprimised, it cannot be trusted. You may think that you were running only OpenSSH but you may have been runnning other services started a long time ago. I would be curious to know what kind of logs you had to go by to see what this attacker did. Slightly-smart ones clear every trace.

Also of note is that this particular advisory is known only to affect local users. I don't think this particular bug is the cause. It may have just been a friend shoulder-surfing.

If you want to do analysis on a cracked machine, you should place the hard disk into a different machine and examine the contents.

Re:Couple things

[umoto]

I realize that, but this particular attacker did not cover his tracks very well at all. And this advisory says it does not rule out the possibility of a root exploit.

All the clues point to this bug, but I have no scientific proof that this bug was the cause, so I can't say much more. Only that there was a chance.

Score 3? LOCAL root, L O C A L.

[Nijika]

That is all..

I'm glad I use MS telnet instead

Gee whiz!!!
With all these holes that have been found in openssh I am glad that I use telnet.exe. I do not believe that there have been any holes found for this robust application. Also runnning a telnet server on W2K is totally cool. All you unix fools running openssh deserve what you get owned!!!

Re:I'm glad I use MS telnet instead

This is nothing but a fucking troll!!!! You shithead

Re:I'm glad I use MS telnet instead

[PFAK]

Can we spell LAMER. MS HAS More damn exploits then any other corporation in the world with all their software. Roothat (Redhat) is more secure then M$ Winblows. Fscking troll!

Re:I'm glad I use MS telnet instead

[wallshot]

Don't be so sure redhat's less buggy. Redhat loves to put beta software on their distros, cares little for testing before implementing, and in conclusion i can only say one thing to prove the lack of care for decent OS on redhat's part: `grep linuxconf /etc/services`

Now after about 20 mins of re-configuratin and turning crap off, redhat MIGHT be secure.

Re:I'm glad I use MS telnet instead

Sorry, but putting stuff in /etc/services does nothing but describe the port it runs on....

Not that redhat is secure, but that's crap

Get A Terminal Server

[mikeplokta]

The best answer only works if you have more than one box at your colocation facility, and involves buying another box. Buy a terminal server. Connect it to all the serial ports on your other devices. Secure access to it thoroughly. Now, you can telnet to the serial port on a box from another box -- with decent hardware, e.g. Sun Netras, you can even powercycle it if you need to.

Being helpful and encouraging security risks

[SomethingOrOther]

I guess I should know better than to let my helpful side show on slashdot.

You may have had the best intentions, but in reality (by uploading untrusted SSH binarys) you are encouraging people to take stupid risks.
Its farily obvious by uploading the binarys that you are not a security expert :-)

Please THINK!!!

Re:Being helpful and encouraging security risks

[Mr_Perl]

You may have had the best intentions, but in reality (by uploading untrusted SSH binarys) you are encouraging people to take stupid risks.

They're very trusted. I downloaded them from the vendor's site and built them myself. Anyone who trusts me (note the link to my homepage if you care to do research on myself or my company) can go download them. Anyone who has doubts can wait a week for their distro to put out updated RPMS.

I think anyone like yourself can be an armchair "security expert." Come up with something USEFUL yourself instead of whining at those of us who are trying to make life easier for others.

Re:Being helpful and encouraging security risks

[BobNET]

Let the people take stupid risks if they want. If there is malicious code in there, then I guess they'll get what they deserve!

Or does "getting what they deserve" only apply to IIS users?

Re:Being helpful and encouraging security risks

Just ignore him. He's an idiot. The die-hard security nuts will simply disable openssh for two weeks and wait for a tested distro release, anyway. The rest of us will keep doing work.

Damn, I really want to upgrade to something newer than RH's 2.9, but every time I try, scp breaks.

Denial of Service vs. Root Exploit

[Tom7]

Actually, I don't care much about DOS "exploits", especially ones that require the attacker to expend resources to keep the attack up. It's pretty simple to flood my connection and make my computer unusable anyway.

In the case of SSHD, the situation you described wouldn't happen -- it spawns a new process for each connection, so an exception thrown in one wouldn't cause the others to be dropped. The attacker would merely be using up your resources.

A programmer in a modern language has plenty of choices, too. He can catch exceptions and restart the server. He can log them. And of course, the users are safe from being rooted until a patch is out.

This is why I use commercial SSH!

Doesn't affect me as I use SSH Communication's SSH. Additionally, the SSH's source code is much more efficient and cleaner than OpenSSH's "spaghetti" source code. I get 8X the thoroughput on sftp xfers with SSH versus OpenSSH using equivalent hardware. The only advantage to OpenSSH that I can see is it is free.

Re:This is why I use commercial SSH!

[jjeffrey]

Free software dosen't usually mean bad software, e.g. QMail

Commercial software often dosen't mean good software, e.g. Windows.

Re:This is why I use commercial SSH!

[dmiller]

You'll probably get faster sftp xfers with 3.1, we do overlapped read/writes now.

Re:This is why I use commercial SSH!

[WildBeast]

You should read a letter than Linus wrote a few months ago.

Or use Kerberos

[fw3]

Kerberos developed at MIT and used in many (most?) large-scale production systems. Source available.

