Slashdot Mirror


OpenSSH Local Root Hole

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though it's a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out a remote exploit. Recommending patching and upgrading ASAP."

4 of 490 comments

  1. Full disclosure = annoying. by Vincepb · Score: 0, Flamebait

    Yay!
    Now we get another bunch of worms scanning the whole net for vulnerable boxes so they can make DDoS nets!
    Thank god for full disclosure!

    *gags*

    Vince.

    --

    I need a sig.
  2. Re:smallest possible patch by paitre · Score: 0, Flamebait

    As has been stated several times already, this SAME error can occur in any language, with the same effect.
    Grow up. There are millions of lines of C, and they aren't going to go away just because you don't "like" the one language that allows a programmer to do just about anything with their computers.

    I'll say this: the average CS student that I've had to deal with lately doesn't comprehend even the -BASICS- of memory management (Java does that for me...)
    Fuck off, and learn how to fucking program CORRECTLY, then use a language that lets you be lazy.
    Cocksucking assholes.

  3. How embarrassing for them... by pclminion · Score: 1, Flamebait
    How can something like this make its way into OpenSSH?! Off-by-one? It might be a common error to make, but I would think that people writing security software would constantly be thinking to themselves about the consequences of these kinds of errors.

    It's also a real bonehead mistake. Everyone knows that to iterate over an array of n elements, you do this:

    for(i = 0; i < n; i++) { ... }

    And everyone should also know that the array indices for an array with n elements range from 0 to n - 1. The actual mistake was something like this:

    if(idx < 0 || idx > arraySize) { error(); } else { ... }

    I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I loop over arrays I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece of security software. How completely embarrassing.
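
    An added illustration of the check pattern quoted above; this is not part of pclminion's comment and not OpenSSH code. It uses a constructed four-slot table with one extra slot standing in for whatever sits in memory right after the array, and runs the same lookup through the quoted `>` check and the corrected `>=` check so the one index that slips through is visible.

```c
#include <stdio.h>

/* Constructed demo table: TABLE_SIZE valid slots, plus one extra slot that
 * plays the role of the neighbouring memory just past the array. Keeping it
 * inside the allocation lets the demo show the overrun without undefined
 * behaviour. */
#define TABLE_SIZE 4
static int table[TABLE_SIZE + 1] = { 10, 20, 30, 40, /* neighbour: */ 999 };

/* The check as quoted in the comment: rejects idx < 0 and idx > size,
 * so idx == size is accepted even though the last valid index is size-1. */
int index_ok_buggy(int idx, int size) {
    return !(idx < 0 || idx > size);
}

/* Corrected check: valid indices are exactly 0 .. size-1. */
int index_ok_fixed(int idx, int size) {
    return !(idx < 0 || idx >= size);
}

/* Look up table[idx] after running the supplied bounds check.
 * Returns -1 when the index is rejected. */
static int lookup(int idx, int (*ok)(int, int)) {
    if (!ok(idx, TABLE_SIZE))
        return -1;
    /* With the buggy check, idx == TABLE_SIZE reaches the neighbour slot. */
    return table[idx];
}

int lookup_buggy(int idx) { return lookup(idx, index_ok_buggy); }
int lookup_fixed(int idx) { return lookup(idx, index_ok_fixed); }

int main(void) {
    /* Walk one step below and one step above the valid range. */
    for (int idx = -1; idx <= TABLE_SIZE; idx++)
        printf("idx %2d: buggy check -> %4d, fixed check -> %4d\n",
               idx, lookup_buggy(idx), lookup_fixed(idx));
    return 0;
}
```

    Only idx == 4 differs between the two columns: the quoted check hands back the neighbour value 999, the corrected check rejects it.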

  4. Re:Performance of network software by lkaos · Score: 0, Flamebait

    This entire thread has absolutely made me sick. It reminds me of the folks who cry that an OS should be written in a BASIC dialect or in Java (or even C++ for that matter).

    High Level languages (it's silly to refer to them as "modern languages") all suffer from one fundamental problem. They do not allow sufficient control over program behavior to make the kind of assurances that high-performance applications need to make. OpenSSH rocks and it could not be rewritten in Java or some other silly language.

    These languages are good for simple programs or assembly line programs where performance is not really an issue. Java and other interpreted languages require huge memory overheads and are only as stable as the underlying VM.

    Do not kid yourself that Java isn't exploitable. Especially with the J2EE package that encourages network transparency. Anytime you communicate over a network you undertake considerable risk.

    BTW: This hole is very unlikely to be a rootable exploit. Off-by-one errors will likely cause only a SEGV or perhaps undefined behaviors. It is not like buffer overflows as it is not easy to insert arbitrary code.

    Remember too that OpenSSH is open source whereas the Java Runtime library isn't. Give me a week with the source to Java and I guarantee I can find you a bunch of remote exploits. Open Source software often gets held to much higher standards than traditional software simply because there is no way to cover up all the little holes.

    And you may think you're an expert since you wrote an FTPD, but is it as capable as wu-ftpd? Just because you can serve a file as quickly doesn't mean that it comes anywhere close to handling all the features that wu-ftpd does. Sit down and try to write tens of thousands of lines in a so-called "modern language" and you'll be back to C.

    --
    int func(int a);
    func((b += 3, b));