New ssh Exploit in the Wild

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

Uh oh

Best patch and upgr..&*[NO CARRIER]

deceit

[Tirel]

Only one remote hole in the default install, in more than 7 years!

Oops!

Given that the default install has ssh turned on, will they change it to "two remote holes" ?

How much do you want to bet they'll just sweep it under the carpet and hope people forget? If you follow misc@ carefully you have probably seen it done before. Lets make some noise and force Theo to finally update that!

Re:deceit

[Basje]

It doesn't say in the last x years. But I do agree with you that it's misleading.

Re:deceit

[The+Ogre]

Given that this bug appears to be *unexploitable* in OpenBSD, no, I suspect they will *not* change that claim. The hole is only an issue if you you're running OpenSSH on a slightly less secure OS, apparently. Huh, whooda thunk it?

Re:deceit

[Overly+Critical+Guy]

Follow my sig and you'll be alerted to all the holes and vulnerabilities in Linux and its apps.

Re:deceit

[Tirel]

Is it? I've successfully exploited my sshd (thank God for easy filtering with PF!)

# dmesg | head -n2
OpenBSD 3.4-current (GENERIC) #62: Tue Sep 12 22:49:18 MDT 2003
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/co mpile/GENERIC

Re:deceit

[agby]

They changed it from 0 to 1 when the last SSH vuln was disclosed. I see no reason that thye wouldn't do it this time. However, it's not afflicting OperBSD anyways...

And as comparison, how many patches do windows users normally need to install over the 'default install' to get it secure and close every hole in the default setup? Methinks slightly more than 1 or 2...

Re:deceit

[danormsby]

Ssh, don't tell anyone.

Re:deceit

[Bull999999]

When did they start putting mySQL in the Linux kernel?

Re:deceit

What part of "apps" didn't you understand?

Re:deceit

There are holes and vulnerabilites in all software. Nobody argues that. But in 5 years of using Linux, I've never had to deal with anything on the scale of Blaster, SoBig, Code Red etc. etc. etc.

Get some perspective, and get that chip off your shoulder. You sound like a mardy child. Putting tantrumish links in your sig? Get a life...

Re:deceit

[Bull999999]

So you are saying that mysql is a Linux "app" even though it runs on Linux, BSD, UNIX, and Windows?

Re:deceit

Liar? And if not 3.4 stills beta (read for non production environments)

Re:deceit

[phliar]

This is a bug, not an exploit. There is no known exploit of this bug on OpenBSD. The message on the [Full-Disclosure] list only describes a Denial of Service attack -- flooding the target machines with connections is not ssh's problem.

Besides, what have they "swept under the carpet"? What do you mean "you have probably"?Just because you seem to have something personal with Theo going on, we're supposed to take your word for this "deceit"?

Re:deceit

Amazing how a newsworthy point about a ssh bug becomes an attack on an entire operating system and/or person.

"Given that the default install has ssh turned on, will they change it to "two remote holes" ?"

Yes, if they confirm the exploit. They've changed this notice in the past. It went from 0 to 1.

"Lets make some noise and force Theo to finally update that!"

Why? Just to piss off the developers? The openssh code is open and subject to review by anyone.

I think since you didn't catch this bug, we should all be asses and target you for harrassment.

"If you follow misc@ carefully you have probably seen it done before."

Bullshit. If you follow misc@, most of the exploits discussed hit previous unpatched versions of OpenBSD. The point of OBSD is to catch bugs and bad code ahead of time; it undergoes near constant review.

A lot of folks want OBSD to add to this count stuff OBSD noticed may have been exploitable, then patched it anyways, frequently weeks or months or years ahead of a known exploit. When the known exploit comes out, they point to the OBSD version 6 months ago.

Exploits are counted that can violate current, stable systems, not OBSD 2.8.

This is like blaming MS for the exploit that allowed slammer to spread; if people patched their systems when they were supposed to, they wouldn't have been inconvenienced. OTOH, MS should have caught the bug ahead of time.

I feel OBSD falls into the latter category, not the former. They are more than likely ahead of the game. Given what I've seen of security reports on Linux and FreeBSD over the past 2 years, OBSD tends to play catchup in coming up with fixes. Rather, they tend to fight the tide that their "policy" in reporting exploits is wrong.

Oddly, I think that is more a testament to them doing things right as opposed to your attitude that they are being purposefully deceitful.

Re:deceit

So you are saying that mysql is a Linux "app" even though it runs on Linux, BSD, UNIX, and Windows?

The definition of a "Linux app" is an application that runs on linux, so yes.

Re:deceit

[JAgostoni]

I would say there is a difference between a "Linux App" and an app the runs on Linux. That being that the former is inteded to "brand" that app with Linux with the hope of associating the apps success or failures with Linux. The later, perhaps, not banking on that association.

Re:deceit

Is it? I've successfully exploited my sshd (thank God for easy filtering with PF!)

# dmesg | head -n2
OpenBSD 3.4-current (GENERIC) #62: Tue Sep 12 22:49:18 MDT 2003
deraadt@i386.openbsd.org:/usr/src/sys/arch/i 386/co mpile/GENERIC

Lets see some exploit code then monkey.

Re:deceit

[Bull999999]

Since you can run Linux on top of Windows, that'll make all Linux "apps" Windows apps, too?

Re:deceit

I tried exploiting my sshd, and it failed repeatedly. I'm even running Gentoo...
...with grsec.
One of these days grsec will fail me, and then my priv-sep'ed chroot jail will be at the mercy of a script kiddie. ;)

Re:deceit

[AKnightCowboy]

How much do you want to bet they'll just sweep it under the carpet and hope people forget? If you follow misc@ carefully you have probably seen it done before. Lets make some noise and force Theo to finally update that!

Well this is a striking blow against the open source movement IMHO. One OpenSSH exploit is devasting, two OpenSSH exploits makes me want to consider going back to F-Secure SSHD. Very very sad situation when the source code is available for all to see and exploit.

Re:deceit

[mkldev]

Having read the FreeBSD info on this bug, it looks like it isn't possible to exploit it, period.

OpenSSH refuses to allocate a buffer over a certain size, but doesn't set the buffer size value back to its previous value. When this occurs, OpenSSH immediately calls fatal() to clean up and exit. The connection is closed, and the buffer is not reused.

The problem is that the cleanup code will, in some cases, attempt to zero the block at the larger size, resulting in OpenSSH crashing.

Because no data other than zeroes is every written to this buffer after the failed allocation (unless the FreeBSD folks missed something), this bug cannot be exploited except as a denial-of-service attack unless combined with some other exploit that allowed you to overwrite the exception handling vectors and add arbitrary code (in which case, there are probably much easier ways to perform the exploit).