Kerberos has been around since '88, opensource (MIT license). It is not developed at the breakneck pace of the more modern SSH and to my knowlege has had fewer exploit bugs in 14 years than the assembled flavors of (commercial *&* open) SSH have exhibited in the last 2 years.

Krb5 is not slick as SSH, you can't use it for a poor-man's VPN; it uses a more expensive cypher (3DES) for both auth and fully encyphered network connections. Rsh, rlogin rcp all available with strong encryption. It's not as easy to setup, nor well suited to very small networks but for my money where applicable it's a far more solid solution.

And yeah OpenSSH's seriously checkered security record has done very little to make me think of applying OpenBSD .. thoughts?

Exploiting scenario

[pmf]

After analysis, I can say, that this vulnerability is 4 bytes heap overflow, VERY hard to exploit. Problably only Linux will be affected, because Doug Lea's malloc() depends on control structures located just after malloced buffer.

Re:Exploiting scenario

[gooofy]

is this really just a 4 bytes heap overflow or can the "semantics" of this channel struct also be exploited, e.g. to take over someone else's tcp connection?

Re:Exploiting scenario

[pmf]

Each user has it's own fork()ed copy of sshd running, so overflow can occur only in your own copy of sshd. The ONLY way to exploit it is to fool glibc free() by overwriting fd->prev or fd->next pointer.

Re:I submitted this earlier and it was rejected

pussy

Nifty banner ads!

Imagine a bewoulf cluster of those new banner ads...

Measuring the actual CPU time used by sshd

> If someone knows a way I can measure the actual time spent by the daemon, I'd like to hear it, but I assume for now that it is *very small*.

Just open top and press T to sort by CPU time and S to turn on accumulation. The time displayed now is the CPU time accumulated by the processes and all the spawned children. On my server (up 2 days) it is 39 seconds for sshd. A bit more than I would have thought. ;-)

Hope that helps ;-)

Re:Measuring the actual CPU time used by sshd

[Tom7]

A friendly AC writes,

> Just open top and press T to sort by CPU time and
> S to turn on accumulation. The time displayed now
> is the CPU time accumulated by the processes and
> all the spawned children. On my server (up 2 days)
> it is 39 seconds for sshd. A bit more than I would
> have thought. ;-)

Great!

According to my computer, sshd has used about 31 seconds of cpu time per day since I booted it months ago. Considering that I always have several ssh connections into it and often transfer large files via SCP, I think that's not very much at all...

Re:Measuring the actual CPU time used by sshd

I occasionally scp files, but often use X tunnelled over ssh.

My sshd has accumulated over 2 hours/day, and I only use this box remotely 2-3 days/week!

This is on a p4-1.5Ghz, so those hours actually mean something. People running sshd on older hardware will care even more.

MacOS X

[jjeffrey]

MacOS X 10.1.3 (latest version as of now) includes OpenSSH 3.0.2p1. I wonder how long before Apple get a patch out... I don't really want to rebuild from source on MacOS X, even though it did only take 5mins to build 3.1p1 on my FreeBSD firewall.

Re:MacOS X

[ChrisDolan]

No luck with fink.sourceforge.net either. They're at 2.9.9p2.

I would like to file a complaint

Actually I have two complaints:

1) I run Mandrake. Mandrake is based on RPMS packages. If I want an upgrade I require an RPMS package, not some patch file. Yes, I know I can compile the stuff from the source but installing a self-compiled package fucks up the RPMS registry. For instance, if I remove OpenSSH RPMS package and install the patched source code version, all the OpenSSH dependencies in other packages will be broken because the fucking installation system doesn't know about the compiled OpenSSH version! It's always a choice between having either locked in RPMS system or totally user-unfriendly system based on binary packages. Fuck it.

2) Why is it that all the Gnome mail clients fail to mark the posts on the server as read? It's almost like they assume that "of course the user wants to delete all the mail from the server". Well, not me. I want to be able to read my mail from log-in account as well as at home via a POP download. KMail doesn't seem to have a problem with this. So what's up with the Evolution and the rest of the Gnome mail clients? Fuck them.

Re:I would like to file a complaint

1. Ever tried 'rpm -ta SomeProg.tar.gz' ? You ll be surprised... It ll produce an rpm from source... I think that this might the option you are looking for...Next time RTFM...;-)

2. Use Mozilla (Netscape) Mail, it has the options you require...

3. DONT USE MANDRAKE! Debian rulez...

Regards

AC

Re:I would like to file a complaint

Mozilla is too fucking slow and bloated. I would never even dream of installing that monstrosity on my laptop.

Mandrake is the only distribution that can actually detect the hardware and install the proper modules for me. With the exception of the apt-get, Debian is from the stone age. I can't even get it to install on modern desktop computers and it has a fucking ugly and user-unfriendly installation GUI to boot.

Re:I would like to file a complaint

Dude, you do not need a fucking user-friendly GUI to install Linux. Quit being a fucking queer fuckhead. USe Debian. It is fucking sweet. Fuck Mandrake and its shitty unsupported rpm system. I have a fucking Mandrake 7.2 system and they don't even release patches for it anymore. I am fucked unless I upgrade to the fucking shitty Mandrake 8.1 which fucking SUCKS compared to Debian 3.0 woody dude. Fuck off.

