Slashdot Mirror


OpenSSH Local Root Hole

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though its a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."

14 of 490 comments

  1. There goes OpenBSDs slogan... by psychofox · · Score: 1, Funny

    I take it that their slogan "Four years without a remote hole in the default install!" will not be changed to "Five years without a remote hole in the default install!" then?

    Shame...

    1. Re:There goes OpenBSDs slogan... by Chundra · · Score: 4, Funny

      Ummmm, RTFP!

      They aren't ruling out the possibility of a remote exploit.

    2. Re:There goes OpenBSDs slogan... by Chundra · · Score: 2, Funny

      Everyone knows that to iterative over an array of n elements, you do this: for(i = 0; i arraySize) { error(); } else { ... }

      Reeeeeeeeeeally? In what language?

      How can someone like you have the nerve to criticize the OpenSSH guys?! Missing '<' and '>' in such a critical spot! Jeez! It might be a common error to make, but I would think people trying to illustrate the incompetence of a talented security software coder making a minor mistake would constantly be thinking to themselves about the consequences of these kinds of trivial syntactic errors. It's also a real bonehead mistake. Everyone knows that you use & lt ; and & gt ; in HTML to get the '<' and '>' symbols. I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I use '<' or '>' to illustrate how stupid someone else is (when they're trying to illustrate how stupid someone else is) I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece like this. How completely, and totally embarrassing for you, Briosa.

  2. I can't wait for djbssh by Russ+Nelson · · Score: 5, Funny

    I can't wait for the Daniel J. Bernstein version of ssh.
    -russ

    --
    Don't piss off The Angry Economist

    1. Re:I can't wait for djbssh by Anonymous Coward · · Score: 5, Funny

      you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

    2. Re:I can't wait for djbssh by biot · · Score: 4, Funny

      It would be incompatible with the rest of the world's ssh implementations, of course, but I guess he'd write a DJB-RFC to take care of that.

  3. Re:Full disclosure = annoying. by Sarin · · Score: 5, Funny

    Nah they don't.;) But I'm working on exploit code as we speak.

  4. Yay! by Anonymous Coward · · Score: 1, Funny

    2002-03-07 11:39:40 Server version: SSH-2.0-OpenSSH_3.0.2p1

    Good night everybody!

  5. Re:smallest possible patch by ghjm · · Score: 3, Funny

    When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that C is the right language to do coding in?
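An added illustration of the bug class the comment above refers to, a bounds comparison that is missing its '='. This is constructed example code, not OpenSSH's; the table, its size and the function names are made up for the demonstration.

```c
#include <stdio.h>

/* Constructed table indexed by a caller-supplied id (not OpenSSH's code). */
#define TABLE_SIZE 4
static const char *table[TABLE_SIZE] = { "slot0", "slot1", "slot2", "slot3" };

/* Off-by-one check: '>' lets id == size through, one past the end. */
static int id_is_valid_buggy(int id, int size)
{
    if (id < 0 || id > size)
        return 0;
    return 1;
}

/* Corrected check: the last valid index is size - 1, so use '>='. */
static int id_is_valid_fixed(int id, int size)
{
    if (id < 0 || id >= size)
        return 0;
    return 1;
}

/* Lookup built on the corrected check; NULL means the id was rejected. */
static const char *lookup(int id)
{
    if (!id_is_valid_fixed(id, TABLE_SIZE))
        return NULL;
    return table[id];
}

/* Number of ids in [lo, hi] a checker accepts; a boundary regression
 * test compares this with the number of real slots. */
static int count_accepted(int (*check)(int, int), int lo, int hi, int size)
{
    int n = 0;
    for (int id = lo; id <= hi; id++)
        if (check(id, size))
            n++;
    return n;
}

int main(void)
{
    printf("buggy check accepts %d ids, fixed check accepts %d, table has %d slots\n",
           count_accepted(id_is_valid_buggy, -1, TABLE_SIZE, TABLE_SIZE),
           count_accepted(id_is_valid_fixed, -1, TABLE_SIZE, TABLE_SIZE),
           TABLE_SIZE);
    return 0;
}
```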

  6. There are some reasons to use C for a project by MrFredBloggs · · Score: 2, Funny

    Phew! Thought I'd wasted the last 5 years of my professional life using the wrong language!

  7. Visual Basic by wiredog · · Score: 5, Funny

    Has all the features any Modern Programmer could want. And it has the Highly Secure .net framework built in. What more could you want?

  8. Re:Commercial SSH by Anonymous Coward · · Score: 1, Funny

    No
    Professional software engineers wouldn't make such mistakes.

  9. Re:OpenSSH site already updated? by BlowCat · · Score: 5, Funny

    Good thing that it's not a remote root exploit. Otherwise www.openbsd.org would now read:

    Four days without a remote hole in the default install!

    Not sure if OpenSSH is enabled by default though.

  10. OpenSSH? by Anonymous Coward · · Score: 2, Funny

    When they said OpenSSH I didn't think they were so serious...