Re:deceit

[saskwach]

Oh come on. That said 0 remote holes in whatever until the first ssh hole came out. I'm sure they'll update their web site when they get around to it, it's been a long day. Seriously, this group of people has amazing integrity and make arguably the most secure os capable of opening a tcp connection. It's not like any distro of linux can claim exactly "two remote holes" in as long as they've existed. Microsoft certainly can't. Why is this not modded as flamebait?

Re:deceit

[HidingMyName]

Given the amount of effort that people expend on trying to break systems these days, Theo's record is quite good. It is really unfair to characterize Theo and the OpenBSD community as a bunch of stonewalling liars who won't disclose vulnerabilities and fix them. On the contrary they are exceptionally thorough and proactive in their approach to reliability and security. The last time such an exploit was found they did not hesitate to update the page.

Perhaps you'd like to disclose which O/S you run and tell us how many vulnerabilities it has had over a similar time frame?

Re:deceit

[uberdood]

The truly sad thing is some IDIOT MODERATOR modded you up for spreading quite false FUD.

Theo doesn't sweep security under the carpet. He's quite open about the bugs. Which you would know if you actually read misc@.

And this crap about "probably seen it done before"? Please link to an example in the readily available OpenBSD misc@ archives. Oh? What's that? You say the archives have been edited? Are the black silent helicopters following you around everywhere too?

Re:deceit

[rifter]

I would say there is a difference between a "Linux App" and an app the runs on Linux. That being that the former is inteded to "brand" that app with Linux with the hope of associating the apps success or failures with Linux. The later, perhaps, not banking on that association.

By that definition, MySQL would qualify as a LInux app. After all it is what Slashdot uses, eh?

Re:deceit

[rifter]

This is like blaming MS for the exploit that allowed slammer to spread; if people patched their systems when they were supposed to, they wouldn't have been inconvenienced. OTOH, MS should have caught the bug ahead of time.

No, it is not. The full statement is "x remote root exploits in the default install in y years." In order for X to be incremented, an exploit has to be available for the currently shipping version of OpenBSD. This supposedly happened once and it was updated. If this exploit were affecting the currently shipping OpenBSD, and were a remote root exploit, it would be fair to update it.

It is possible that the sshd on OpenBSD 3.3, being version 2.6, is exploitable, but if it were no one has proven it. No one has come up with a root exploit based on this ssh flaw either, on ANY platform. It is likely that this flaw is fixed on OpenBSD3.3 but I would update just the same.

Nevertheless, until this flaw yields a remote root exploit and is proven to work on sshd as run on OpenBSD 3.3 Theo would be correct in not changing the statement. After all why lie?

Re:deceit

uh oh, you called michael an idiot.. is that angry farting noises i hear in the background?

Hooray!

[TheQuantumShift]

New manifestations of Job Security for us techs!

Re:Hooray!

Gee, you're just like the MCSEs who have had job security for years by the same method. I guess Linux has reached the big time.

Re:Hooray!

[packeteer]

As much as a security tech doesn't want to see vulnerabilities happen they cant be totally against the fact that they exist. Its similar to how border guards dont want to see drugs in the country but without the drugs coming in they lose a job. I dont think either drugs or computer vulnerabilities are ever going to stop so why dont we just all work against these problems.

See this comment for BSD patch and info

[setzman]

http://slashdot.org/comments.pl?sid=78698&cid=6974 742

Re:See this comment for BSD patch and info

[ChiefArcher]

I just made RH9/8/7.3 RPMS
since RH hasn't released any yet...
it's backported from the 9.0 update ssh SRPM.

my bandwidth is VERY limited... so AIM ME at "Swell500" and i'll send ya a link to grab them until RH releases official patches.

ChiefArcher

Re:See this comment for BSD patch and info

[Kingpin]

Your intentions are probably noble, but why should I trust you? Would you trust "you"?

Re:See this comment for BSD patch and info

[NateTech]

Yeah right... we're all going to install binaries from some jackass we only have an AIM account for.

What are you, new?

Re: See this comment for BSD patch and info

[Black+Parrot]

> I just made RH9/8/7.3 RPMS since RH hasn't released any yet...

You can get RH9 RPMs from a mirror at http://www.openssh.com/portable.html, and presumably kits for other non-BSD systems as well. They don't have RPMs for older RH out (at least not on the mirror I looked at), but they do have the SRPMs if you want to build your own.

Re:See this comment for BSD patch and info

[corz]

This is going to probably cost me a lot of money in bandwidth charges... but what the hell.

I've packaged up rpm's (minus the x11-askpass stuff) for Red Hat 7.2 and 7.3. You can download the packages at http://projects.standblue.net/rpms/openssh/3.7p1/

Re:See this comment for BSD patch and info

[1010011010]

Here's a (T1-hosted, be nice) mirror of his packages: http://www.flyingbuttmonkeys.com/ssh/

Please take only the package you need.

Re:See this comment for BSD patch and info

[PinkFluid]

The buffer->alloc field is not accessed in xrealloc() or in fatal() so I don't see how this patch fixes anything? Either this is not the correct fix or the bug is vapour. I still have to find evidence of an exploit or at least some reference to where the affected code could be... or maybe I'm just missing something - can somebody with more low-level ssh knowledge enlighten me?

Re:See this comment for BSD patch and info

[jerryasher]

In patching my systems this morning, and upon reading the sketchy details of the exploit, I am moderately surprised to find that openssh has no method for throttling and shutting down repeated failing attempts for connection.

There is a MaxStartups parameter that sets the number of concurrent ssh sessions, but nothing that says anything like, only allow 3 unsuccessful connections per IP per hour, after an unsuccessful connection delay an open on that IP for 30 seconds, and stuff like that.

What are the best tools on a modern linux distribution to create such a facility?

Re:See this comment for BSD patch and info

Whoa there!!!

Would someone please post the MD5 sum for openssh-3.7p1.tar.gz?

None of these mirrors are worth the time if we can't authenticate what we're downloading somehow ...

Re:See this comment for BSD patch and info

Wow... so much bitter ingratitude. I was going to tell you about this Nigerian millionaire who wants to give you his money... but with that kind of attitude, I'm keeping it all!

Re:See this comment for BSD patch and info

[jmo_jon]

Red Hat has released an upgrade here

Re:See this comment for BSD patch and info

[Jahf]

don't you automatically trust flyingbuttmonkeys.com?