Ha ha, ignorance is funny.

[Crag]

If there were such a thing, it would use ucspi-tcp, not an additional inetd replacement, and like qmail. Ucspi-tcp provides functionality that inetd doesn't, and maintains the "connection handling" vs "services" separation that inetd provides. It is a natural step to replace parts which do not provide whatever is needed, and to reuse those parts.

Also, qmail's division of the jobs into multiple independant modules makes security analysis and improvement of the whole package much easier. Every module is completely and explicitly documented in man pages and numerous web pages, so even a less advanced programmer like me can write a wrapper for a module to add funcionality to. The risk of unexpected consequences is FAR lower because modules have their own UIDs.

If there's a good reason for it, why not do it?

Re:Ha ha, ignorance is funny.

Well, aren't you just a barrel of laughs...

How is this offtopic?

[Pinball+Wizard]

I just got the exact same thing compiling for OpenBSD 2.7. Yes I installed the patch first. Any ideas?

openssl version required in INSTALL is *wrong*

[gskouby]

In INSTALL it says you need openssl-0.9.5.
That is wrong, you need openssl-0.9.6 or it
won't compile.

ignorance and self deceit

[wallshot]

Over the course of my years of slashdot reading, I have noticed that while many are quick to point out interesting tidbits on the negative aspects of OS's, Software, and Hardware. While these reviews and notes are useful, it seems that nothing is as unbiased as it might seem.

MS exploits often announced on here (yes i like to know about them) and in this case open's dev team mistakes are also what I consider news, however I cannot remember the last time anybody pointed out the dangers of RedHat. While every new version of a linux distro is waved about with great expectations and cheer, other OS's are actually being analyzed for the bad as well as the good. I won't say that nobody posts unbiased articles, and I will even admit that if every stupid needless redhat exploit were listed on slashdot, RedHat would look as bad as Windows. Almost every OS and piece of network software has exploits, and very VERY few developers ever get it right the first time. I just wonder why it's so easy to see all of the mistakes for software that we may not (choose/want to) use while pretending all those dozens of RedHat exploits we had to patch never really were a problem.

Those who even bothered to reply to this newsworthy post with openbsd-bashing, are the ignorant monkeys of the open source community and have obviously never really compared UNIX's in the server world.

Those who bothered to reply to this stating that C is the wrong language to code in bring up minor points and expect the code that drives the internet to change. C is small cpu load and if it turns out buggy, it is the developers fault. But to expect software developers who write based upon existing libraries and code concepts they have developed over decades of work to stop and try writing their apps in an experimental (and YES, pretty damn potentially exploitable itself being so new) language is just silly. PHP is "a modern language" and was just recently found exploitable despite years of development in the PHP arena. IMAGINE the chaos if the development language that your OS/net apps were written in was found to be buggy? To date I have not had to download a new version of gcc and recompile my OS/kern/3rd party apps due to a "C vulnerability". Using experimental non-prooven ( 10 years?) languages for OS/kern/apps is a pretty stupid risk.

Re:ignorance and self deceit

[dvdeug]

But to expect software developers who write based upon existing libraries and code concepts they have developed over decades of work to stop and try writing their apps in an experimental (and YES, pretty damn potentially exploitable itself being so new) language is just silly.

Huh? The first Ada standard came out in 1983, 6 years before the first C standard. The latest Ada standard came out in 1995, 4 years before the latest C standard. What's so experimental about that?

I have not had to download a new version of gcc and recompile my OS/kern/3rd party apps due to a "C vulnerability".

I take it you missed the whole remote hole due to globbing bug in glibc issue, then?

Using experimental non-prooven ( 10 years?) languages for OS/kern/apps is a pretty stupid risk.

So Kerrigan and Richtie were pretty stupid for writing their new OS in C, weren't they? They should have stuck with assembly and Fortran, should't they?

Somebody's got to prove the things. Considering the number of security holes due to things in C that other languages would prevent, and the comparitive rarity of compiler security holes (and it's a lot easier to fix bugs in one code base than a thousand), I'd say you're looking pretty good.

Features in latest release

[young-earth]

Version 3.1 has as its changelog (READ THIS, there are path changes etc. that you need to know about!):

Important Changes:
==================

- /etc/ssh/ now default directory for keys and configuration files
- ssh-keygen no longer defaults to a specific key type (rsa1);
use ssh-keygen -t {rsa,dsa,rsa1}
- sshd x11 forwarding listens on localhost by default;
see sshd X11UseLocalhost option to revert to prior behaviour
if your older X11 clients do not function with this configuration

Other Changes:
==============

- ssh ~& escape char functions now for both protocol versions
- sshd ReverseMappingCheck option changed to VerifyReverseMapping
to clarify its function; ReverseMappingCheck can still be used
- public key fingerprint is now logged with LogLevel=VERBOSE
- reason logged for disallowed logins (e.g., no shell, etc.)
- more robust error handling for x11 forwarding
- improved packet/window size handling in ssh2
- use of regex(3) has been removed
- fix SIGCHLD races in sshd (seen on Solaris)
- sshd -o option added
- sftp -B -R -P options added
- ssh-add now adds all 3 default keys
- ssh-keyscan bug fixes
- ssh-askpass for hostkey dialog
- fix fd leak in sshd on SIGHUP
- TCP_NODELAY set on X11 and TCP forwarding endpoints

So it's not just a bugfix release, is it?

