Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Local Root Hole

Posted by michael on from the say-it-ain't-so dept.

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though its a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."

4 of 490 comments (clear)

  1. Re:Please stop writing network apps in C! by MartinG · · Score: 5, Insightful

    How did it cope with 18,000 simultaneous connections? Did you use mmap(), sendfile() and friends on linux to get the best performance possible? How did the xfer rates compare?

    BTW, 24,000 lines is a hell of a lot. If you want to compare like for like, have a look at vsftpd by Chris Evans. It's written entirely in c. Have a read of the source - it's quite interesting how it has been done. I would be surprised if you could find a buffer overflow.

    I actually do agree with your points mostly, but I would say "Don't use c for network apps unless you have a good reason to" and also "don't use c for network apps unless you _really_ know the hazards"

    In some ways SSH is a special case anyway. It has all the intensive maths stuff to do for the session key generation etc. Not a good idea to code that in (eg.) perl imo.

    BTW, out of interest, what is your "favorite modern language" ??

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  2. Re:Please stop writing network apps in C! by coyul · · Score: 5, Insightful

    Did you even look at the patch?

    --- channels_old.c Mon Mar 4 02:07:06 2002
    +++ channels.c Mon Mar 4 02:07:16 2002
    @@ -151,7 +151,7 @@
    channel_lookup(int id)
    {
    Channel *c;
    - if (id < 0 || id > channels_alloc) {
    + if (id < 0 || id >= channels_alloc) {
    log("channel_lookup: %d: bad id", id);
    return NULL;
    }

    You want to explain to me how any "modern safe language" is going to stop me from saying 'greater-than', when I really mean 'greater-than-or-equal-to'?

  3. Isn't this a bit dodgey? by SomethingOrOther · · Score: 5, Insightful

    Errrrrm
    Isn't it a bit dogey just grabbing and installing a binary (rpm) from an untrusted source (ie you) for security software like SSH ?

    I'll get my source code from a reputable mirror and compile it myself thanks.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  4. Exploiting scenario by pmf · · Score: 5, Insightful

    After analysis, I can say, that this vulnerability is 4 bytes heap overflow, VERY hard to exploit. Problably only Linux will be affected, because Doug Lea's malloc() depends on control structures located just after malloced buffer.