Re:See this comment for BSD patch and info

[hysma]

Just got my RHN update letting me down I can download the fix. Looks like any other subscribers can automatically patch up their systems, and those non-subscribers can enjoy try their best at RH's FTP servers. While you beat RH for a few hours, looks like they caught up :)

Re:See this comment for BSD patch and info

[Grayraven]

I think the iptables limit module could do this. See the HOWTO.

Re:See this comment for BSD patch and info

What are the best tools on a modern linux distribution to create such a facility?

Try iptables.

You can limit connection rates, etc. (and the firewall is the right place to do that sort of stuff)

Re:See this comment for BSD patch and info

[MonkeyBoy]

Of course! If you can't trust monkeys, who can you trust?

Re:See this comment for BSD patch and info

So what? There are RPMS on the OpenSSH mirror sites released by the portable OpenSSH developers and signed with the same key as the release. Why should we use yours?

Re:See this comment for BSD patch and info

[jmorris42]

Damned straight I do. I remember them getting a C&D from Digital Convergence over the CueCat: fiasco. Sounds like good enough hacker ethics for me. But I just d/led the SRPM via RHN. I'm payin' em for the bandwidth might as well use it.

Re:See this comment for BSD patch and info

[1010011010]

Heh. Thanks for the vote of confidence. :)

Only 12 downloads of openssh packages, so far.

Re:See this comment for BSD patch and info

[corz]

I've updated the site for the 3.7.1 update:

http://projects.standblue.net/rpms/openssh/3.7p1 /

Poor Theo....

[djhankb]

at least it's out in the open...

-H

interesting comment on how to stop it...

[garcia]

"upgrade" to GNU lsh or block SSH from everyone except known hosts (the VPN option does basically the same thing).

Re:interesting comment on how to stop it...

[jsprat]

Before anyone "upgrades" to lsh, here's the README:

This directory contains snapshots of lsh development. lsh is a free
implementation of the ssh protocol.

lsh is far from finished; don't expect these snapshots to compile or
work, and even if they appear to work, beware that lsh currently does
*NOT* provide any security at all.

Re:interesting comment on how to stop it...

[shokk]

Thanks for the warning. I'll install right now since that sounds completely secure and stable. And I'm sure lsh doesn't come with its own set of problems to be exploited in the future.

OpenSSH has been very good to me, so I'm just going to patch it all up to 3.7pl1 and move on, just like I do with MS stuff and any other software made by us slightly evolved apes. I don't need to go and load some buggier crap on my network and learn how to apply bandaids over a new system just because it is the spotlighted darling of the moment for GNU.

Don't forget that compiling your own OpenSSH ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable /openssh-3.7p1.tar.gz needs the updated OpenSSL http://www.openssl.org/source/openssl-0.9.7b.tar.g z

Re:interesting comment on how to stop it...

[andreas]

This is the README from 1998, talking about a beta version of lsh. Don't let age-old doumentation fool you.

lsh has grown mature since then, and has an excellent code quality. I recommend it. Any day over OpenSSH, after having looked at the code of both projects. Up-to-date documentation, as on the web page, or the README inside the tarball, doesn't contain the warning.

Re:interesting comment on how to stop it...

[JoeBuck]

The suggestion to "upgrade" to lsh is stupid. This bug is only public knowledge because the OpenSSH people have already fixed it.

Re:interesting comment on how to stop it...

[Phaid]

Don't forget that compiling your own OpenSSH eeds the updated OpenSSL

Nope. You only need openssl-0.9.6 or later. See the INSTALL doc in the openssh 3.7p1 source.

Re:interesting comment on how to stop it...

[jsprat]

This is the README from 1998

Thanks andreas. I didn't notice the date - it is an old README.

I found it here, in the same directory as the current version of lsh, and assumed it was still valid. I'm sure I won't be the only one. Someone affiliated with lsh needs to remove it - or better, replace it with a current readme.

Re:interesting comment on how to stop it...

So you want us to trust a tool when the
developers don't bother to update the
WRONG and outdated documentation?

This isn't some cute gnome utility that
makes penguins dance on your X11 client.

This is a security program. How much
confidence do you have in a tool where the
docs are allowed to slide?

Re:interesting comment on how to stop it...

[lspd]

This bug is only public knowledge because the OpenSSH people have already fixed it.

And it's only a problem because they didn't tell anyone else. There are too many people looking at SSH for holes to try and slip a security fix into a new version without mentioning it and backporting the fix. Maybee they didn't appreciate that it was an exploitable bug. Maybee this whole topic is hype and there is no exploit. Assuming they new it was an exploitable bug, they should have coordinated a fix before releasing a patched version. A local root exploit in Galeon, Grip, etc...upsetting but no use losing sleep over it. A remote root exploit in SSH, Apache, xinetd, etc...get is fixed ASAP and don't hide the problem.

Re:interesting comment on how to stop it...

[Syberghost]

Are we talking about the same lsh? The one that doesn't do X forwarding in the server?

That's a real step forward in security; make everybody go back to opening up X to TCP. Time to dust off xkey.c I guess...

Re:interesting comment on how to stop it...

[andreas]

Are we talking about the same lsh? The one that doesn't do X forwarding in the server?

No, we're talking about the lsh that does do X forwarding. And port forwarding. You can even tell it to just open a connection and not spawn a shell, in case you need just the port forwarding.

Re:interesting comment on how to stop it...

[mkldev]

In fairness, a README in an ftp directory is not inherently tied to the README in the distribution, and it's awfully easy to forget that the former is there. Just because it isn't documented very well in a file thrown into the ftp tree doesn't mean it isn't documented well.

Re:interesting comment on how to stop it...

[Syberghost]

No, we're talking about the lsh that does do X forwarding. And port forwarding. You can even tell it to just open a connection and not spawn a shell, in case you need just the port forwarding.

You're talking about the client. You're responding to a post about the server.

From the web page for the project:

"Convenient tunneling of X was one of the most impressive features of the original ssh programs. The current version of lsh implements X-forwarding, although the lshd server doesn't provide that service yet."

How did you get modded up for that?

Re:interesting comment on how to stop it...