Yep, Redhat 6.2 looks SOL so far.

[festers]

I'm trying to compile it on a RH6.2 server and getting nowhere. Grrrr.

What people say

[MarkusQ]

That's all true, but people still say "one-off error" to mean "off-by-one error".

I don't doubt this. Last time I heard, people were still saying "infer" when they meant "imply," they were still using "you're" and "your" as if they were interchangeable, they were still confounding RAM and hard drive space, and so on. People do all kinds of silly things.

But using words as if they mean something that they really don't just makes you hard to understand.

-- MarkusQ

Re:What people say

[room101]

But you missed my point. You act as if "off-by-one error" is some part of the english language or some sort of technical description; something to get right or wrong. It is only a figure of speech. Thus, one way of saying it isn't much more valid that any other. The only difference being that more people say it one way than the other. Both are just as expressive, it is just that one happens to conflict with a figure of speech used in business (not only technology).

The examples that you use are clear-cut cases of correct vs. wrong, this is not.

Re:What people say

[dman123]

Please stop arguing every one ! Its a mute point. ;-)

Re:What people say

[room101]

#1, just ignore it.

#2, it's moot, not mute

;-)

Re:What people say

[dman123]

And it is "everyone" instead of "every one" and "It's" instead of "Its."

I am sorry but I thought that the bold, italics, and smiley face combo made it show as an obvious attempt at humor.

Re:What people say

It's "humour".

Re:What people say

[MarkusQ]

dman123: Please stop arguing every one! Its a mute point. ;-)

*laugh* Cute.

"Moot point" is another phrase that often irks me, since so many people use it as if it meant "irrelevant" instead of (correctly) using it to mean "arguable either way."

*sigh*

-- MarkusQ

Re:What people say

[MarkusQ]

But you missed my point. You act as if "off-by-one error" is some part of the english language or some sort of technical description; something to get right or wrong. It is only a figure of speech. Thus, one way of saying it isn't much more valid that any other.

According to my dictionary (Oxford Concise English, 9th edition):

one-off adj & n made or done as the only one; not repeated. n a one-off product, event, etc.

The meaning of the phrase "off by one" follows directly from the meanings of the individual words, as given in the dictionary, but only if they are used in this order. The other five ways of ordering them ("one by off", "off one by", etc.) mean nothing.

The abstract used a compound word as if it meant something that it did not, in a context where the dictionary meaning would have been valid but implausible. I infered that they had intended to use the correct phrase (according to the dictionary) and thus, as you note, had "gotten it wrong." That was my point.

You claim that there is no right or wrong way to use the words, that it is "just a figure of speech".

I understand your point, but I dispute it. Thinking that because something is "only a figure of speech" it doesn't matter how you say it can, in many cases, lead people to miss your point. I can even think of a few figures of speech that, were you to alter them slightly, could get you slapped if you are lucky and kicked in the groin if you are not.

-- MarkusQ

Re:What people say

[jesser]

"Moot point" is another phrase that often irks me, since so many people use it as if it meant "irrelevant" instead of (correctly) using it to mean "arguable either way."

m-w.com gives both definitions. Dictionary.com's copy of American Heritage gives both definitions, followed by a usage note that says that the Usage Panel was divided roughly evenly on whether it was appropriate to use "moot" to mean "irrelevant". Several other dictionaries on dictionary.com leave out this disputed definition. My copy of The M-W Dictionary of English Usage says "this sense has become as firmly fixed in general English as it is in legal English" but does not recommend or recommend against the new use.

Re:What people say

[MarkusQ]

m-w.com gives both definitions...My copy of The M-W Dictionary of English Usage says "this sense has become as firmly fixed in general English as it is in legal English" but does not recommend or recommend against the new use.

Among my other eccentricities (I should start a list in my /. journal), I am a confirmed dictionary snob. As far as I'm concerned, Merriam-Webster is the Wallmart of dictionaries--they can be found everywhere, and are often handy, but the quality of what you get there is not always the best.

Dictionary.com's copy of American Heritage gives both definitions, followed by a usage note that says that the Usage Panel was divided roughly evenly on whether it was appropriate to use "moot" to mean "irrelevant". Several other dictionaries on dictionary.com leave out this disputed definition.

What I found was that only the American Heritage gave both definitions. While 59% of their panel favoured the questionable usage, IIRC it was a panel of (mostly) journalists critiquing a sentence about politics. This is more credible source of linguistic wisdom than sportswriters or computer programers, but only slightly.

According to the OED, the point isn't even moot.

--MarkusQ

what's wrong with sshd?

Other than the security hole that was just announced, what reasons are there for not installing sshd on the base system?

OpenSSH?

When they said OpenSSH I didn't think they were so serious...

put ssh on a nonstandard port

[eufaula]

also, to make it harder to find try running ssh on a nonstandard port. look through /etc/services and find a nice one that you arent using and run it there. or make up one. it wont solve these problems, but when there is an exploit and you are not in the position to fix it immediately, it will at least buy you a some time and a drop of protection from the scanners looking at port 22 only.