[shokk]

My install complained about header and library mismatches. Since I had to do it, I'm just reminding folks to do contrib/findssl.sh in their openssh distribution to make sure that things are what they seem if they run into this problem. It's a good quick troubleshoot. From my install, it looks like I have a lot of stuff laying around that should no longer be there, but which the previous version unfortunately relies on. Time to mess with LD_LIBRARY_PATH and friends.

chewbacca:/home/src/openssh-3.7p1# contrib/findssl.sh
Searching for OpenSSL header files.
which: no locate in (/usr/local/src/mh/bin:/usr/local/sbin:/sbin:/usr/ sbin:/bin: /usr/bin:/usr/local/bin:/usr/X11R6/bin:/opt/bin:/o pt/teTeX/bin:/opt/kde2/bin:/op
t/redmondlinux/bin :/usr/local/samba/bin:/usr/local /rrdtool-1.0.39/bin)
0x0090700fL /home/src/openssl-0.9.7/crypto/opensslv.h
0x00907 00fL /home/src/openssl-0.9.7/include/openssl/opensslv.h
0x0090702fL /home/src/openssl-0.9.7b/crypto/opensslv.h
0x0090 702fL /home/src/openssl-0.9.7b/include/openssl/opensslv. h
0x0090702fL /usr/local/ssl/include/openssl/opensslv.h
0x00906 00fL /usr/include/openssl/opensslv.h

Searching for OpenSSL shared library files.
which: no locate in (/usr/local/src/mh/bin:/usr/local/sbin:/sbin:/usr/ sbin:/bin: /usr/bin:/usr/local/bin:/usr/X11R6/bin:/opt/bin:/o pt/teTeX/bin:/opt/kde2/bin:/op
t/redmondlinux/bin :/usr/local/samba/bin:/usr/local /rrdtool-1.0.39/bin)
0x0090702fL /home/src/openssl-0.9.7b/libcrypto.so.0.9.7
0x009 0702fL /home/src/openssl-0.9.7b/libcrypto.so.0
0x0090702 fL /home/src/openssl-0.9.7b/libcrypto.so
0x0090605fL /usr/local/ssl/lib/libcrypto.so.0.9.6
0x0090702fL /usr/local/ssl/lib/libcrypto.so.0
0x0090702fL /usr/local/ssl/lib/libcrypto.so
0x0090702fL /usr/local/ssl/lib/libcrypto.so.0.9.7
0x0090600fL /usr/lib/libcrypto.so.0
0x0090600fL /usr/lib/libcrypto.so.0.9.6
0x0090600fL /usr/lib/libcrypto.so

Searching for OpenSSL static library files.
which: no locate in (/usr/local/src/mh/bin:/usr/local/sbin:/sbin:/usr/ sbin:/bin: /usr/bin:/usr/local/bin:/usr/X11R6/bin:/opt/bin:/o pt/teTeX/bin:/opt/kde2/bin:/op
t/redmondlinux/bin :/usr/local/samba/bin:/usr/local /rrdtool-1.0.39/bin)
0x0090700fL /home/src/openssl-0.9.7/libcrypto.a
0x0090702fL /home/src/openssl-0.9.7b/libcrypto.a
0x0090702fL /usr/local/ssl/lib/libcrypto.a
0x0090600fL /usr/lib/libcrypto.a
chewbacca:/home/src/openssh- 3.7p1#

Questions.

[grub]

I have to wonder if UsePrivilegeSeparation was enabled. (see the manpage)

One message in the thread indicates it is but this isn't first-hand knowledge. If PrivSep was enabled then is OpenBSD immune to this attack due to other parts of the OS being hardened (much like the zlib hole a few months back)? Also are these default installations or are they "tweaked"? As an aside, PermitRootLogin defaults to enabled, something I always disable as I have no need for it.

Even if this does count as a new remote hole in OpenBSD, it's still a phenomenal track record they can be proud of.

Re:Questions.

[Tirel]

PermitRootLogin is enabled so you can login after a remote install, but the install guide tells you disabling it is one of the first thing you should do after you successfully boot and make a normal user account.

Re:Questions.

[Krach42]

Yeah, phenomenal track record. Unless you're me. I've run Windows, Linux, and OpenBSD. Besides the usual Spyware, etc, my Windows box has never been exploited. My linux has never been exploitet.

My OpenBSD box? *sigh* I got bitten by the LAST ssh bug... which is why I'm so desperate to fix THIS one.

I will point out to people that this message "only one remote exploit in 7 years" said that before the last ssh bug. But then, I wasn't exploited until after they released 3.3, so you can possibly blame it no not upgrading.

Re:Questions.

[bconway]

If you read the thread linked to in the story, you'll find that PrivSep was enabled.

Re:Questions.

[Just+Some+Guy]

my Windows box has never been exploited. My linux has never been exploitet.

Out of curiosity, how do you know this? How certain are you that you Windows and Linux machines aren't running rootkits as we speak?

This exploit is awful, sure, but at least we know about it and can fix it.

Re:Questions.

[ndogg]

Good.

That means that Debian's default configuration for sshd is also secure.

Re:Questions.

[KrispyKringle]

Erm, if you'd bothered to read the advisory, you'd realize that UsePriveledgeSeperation is no fix. However, both OpenBSD and FreeBSD feel that this could only lead to a server crash, not a remote exploit. Regardless, their track record is NOT still standing. See OpenBSD Errata.

It should be noted that RedHat does believe this is remotely exploitable, including remote code execution. So Linux boxes are quite possibly far more vulnerable than BSD boxes, but in either case, its a risk either way. I'm finishing up my fifth and sixth upgrades.

Re:Questions.

[Krach42]

When I was cracked, I thoroughly went through my systems looking for anything that could possibly be a rootkit.

Now, granted, it's entirely POSSIBLE that they were cracked, but they usually sit behind my firewall, and the hacker... sorry, cracker, cracked into the firewall. Since he was using it as an IRC bounce, it's highly unlikely that he bothered to go deeper into my systems.

I'll perhaps correct this up to "As far as I know, neither has been exploited"

Actually, the first thing that tipped me off to something weird going on, was that I couldn't change my /etc/pf.conf file, even as root, and even with a :w! Which really hit me as odd, especially since the file had been changed to make the computer fully open, rather than closed except for SSH and HTTP(S).

Later, a person posted to my personal webpage that he was being DoS'ed from my computer in IRC. That made me check it out, and my good friend, a soon-to-be-certified security expert friend, and he found the root kit.

CRAP!

[code+shady]

Looks like its time to turn the port forwarding on my router off, and wait for apple to provide a patch.
The advisory itself says The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH. So i'm going to assume that OS X is affected as well.

Re:CRAP!

Well, one post says

"The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login."

So even if the root hole cannot be exploited with priv. sep, you still have to worry about all those SSH connections eating up your resources.

Re:CRAP!

[loginx]

But the flood is not the SSH bug itself, the fact that you can flood a box running SSH is not a design flaw of SSH in any way.
You can flood any service and eat resources... no matter what service is running.
I think if you can just configure SSH or port-sentry to simply allow 3 attempts from the same IP address or even network block, it's not a fix but a good workaround as it will definitely help you secure your ssh-based system.

Re:CRAP!

Yes of course, but the point is that floods of SSH connections are going to be more likely due to people attempting to exploit this bug. Even if you're not vulnerable, they'll still try to exploit it.

Re:CRAP!

[loginx]

I agree with you on that one.
However, there's not much that can be done except set up decent firewall rules.

Re:CRAP!

Looks like its time to turn the port forwarding on my router off, and wait for apple to provide a patch.

Why don't you just allow only trusted hosts? My home machine only allows SSH from my work machine. Of course I understand in some situations you can't really do this, but if you're going to go as far as disabling SSH, a simple firewall rule is a better idea.

Re:CRAP!

[tyvek]

Along those same lines I wonder if some basic limit matching for ssh in iptables would do the trick for a workaround till this gets sorted out.

Re:CRAP!

openssh (1:3.6.1p2-6.0) unstable; urgency=high

* SECURITY: fix for CAN-2003-0693, buffer allocation error

-- Michael Stone Tue, 16 Sep 2003 08:27:07 -0400

(From Debian Incoming)

Looks like this security fix should make it into debian unstable sometime later today, right now you can grab it from incoming.

Re:CRAP!

[caluml]

Good point. Something like:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW --limit 5/min --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP ...might do the trick of slowing them down. Mind you, you wouldn't be able to get a connection either if they were attacking your box

Re:CRAP!

[loginx]

Portsentry actually has the ability to perform this operation for one specific host at a time so this rule would only apply to the attacker.

Public Service

[Morologous]

Posting this to slashdot is actually a public service, as the exploit description will be /.'d and unable to effectively be disseminated to the bad actors.

Re:Public Service

[bogado]

Posting this to slashdot is actually a public service, as the exploit description will be /.'d and unable to effectively be disseminated to the bad actors.

Also true to the patchs. :-)

Patch

[Karamchand]

Link to a patch.

Full Disclosure

[Full-Disclosure] new ssh exploit?
christopher neitzert chris@neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh
2. add explicit rules to your edge devices allowing ssh from only-known
hosts.
3. put ssh behind a VPN on RFC-1918 space.

On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> Does anyone know of or have source related to a new, and unpublished ssh
> exploit? An ISP I work with has filtered all SSH connections due to
> several root level incidents involving ssh. Any information is
> appreciated.

Telnet

[Henry+V+.009]

Thank god I'm using something secure like Telnet instead.

Re:Telnet

[fliplap]

too bad you're running a stock Solaris installation!

Re:Telnet

if you want to save money you can just get a pair and then breed your own bandwidth.

Re:Telnet

[dasunt]

Of course, if you used telnetd-ssl, you might be correct. :)

[ Caveat: Haven't been following the security problems with telnetd-ssl ]

Re:Telnet

[The+Wicked+Priest]

Yeah, it'd be funny if it wasn't true. The ONE TIME my system has ever been compromised, it was through the !@(*#& SSH daemon. (Not this exploit; a previous one.)

Re:Telnet

[kervel]

same here. i guess telnet is atleast as safe or even safer than ssh in reality ... who ever got owned because of a sniffed plaintext password auth ? and who got owned because a remote root hole in sshd ?

Re:Telnet

I've been looking for a telnets & telnetsd
for a while.
jhudson AT cyberspace D0T org

Re:Telnet

i hate me-too posts, but...

me too. I've been 0wn3d from bugs in server (rpcd) more often (1x) than from sniffed telnet password.

Re:Telnet

[Bitsy+Boffin]

Any time you have the ability to access a shell on the box from the outside world, you have the potential for calamity.

It's a necessary evil, SSH is hopefully the lesser of the evils.

Like a house, if you didn't have doors or windows your house would be pretty secure, but you can't really do that, so we put doors and windows in even though it makes it easier for the bad guys to get in.

very early

[ceswiedler]

At this point basically no one (publically) seems to know what the exploit is. If you want to find out about exploits THIS early, then you should be reading those mailing lists yourself. I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

What's the next article going to be: "Linus Torvalds is in the MIDDLE OF A SENTENCE describing the future for 2.6! In four seconds, we'll finish hearing what he has to say!"

Re:very early

[Qzukk]

There is a patch, but the server that the advisory referenced on the SANS posting is on went down hard while I was in the middle of getting the page, so I only managed to get part of it (thanks, slashdot!) The advisory also indicated that openSSH 3.7 isn't affected.

Re:very early

[NaugaHunter]

On the other hand, it's good to have the heads up if something might not be as secure as we think it is. This warning gives those who turn it on occasionally the knowledge they need to turn it off if not needed, and not just leave it on.

It also may give those who need it on something to watch for until a patch does come out.

Re:very early

[__past__]

Patches are already available, for example from the FreeBSD CVS web. Personally, I'd rather apply it now than waiting for a detailed analysis of the exploit...

Re:very early

[Kaa]

I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

Really?

How about hearing about it when you find your machines rooted?

Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

Re:very early

[FuzzyBad-Mofo]

I don't agree, with this warning those of us running ssh services are informed about the vunerability. Better to have this knowledge and disable ssh than to get hacked and find out about it later..

Re:very early

[s.d.]

Even though there is no patch available (yet)

There is a patch available, as well as it being fixed in 3.7, which was just released this morning. That's the point of all of this. The mention of the bug was in the 3.7 release notes, i believe.

Re:very early

The patch and new release of OpenSSH 3.7p1 was made available at 5 AM EST today.

Re:very early

[pohzer]

..you only get those early warnings if you subscribe ;-)

Re:very early

[jdavidb]

Actually, I've been waiting since this morning to see if this would be confirmed on slashdot or not.

Also, if you'll look around, the exploit is understood, and patches seem to be available, at least according to posts here.

Re:very early

[perp]

Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

Anyone who is relying on slashdot for critical security updates is being extremely irresponsible. If your site is so sensitive, you should have blocked/filtered/whatever ssh last night when it first came out on Full Disclosure or whatever list/service you subscribe to for critical security updates..

Re:very early

[Syberghost]

Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

If you're responsible enough to do that, you aren't hearing about this first on Slashdot.

Re:very early

[colonwq]

I just updated my Debian system and installed the new OpenSsh. At least on Linux distro has been updated for this issue. :wq

Re:very early

[Maditude]

/usr/src> cvsup -g -L 2 /root/my-supfile
Parsing supfile "/root/my-supfile"
Connecting to cvsup11.freebsd.org
Connected to cvsup11.freebsd.org
Rejected by server: Access limit exceeded; try again later
Will retry at 12:13:26

sadly, seems like any freebsd-cvs server near me is already swamped :-(

Re:very early

[caluml]

Actually, I've been waiting since this morning to see if this would be confirmed on slashdot or not.