Re:put ssh on a nonstandard port

Security through obscurity does not work period!!! Best bet is to patch old man........

Re:put ssh on a nonstandard port

[snowpuppy]

Security through obscurity?

If you believe the threat is serious enough, you should turn off sshd until you are able to patch the daemon.

You won't know, and shouldn't assume, that an exploit script will be created that looks for SSH running on port 22 only. So having it run on an unknown port will really only provide you with the illusion that you have some how bought time to fix the problem.

Snowdog

Re:Sigh..

[iamsure]

But they are not listening to an externally accessible port, and thus are not REMOTELY COMPROMISABLE.

compiling for OpenBSD 2.7

I emailed one of the developers. There's an updated patch to use openssh 3.1 for Openbsd 2.7 that will be release shortly.

Full Disclosure: Site doesn't mention exploit?!?

[snowpuppy]

The OpenSSH Website does not make mention of this exploit and the need for users to upgrade.
They do mention the release of 3.1 (3/7/02), but it never says that it addresses security issues.
Although, I am much happier to see a patch than an updated website. :)

Snowdog

Idea I have about fucking yourself

As in - why don't you go do it? Fuck yourself, that is...

Re:3.1p1 doesn't compile on FreeBSD 4.2

same error compiling the SRPM under redat..

3.1 will NOT build on linux

[TheGratefulNet]

fyi:

cipher.c : 497 : structure has no member named `flags'
cipher.c : 497 : `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher.c : 497 : `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this function)
cipher.c : 498 : `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this function)

(sigh)

Re:3.1 will NOT build on linux

[Alioth]

Did you build the *portable* version (not the *BSD version?)

The portable version built cleanly and ran on both my Intel-based Linux system and my ancient MIPS-based Linux system. The *BSD version will not compile on Linux. Make sure you have the right version!

Re:3.1 will NOT build on linux

[gskouby]

Check your openssl version. You need 0.9.6

Re:3.1 will NOT build on linux

I got the same or similiar error.
./configure ran without error but when running make the errors started at:
cipher.c: In function `cipher_init':
cipher.c:200: void value not ignored as it ought to be

And ended with:
cipher.c:498: `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this function)
make: *** [cipher.o] Error 1

I updated both zlib and openssl to the required versions. I ran make clean, and then ran make again and was greeted with the same errors.

I am using gcc 2.95.3, on a 586 with the
2.4.1 kernel originally a RH 7.0 install.

Re:3.1 will NOT build on linux

[TheGratefulNet]

I AM running .9.6 (openssl-0.9.6c)

I configured pam and tcp-wrappers, if that matters.

and yes, I did use the 'portable' version and not the bsd version. still not building on linux.

Re:3.1 will NOT build on linux

Then you probably have old openssl header files somewhere and the compiler picks those up first.

Your EVP_* undeclared symbols are in fact declared in <openssl/evp.h>.

Re:3.1 will NOT build on linux

[dmiller]

How about reporting these to the developers instead of whining on a public forum.

Re:3.1 will NOT build on linux

Let me explain this to you slowly, because you're obviosly a moron with too big a mouth and too small a dick.

1) Get an error message, so go back and check that the dependencies are met.

2) Still doesn't work, check the available FAQs for answers.

3) No answers there so you ask in a public forum if this is a problem that is not addressed in the FAQ but publicly known.

4) If the problem then appears to be new or unaddressed, then you tell the developers.

These people donate their time to open projects and don't need us bothering them with known issues. I am sorry I would rather waste 5 seconds of your obviously plentiful time than 30 seconds of their's.

Re:3.1 will NOT build on linux

[dmiller]

you are wasting both

Re:3.1 will NOT build on linux

[pryan]

Yep, that was my thought, too. It built perfectly for me, and I'm running Debian testing with OpenSSL 0.9.6c.

I wish they'd bring back Red Hat 6.2 RPMS.

[emil]

This was a very strong distribution; I dislike the current requirement that I build the RPMs myself, especially for a major problem like this.

Purify vs Static Analysis

[Tom7]

Purify is a great tool. It makes writing C and C++ programs bearable to me. Unfortunately, it'd be hard pressed to find this kind of error, since you'd need to *at runtime* replicate the conditions under which it's exploited (ie, passing in an id that is out of bounds), in which case you would have pretty easily figured out that there was a bug when your program crashed! In order to get security guarantees you'd need a more thorough static analysis of the code. (In general, the problem is undecidable, so the only practical full solution is to use bounds-checked arrays when the compiler can't determine that the index is always within bounds.)

Re:Purify vs Static Analysis

partial answer: splint

Help! Redhat misery

openssh.org has links to RPMs for 3.0.2p-1.1.

Sadly, this install fails due to a requirement for openssl version 0.9.6b - which doesn't appear to be available from RH - all they have is 0.9.6-9. I realise I could build and install the latest openssl manually, but I'd rather stick with RPMs if possible.

Does anyone know why Redhat doesn't have the required openssl version? Or, even better, where one is obtainable?

Re:Help! Redhat misery

Try rpm -Uvh --force openssh-3.0.2p-1.1.rpm

Outdated, outlived socket API

I for one wouldn't have issues with regards to C if it had a decent toolkit with dynamic arrays, dynamic strings, dynamic hashes, etc. AND if the socket API would be slightly more sane, ie. connect(...), send(...), and that's it.