Confirmed on Slashdot? That's a pretty bizarre thing to do. As if some random submitter and Cmdr Taco are more reliable than securityfocus, sans, openbsd, etc?

Re:very early

[jdavidb]

I don't read those, and I meant confirmation for people like me who are just watching interestedly to see if they need to patch their home systems, rather than people who handle security for large systems or whatever and need genuine confirmation from sources like the ones you listed.

Re:very early

[arkane1234]

I definately have to agree with you there.
Seeing it (simultaneously, which is wierd) on SecurityFocus and on Slashdot gave me the opportunity to turn off SSH on our exposed machines temporarily until we could patch it.
Might have been only 1-2 hours, but that's 1-2 hours of feeling exposed.

Re:very early

You are quite wrong. /. had this up this morning prior to my receiving any mailing list activity regarding it.

I don't sub to full disclosure lists only because of the high traffic content.. I'd never be able to keep up.

Re:very early

[Penguinshit]

"confirmed on slashdot"

sounds like part of a poorly re-written chain email about a new virus called "Good Times".

Re:very early

[glesga_kiss]

Not only does it allow you to disable/filter the service, announcing it in such a public way starts a race between the distro's to get the patches out first.

Nothing confirmed so far...

[ferratus]

Reading the mailing list, it appears that there's nothing confirmed so far. Let's hope its just a false rumour.

There's only one guy that says it its ISP has blocked all incoming SSH connection due to "several root level incidents".

One guy did say that there was a bug somewhere and that a patch existed...No one knows what patch or where it is though.

Let's hope to publish this one quickly before there's any ral damage done.

Re:Nothing confirmed so far...

[Gleef]

ferratus wrote:

Reading the mailing list, it appears that there's nothing confirmed so far. Let's hope its just a false rumour.

Not entirely true, it is confirmed that there is a bug, the bug is possibly exploitable. A little more info (and the patch) can be found at: http://marc.theaimsgroup.com/?l=openbsd-misc&m=106 371592604940&w=2

What hasn't been confirmed is:
A) Is it truly exploitable, or just a bug? and
B) Has it been exploited in the wild?
C) Has it been exploited on a ssh server with privilege separation properly enabled?

Re:Nothing confirmed so far...

[dodobh]

I'll confirm the exploit part of it at least.

Re:Nothing confirmed so far...

[Kakemann]

There's a patch here

A patched ssh package is already available in Debian stable.

-K

Wrapping defense

[secolactico]

Won't having the sshd wrapped (/etc/hosts.allow, /etc/hosts.deny) help offset the damage somewhat?

Re:Wrapping defense

Sure, but from what I see, I'll have to recompile it to do that. I may as will just install the patch.

Re:Wrapping defense

[Minna+Kirai]

That's a partial defense, and relates to a suggestion made in the mailing list announcement of the vulnerability.

However, if you're a paranoid or pessimistic kind of person, you shouldn't rely on hosts.allow to protect you.

Assuming that your ISP is taken over (either by hackers, or the FBI), they can re-number any internet packets destined to you. The hosts_access system will have no way to tell that a datastream is from a spoofed source. The "source address" field of IP packets can be falsified, and there's no way to tell.

However, in normal circumstances ssh can do a better job of verifying remote identity, by using more information than IP headers provide. It checks fingerprints of keys on the remote system, for example. But can we be sure that this feature is still working today, and hasn't been defeated by the latest exploit? That won't be known without expert analysis.

Re:Wrapping defense

Won't having the sshd wrapped (/etc/hosts.allow, /etc/hosts.deny) help offset the damage somewhat?

You bet. It'll "help". By the way, what's your IP address?

Is ths a hoax?

[diodesign]

I just saw the comment in the nmap article and got worried. A friend online showed me this post..

"I wonder if this is in any way related to an incident I heard about on efnet's #openbsd where someone at a european con (hack the planet?) mentioned that details of a new openssh exploit had been taped to the openbsd tent (on the outside) whilst all the openbsd ppl were inside, drunk? I suppose if there is any merit to that story (and I'd rank it as no more than heresay myself, but it does paint a good picture of college level kids :) and it was details of some new vulnerability for which there is an exploit then it has been around for a while...assuming,of course, it is the same "bug"."

I haven't seen anywhere else online go nuts, which is usually how people react to SSH exploits. What's going on?

Re:Is ths a hoax?

[diodesign]

I hate to reply to my own comment but it is misleading, I'm sorry. It most definiately doesn't look like a hoax. Debian already have a patch out - excellent work on their part.

Re:Is ths a hoax?

[technoid_]

You should note that comment came from Darren Reed (of IPFilter fame), who is not a fan of Theo. After the arguements over the IPFilter licensing, a comment like this coming from him doesn't suprise me at all.

technoid

This is why I refuse to use ssh.

[91degrees]

I mean really - telnet is perfectly secure unless you use a direct connection. Use of a quantum tunnelling encryption layer and probabilistic key generation means you get the maturity of telnet with a greater level of security (I'm talking non-recursive factorial strenth here).

ssh is just for losers who can't set up teransparent network layering.

Re:This is why I refuse to use ssh.

[91degrees]

I said "teransparent". What the hell is "transparent network layering?"

install base

If linux was installed on 98% of all machines in the world you can bet there would be a worm by now that would have taken advantage of this. Don't throw too many stones linux users.

Re:install base

..and how many systems would have a SHH service running by default?

Re:install base

Amen

-Let's go to a stonning

-shhhh mother will you be quiet... we can go to a stoning any time

Re:install base

[drunk_as_in_beer]

If linux was installed on 98% of all machines in the world you can bet there would be a worm by now that would have taken advantage of this. Don't throw too many stones linux users.

Any "linux user" who has openssh open to the world is a huge dumbass. What part of "firewall rules" don't you understand?

Furthermore, anyone running any OS, who has any port open to anyone other than themselves is not secure.

Re:install base

[Foolhardy]

And if it's running on 98% of systems, then there will be a large quantity of stupid users using an insecure distro that leaves ssh wide open, along with everything else. Forget about those users even knowing what a port is.

Re:install base

yes, because this is a known automated worm with multiple, independent vectors of infection.
Mod parent down.

Re:install base

[Gay+Nigger]

What part of "IP spoofing" and "exploiting trust relationships" don't you understand?

Re:install base

[Minna+Kirai]

What a troll. Aiming to trick mods into "Informative", I suppose.

Any "linux user" who has openssh open to the world is a huge dumbass. What part of "firewall rules" don't you understand?

How would you suggest it be configured then? Just turn off remote login entirely? Or what other "firewall rule" could help in this situation?

I assume you are suggesting that people only allow ssh access from a specific, previously-known host. That removes much of ssh's utility (no more checking your system from a laptop in the hotel room), and even that sacrifice is not enough to be protective!

An attacker sniffing packets at your ISP can learn exactly which addresses you accept ssh connections over. Then he can spoof from that same address, and go right through the firewall.

The only way to protect yourself from unwanted outside connections is with correct crypto code.

Re:install base

[roca]

Only being installed on 2% of machines (or whatever the number is) is a genuine advantage. It's not a technical advantage, but it is nonetheless very real. Don't knock it.

Put it another way --- software diversity is a good thing.

Re:install base

Good thing there isn't *any* operating system installed on 98% of all machines in the world.

Re:install base

[GSloop]

A spoof will only work if one doesn't need returned packets.

I don't know the nature of this exploit, and perhaps it would be possible to utilize without any return packets. (Though if they are sniffing packets at the ISP, hijacking your connection is probably a possibility.)

The point you made on the origional post is valid though. (If you don't allow connections from almost anywhere, what's the point of remote admin? I almost never have real emergencies when I'm somewhere predictable.) I'm just pointing out that spoofing IP's is only useful if your attack can succeed without any return packets.

If your attacker is sniffing packets from your ISP, then you probably have bigger problems, though one shouldn't expect the ISP to be secure.

Finally, "The only way to protect yourself from unwanted outside connections is with correct crypto code." Funny, I disagree.
The only really secure server is buried in concrete, unlugged and at the bottom of the deepest trench in the ocean. It's *probably* secure there, but I wouldn't bet my life on it.

Cheers,
Greg

Re:install base

[gbjbaanb]

all the web servers that are remotely located, and several that aren't.

Given the number of attacks on web servers are higher for Linux than Windows, (according to nercraft) the truth of his statement is already being shown.

Cast stones at Windows if you like, but be prepared for stones to be thrown at you, for the exact same reasons.

Re:install base

Actually a good way, if you have another service running, is to set up something requiring two services. For example, require users to log into a web app over https, which could open a hole in the firewall to their IP for a few minutes.

Re:install base

[arkanes]

A spoof will only work if one doesn't need returned packets.

Only true as long as you don't control a router upstream from the target. You can do that without neccesarily controlling the ISP.

Re:install base

[diamondc]

If you're running a webserver with ssh installed, then it's your responsibility to keep up with the latest patches, upgrades, etc. Of course with a 0-day exploit like this, it's going to be hard to fix quickly. I'd give the linux/bsd distro's a day to come up with a fix.

What you can do in the meantime, is set PermitRootLogin to No and firewall off ssh cept for a few hosts you login from.

Re:install base

[GSloop]

True I suppose, but that denotes a pretty massive level of control and penetration.

I think in general, spoofs are vastly over-rated in their potential for use in exploits. Short of the old time things like asking for the password file via email or something, I've not heard much in the way of spoofs. Perhaps that is because there is almost always much better low hanging fruit already available.

But thanks, hadn't really thought/didn't immediatly occur to me about controlling a router upstream.

Cheers,
Greg

Re:install base

[IM6100]

You're describing 'security through obscurity' not 'software diversity.'

Re:install base

[Minna+Kirai]

But thanks, hadn't really thought/didn't immediatly occur to me about controlling a router upstream.

Subverting a router at your ISP (directly upstream from you) would be the preferred technique for any federal law-enforcement types who wanted to spy on you. They have physical access anywhere they want, but might prefer not to spook the target into laying low by approaching his home directly. So a "man-in-the-middle" attack at the ISP will be their best plan.

Is FBI survelliance a valid concern for the home user interested in privacy? Maybe not- after all, the innocent have nothing to fear... the police are your friends...

Re:install base

.... and this is what the windows folks have been saying, too.

If you run a server, you're responsible for keeping it patched.

Re:install base

[homer_ca]

We already had the Ramen worm that targeted Linux, and it didn't spread nearly as widely as the Code Red that was rampant on IIS servers at the time. There are already enough BIND, Sendmail and Apache servers on the net to make a Linux a target for worms. Slammer exploited a relatively obscure service and look how it spread. Only a small fraction of Windows computers on the net have SQL or MSDE installed.

Re:install base

[ryanvm]

The only really secure server is buried in concrete, unlugged and at the bottom of the deepest trench in the ocean. It's *probably* secure there, but I wouldn't bet my life on it.

That's okay, I will.

I bet this guy's life that a server on the bottom of the ocean is secure.

Re:install base

"The only really secure server is buried in concrete, unlugged and at the bottom of the deepest trench in the ocean. It's *probably* secure there, but I wouldn't bet my life on it."

nevermind how insecure your data is at that point :P you still have to worry about those fish and other funny creatures down there

Re:install base

[nolife]

It's cool and all to say that but let's be realistic. I am in no way shape or form suggesting security through obscurity here but lets look at this big picture. My firewall lets exactly 3 ip addresses to come in through SSH and it is configured for no root access and must have existing keys. Do you care to try guess which IP's to spoof as? You probably could narrow it down a little if you monitored all of my traffic for a few days but you have no way of doing that from your desk. Think of security in layers, not one pass device.

Re:install base

[ReelOddeeo]

Don't throw too many stones linux users.

Go ahead and throw stoned when they are deserved.

Security problems come in at least two forms.

First, there is the unintentional security bug. People who post to Slashdot in defense of poor Microsoft, getting an undeserved bad reputation for security, usually incorrectly attribute MS's security problems to this type of bug.

This type of security problem, the untentional bug that results in a security problem, can happen to any system. So in this case, MS should not be screamed at any more than you would want to be screamed at for a similar problem.

But there is a second type of security problem. That is when a system is insecure by design. It may not have been a design goal, but the design is still insecure. MS deserves the reputation that they get for this. This happens when security is a low priority compared to other concerns.

Can you say IIS, running under the SYSTEM account, installed and activated by default, with lots of related services also running by default. (Can you say Code Red, Nimbda.) At least Apache runs as "wwwrun" or "nobody", an unprivileged account, even on a distribution where Apache might be installed and run by default.