Re:Sigh..

[slpalmer]

I said nothing about them being remotely exploitable.

I wish they'd bring back 78rpm albums

Get with the year 2002 dude! RedHat 6.2 is DEPRECATED!!!

Somebody should tell Oracle, and many others.

[emil]

Why does RH62 improve on all preceeding and following versions? Let me count the ways...

1. It has inetd
2. It does not have some bizarre mix of 2.2/2.4 kernel components
3. It does not require two separate compilers (kgcc)
4. It does not compile the filesystem driver as a kernel module
5. It runs Oracle 8.1.7 just fine
6. It has an up2date agent that is every bit as functional as the later versions
7. It does not implement stupid firewall rules out of the box
8. It is stable

Lots of people have said that 2.2 was Linux's "sweet spot" and this revision is great for servers - the only thing it lacks is JFS and large files. I use SGI's XFS shim for RH71 for that (should try 72 one of these days).

Re:This oughtta teach you open-source folks a less

[fobbman]

Well DUH it was a troll. Where's a +1 Ironic when ya need one?

Compiling OpenSSH on Solaris

Remove the last blank line in the file version.h.

The buildpkg.sh script in contrib/solaris looks for the version number on the last line of that file and cannot find it.

I'd submit a bug but I can't seem to get on bugzilla right now.

Slackware 8.0

[bjtuna]

Has anyone gotten openssh-3.1p1 to compile and run properly on Slackware 8.0? I got it to compile (with a HELL of a lot of warnings), but when it starts up, it refuses to accept my password.

Anyone seeing anything similar?

Re:Slackware 8.0

[O2n]

You most probably forgot "--with-pam" when configuring...

Re:Slackware 8.0

[bjtuna]

Nevermind, I got it to work:

LIBS=-lcrypt ./configure --prefix=/usr \
--sysconfdir=/etc/ssh

had to put that LIBS= in there... grabbed that off the OpenSSH FAQ.

Stepwise.com has instructions for upgrading to 3.1

[dheeraj]

Apple hasn't responded as of yet (Thursday, early evening, EST), but Stepwise already has step-by-step build instructions for OpenSSH 3.1 for OS X. Pop over to this page on their site, follow the instructions, and you're good to go.

O BOB!!!

[Kirkoff]

For all the trouble we made in my computer science class in High School, that had to be the best thing to come out of it. The teacher decided that Off-by-one Errors were to be called OBOBs (think Oh Bob!) for Off By One Bug. I dunno, it just feels more personal... Maybe I should find something productive to do.

--Josh

is this even a real exploit?

[quinto2000]

I see no mention on my distribution's homepage or on the CERT advisory center's homepage.

I've never heard of PINE-CERT either. I smell something fishy.

Re:is this even a real exploit?

[slcdb]

I too was skeptical for these same reasons. Since then, however, I've looked at the patch, compared it to the affected source, and there is definitely a "one-off" bug here. How easy it would be to exploit -- I can't tell, but it looks like it would be fairly difficult.

Nevertheless I'm a bit disappointed that CERT doesn't have any information about this.

I'm VERY disappointed that the OpenSSH website has no information about this.

(OT) Spam list building in HTTP vs. FTP

[yerricde]

http://isp.example.com/~abrown/

This is hard to avoid, as is a dictionary attack against a domain's MX.

However, unlike anonymous FTP, HTTP doesn't require everybody who pulls a file to give a well-formed e-mail address in the password field. (Valid addresses are a proper subset of well-formed addresses.) In the early days of the web, building spam lists of this type was very common: a spammer building a list would put up a web page that contained an IMG tag that linked to a 1x1 pixel clear image on an FTP site, and spammers would just run a noddy awk script on the FTP logs to get candidate addresses that were somewhat likely to be valid. I've set my anonymous FTP password to anonymous_coward@slashdot.org, which I also use when installing RealPlayer.

Re:(OT) Spam list building in HTTP vs. FTP

I prefer to use hotline@mpaa.org, the MPAA's piracy reporting hotline. Maybe they get a bit more junk in their inbox...ah, well. Too bad.

Do not use SML

Okay, this is going to be a rant, because I really, really don't like SML/NJ.

The shell for SML/NJ that I used (unfortunately, at Carnegie Mellon, you end up taking entire classes in the utterly useless SML) was awful. I mean, there was no *readline* support. There are high schoolers who have written better Scheme environments. Oh, yes, and SML/NJ prints out the most useless error messages I've ever seen.

Ocaml is no better. I know an ML fan, and even he hates using the Ocaml compiler be of the completely inaccurate error reporting, usually tens of lines below where the syntax error occurred.

Finally, unless you're comfortable with writing non-trivial programs in Lisp or another functional language, you will hate SML. Everyone in our class went through the thing with distaste and promptly got back into C or Java or anything but a functional language as soon as they got out. Lisp is nice for my emacs config files, and I want it to stay there. Outside of that, functional languages can stay away.

Finally, SML has really really *really* insanely strong typing. To the point of not being useful, even. When I type an int in, I want the goddamn compiler to convert it to a float implicitly if it needs to. SML doesn't have the capability of doing anything like that. SML was designed by academics, for academics. It's cute for research, really neat if you're into programming language or compiler design because it allows doing optimization proofs easily, but utterly useless when it comes to writing real-world software.

The very few people that use ML for actual programming don't even consider SML. They use ocaml.

That said, if you're interested in programming language design, are a grad student or academic in the field, and don't mind awful error reporting, you'll probably be quite happy with this program.

For everyone else, the lines of code reduction that Tom7 was boasting about can be accomplished just as easily by using Java (which has *the* best set of built in libraries) or something else a bit more conventional.

But SSHD *is doing* bounds checking!

[Tom7]

Um...

Guess what? The SSHD is doing its own bounds checking already.

I think before you say stuff like this, you should check out the performance of a modern safe language that's compiled (not JIT or VM). I recommend O'Caml for starters. They are quite fast!

Re:But SSHD *is doing* bounds checking!

[3247]

Guess what? The SSHD is doing its own bounds checking already.

Yeah, and the hole is an error in doing it manually instead of leaving it to the compiler...

Re:But SSHD *is doing* bounds checking!

[Tom7]

Guess what? The SSHD is doing its own bounds checking already.

Yeah, and the hole is an error in doing it manually instead of leaving it to the compiler...

Exactly.

Advice from a frustrated sysadmin...

[doughmein_dot_net]

As an OpenBSD serveradmin running a number of co-located webservers, I can offer this advice:

Do not install OpenSSH 3.1 over OpenBSD 2.8 unless you desire intense pain, punishment, or peril.

I tried this, and immediately ran into error messages since my OpenSSL library was out of date. (OpenBSD 2.8 ships with OpenSSL 0.9.5a by default) Once I got a new version of OpenSSL built and installed, I tried to compile OpenSSH 3.1 again, but the end result would not allow password interactive logins for some odd reason. I spent a few hours working on this issue, which put some of my paying customers in a tough position as they were unable to access the server through SSH.

I finally gave up on the 3.1 release, and found the security patch for OpenSSH 3.0.2 issued by the kind folks at pine.nl (thank you!), which, when recompiled, worked flawlessly.

The only clue that I had as to the OpenSSL library version dependency was one short, obscure mail message on the openssl-unix-dev mailing list, at this URL:

http://marc.theaimsgroup.com/?l=openssh-unix-dev &m =101473993002531&w=2

This is another example of some of the frustrating aspects of OpenBSD and the way it is maintained. This OS is well-written in general, but the documentation and help text for server admins is quite lacking. Nowhere on the OpenSSH webpage was there any mention of a version incompatibility with OpenBSD 2.8's default OpenSSL installation. Nowhere on the OpenBSD pages is there a quick, easy, simple set of steps that one can take to update just one's local source tree to the current version of OpenSSL as approved by the OpenBSD team.

(Yes, I know there are man-pages for CVS. I don't care to take the time to learn the entire set of command-line options, and in situations like this, it is far more useful to get clear, simple and relevant instructions for how to fix the latest hole before some script kiddie beats me to the punch and "0wnz" my server.)

I would also caution Slashdot readers not to automatically assume that OpenBSD is "secure by default" just because the development team says so. Smart server administrators will quickly realize that a number of things need to be closed up after the default install. However, this is still *BY FAR* more secure than other OS's, which is why I will continue to run OpenBSD. For now.

Regards,
support at doughmein dot net

Upgrading your RH 6.2

[martial]

(lines preceeded by ">" are command prompt lines)

Get the latest source rpm for openssl (I used : openssl-0.9.6-3.src.rpm). It can be obtained from rpmfind.net
Get the latest source rpm for openssh (3.1p1 ;) )

as root, do :
> rpm --rebuilbd openssl-0.9.6-3.src.rpm
and let the system build

> cd /usr/src/redhat/RPMS/i386
> rpm -Uvh --nodeps openssl-*
the nodeps is because two files called
"/usr/lib/libcrypto.so.0" and "/usr/lib/libssl.so.0" (not owned by any
RPMs) need to be properly relinked.

In order to do so, please do :
> rm -f /usr/lib/libcrypto.so.0
> rm -f /usr/lib/libssl.so.0
> ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0
> ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0
note that until you do the next line, you can not use "ssh"
anymore (mismatch between the openssl version used by the previous
openssh installation). Now to upgrade to the latest version of openssh

> rpm -Uvh openssh-*
note that files called "/etc/ssh/ssh_config.rpmnew" as well as
"/etc/ssh/sshd_config.rpmnew" will be created. They are the default
configuration files and will not replace your modified configuration
files

Hope this helps ;)

Re:Upgrading your RH 6.2

[martial]

Of course I forgot to add that between :
> ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0
and
> rpm -Uvh openssh-*

you have to do :
> rpm --rebuild openssh-3.1p1.src.rpm
let it run
> cd /usr/src/redhat/RPMS/i386

(sorry)

Re:Upgrading your RH 6.2

[Siva]

i obtained openssl-0.9.6b-8.src.rpm from the redhat 7.2 SRPMS archive. in order to get around the stupid libcrypt.so.0/libssl.so.0 problem, i modified the spec file slightly. everything seemed to build and install correctly. here is a patch:

--- openssl.spec.orig Fri Mar 8 10:52:52 2002
+++ openssl.spec Fri Mar 8 13:14:03 2002
@@ -3,7 +3,7 @@
Summary: The OpenSSL toolkit.
Name: openssl
Version: 0.9.6b
-Release: 8
+Release: 8.1
Source: openssl-engine-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
@@ -30,6 +30,7 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildPreReq: perl, sed
Requires: mktemp
+Provides: libcrypto.so.0, libssl.so.0

%define solibbase %(echo %version | sed 's/[[:alpha:]]//g')

@@ -219,11 +220,21 @@
%attr(0644,root,root) %{_mandir}/man1*/*.pl*
%{_datadir}/ssl/misc/*.pl

-%post -p /sbin/ldconfig
+%post
+rm -f /usr/lib/libcrypto.so.0
+rm -f /usr/lib/libssl.so.0
+ln -s libcrypto.so.0.9.6b /lib/libcrypto.so.0
+ln -s libssl.so.0.9.6b /lib/libssl.so.0
+/sbin/ldconfig

-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig

%changelog
+* Fri Mar 8 2002 James Blanding 0.9.6b-8.1
+- Provide libcrypto.so.0 and libssl.so.0 for backwards compatability
+ with RedHat 6.2 openssl RPMs
+
* Fri Sep 7 2001 Nalin Dahyabhai 0.9.6b-8
- disable the RNG in the ubsec engine driver

source tarball signer's PGP key?

[davie]

I really like to verify signatures on packages and tarballs when available, especially for tools like SSH. I've looked all over the place (including a couple public key servers) and haven't been able to find the signer's public key. Any ideas where it might be hiding?

off-by-one ssh web browser?

[jugg]

http://www.offbyone.com/

Is it just me or is the release of this browser under the name "off by one" with openssh support seem a little fishy to anyone?

run with libsafe...

[runswithd6s]

Related, but not directly. To protect from "stack smashing" techniques (buffer overflows), run your glibc apps with libsafe. It should detect, stomp out (i.e. abort()) and email you about overflow and out-of-bounds conditions by simply adding its path to the /etc/ld.so.preload file.

But at least....

[gruntvald]

.... with OBSD you get to deal with that donut of delight, Theo. Of course, when I wanted to utilize OBSD in the enterprise, I couldn't - I was asked - "who is the support team" - and I had to post a sample from the obsd-misc mailing list. Ah well, you can't say I didn't try.

Do you audit your copy of the source code as well?

[Walles]

Unless you audit the version of the source code you have just downloaded, how is this better than installing binaries?

Surely, what the source says must be a lot more important than who compiled it?

//Johan

if you liked that one...

[pinkUZI]

I have plenty more. How about:

Semi Secure Shell

GNU lsh

This might be a time to look at the GNU replacement for SSH, lsh. It is completely 100% protocol compatible but a separate implementation so the configuration looks somewhat different. OpenSSH has a history of being somewhat a hack for a very old and broken version of the commercial SSH. lsh has a cleaner design.

Re:ugh qmail

[thing12]

I used qmail for a couple years after prying myself away from sendmail because I wanted maildir. I love maildir - when you have mbox files that are over a gig, you'll love maildir too - but it's the only part of qmail that's worth a damn. Honestly, qmail is the most complicated software product I've ever worked with. There's no centralized configuration, it uses environment variables and 'list files' - meaning that rather than a section in a config file, qmail has a directory with multiple files inside it, each file has an attribute or a list of attributes. Sure it makes writing shell scripts to manage everything a little easier -- but you *have* to write the shell scripts, because there's way too much to remember if you don't. Administering qmail is no better than administering sendmail.

My MTA of choice these days is Courier, it's written by Sam Varshavchik (aka Mr. Sam) who at one point seemed to be a disciple of DJB, having written gobs of other software that goes with qmail maildirs. Courier is a complete mail server, not just a sendmail replacement. Built in POP3/IMAP both supporting SSL/TLS. Web and/or standard config file based administration. Supports LDAP, PgSQL, and MySQL for authentication. Mail Filtering, List management, and even a webmail server. Even group calendaring. Who needs anything else? It's all integrated so there's no obscure set of howto's to search for when you want to get an imap server or an LDAP authentication service running. Oh and it's GPL'd... something you can't even begin to say about DJB's bizzare pseudo-opensource license. It's had a quarter of a million downloads off SourceForge, that's gotta say something.

Re:Sigh..

[73]

>I said nothing about them being remotely exploitable.

Then, do you have a point?

Re:Sigh..

[slpalmer]

>I said nothing about them being remotely exploitable.
Then, do you have a point?

Yes, I do.
The point was someone (http://slashdot.org/comments.pl?sid=29123&thresho ld=1&commentsort=3&tid=128&mode=nested&cid=3124953 ) had stated that telnetd, named, and sendmail were not in the default install of OpenBSD. I corrected that statement by saying that they were in fact in the default install. Neither of us said anything about whether or not they were remotely exploitable.

Stephen L. Palmer

Put ssh in jail?

[Shanep]

Does OpenBSD support FreeBSD's jail feature?

Could ssh be run in jail to minimize an exploit?