Re:install base

[arkanes]

It all depends on whats going on. If it's just random messing around and automated scans and whatnot, of course it won't matter that much. But if you're in charge of something important, and someone is specifically targetting you, then you have to be aware of indirect attacks as well as direct ones. Maybe you're locked down as much as you can and you've got your hosts.allow set up correctly, but who knows if your immediate upstream router has unpatched Cisco firmware?

Re:install base

[vladkrupin]

What a troll. Aiming to trick mods into "Informative", I suppose.

No, he meant to get the "Funny" mods, not "Informative". And, you know, if you actually READ what he said, and read the whole post, you'll see it is FUNNY. Too bad he got modded down and I don't have any mod point left to mod him back up. Anyone else got a mod point to spare?

I'd say mod the parent one down and mod the parent's parent one up. That should be just about fair.

Re:install base

[Minna+Kirai]

Do you care to try guess which IP's to spoof as? You probably could narrow it down a little if you monitored all of my traffic for a few days but you have no way of doing that from your desk.

To spoof ssh traffic, I need to be able to both snarf and inject packets at your internet provider. Anyone who's compromised your ISP to the point of being able to spoof already has a way of monitoring your traffic "from his desk".

There's no guessings- the attacker just watches for a long-lived connction on port 22, and uses that IP.

Re:install base

[obdulio]

There is a third form: the corporate policy to deal with exploits.

In this form, M$ is also guilty, because they choose a "security through obscurity" approach. Also they take several days to deliver a patch, their patches sometimes end up breaking something else.

In the Open Source world, a few hours after the exploit is discover, there are already patchs available.

Re:install base

[latroM]

Linux guarantees nothing. You must have openssh.

Re:install base

[GSloop]

"They have physical access anywhere they want..."

Are you saying they have full data stream access anywhere without a court ordered warrent?

I'd be interested in how/what you're talking about.

But, yes, I don't care for what snooping law enorcement seems to be able to do on a whim. But I'd assume that since my machines are not tempest hardened, then they'd just watch anything they want from some place on the street outside my home/business. (Perhaps I'm of the tinfoil ilk, but I'd even casually considered a faraday cage.)

Cheers,
Greg

Re:install base

[smitty45]

if you're controlling a router upstream from the target, the victim had bigger problems than just an ssh exploit.

I agree...spoofing is quite often mentioned and not so well understood (generally speaking) in the community with respect to tcp wrapping. tcp wrapping is always a good idea, and never a bad one, IMHO.

Re:install base

The SHH service?

That must regulate the speed of the fan, right?

Re:install base

[plugger]

Would that be Itanic then?

Re:install base

[Penguinshit]

The number of attacks may be higher, but what are the number of SUCCESSFUL compromises which install the equivalent of a ROOT KIT on said compromised system?

With Windows it's an extremely high number. With Linux running (presumably) Apache, it's extremely low.

Oh, and you can't count an "attack" as someone trying a CodeRed or Nimda exploit against a Linux system...

Bzzzzzt. Try again, Mr. Alchin.

Re:install base

i agree very much. operating systems should have all ports closed by default. especially the big consumer-oriented ones.

Re:install base

you are a fool. you can shout and scream as much as you like about how Windows is crap, and Linux is great but that doesn't help any, nor does it alter the figures we have.

alldas.org shows some statistics. Regardless of what you like to think, Linux is hacked, does attract an increasingly large number of SUCCESSFUL attacks, and the only real hope is to highlight them to show the admins to get the systems patched. Its not a game, or a competition, this is the real world, real businesses.

If a linux system is hacked, then its hacked - don't try to avoid the truth by saying 'yes, but its ok cos windows is hacked more' -= who gives a sh*t? That's a hacked linux box you have. Don't argue over whether Windows is more at fault. admit it and fix it.

Re:install base

[Penguinshit]

yup.. real world, real business. Which is why none of my businesses will use Microsoft.

And no one said Linux is "unbreakable". However, the relative ease of attacks (and the recurring number of duplicate and/or very-similar vulnerabilities) which occur in any MS-oriented OS very definitively tips the scales in favor of a *NIX-based OS (be it Unix, BSD, or Linux).

A system that requires in-depth knowledge of systems and protocols to break is a lot less likely to cause downtime and loss of revenue than one which allows some dipshit with a "VBS for Dummies" book to thoroughly root time and again.

So your argument is useless; you can't just compare absolutes (A is hackable, and so is B, so they are equal). You must further qualify the statement. And under any rational real-world business qualification, you and your favorite little OS fail it much more often than mine.

So, again, "Bzzzzt. Try again Mr. Alchin."

bugs??

[maximum_high]

Is it the same bug that requires me to type the full word "yes" or "no", and not shortcut keys 'y'/'n', when I want to connect to a remote server??

=)

Re:bugs??

Apparently so. If you type r00t! instead then SSH will connect to the remote server and log you in as the root user, without a password! Its amazing no one has noticed this before.

Re:bugs??

Is it the same bug that requires me to type the full word "yes" or "no", and not shortcut keys 'y'/'n', when I want to connect to a remote server??

Looks like you were hacked. Upgrade to telnet 1.0 and report to alt.2600.hackerz immediately. Wait for further instructions appearing on your screen.

Re:bugs??

[capnjack41]

You can type "yes/default.ida?XXXXXXXXXXXXXX%u9090%u6858%ucbd3" to create a buffer overflow and get instant root access, I have a script that does it automatically if you want it

/.'d -- Page gone already...

[whoami-ky]

Anybody got a copy on a REAL server?

Bits and pieces so far...

[Oestergaard]

Yes, there is a vuln. in 3.6. You need to upgrade to 3.7 which was released today, to be safe (well, 'safer' anyway).

It will be 3.7p1 for us non-OpenBSD people.

It is a patch to one file, buffer.c, which fixes some allocation/offset stuff.

It seems that privilege separation does *not* help here - so get them systems patched (and firewalled)!

Re:Bits and pieces so far...

Don't say vuln. Say vulnerability. You know how to spell it:

vuln + er + ability

You know "vuln" say to yourself, "er" then say "ability." Now you know how to spell vulnerability.

When I was a kid, I would always write "lang" when referring to that subject in school. Then my mom pointed out that I know how to spell it:

lang + u + age

What's so hard about that? Personally, I have issues with spelling, but I'd rather spell it wrong a little than abbreviate for the same reason. Anyway...go back to work.

Oh great

[Sir+Haxalot]

Nice idea putting it on Slashdot, now it's out of the wild.

guess who

[dwakeman]

Damn trinity and her sshnuke...

Suggestions for a newbie?

[johnny1111_23]

Am pretty new to Linux, and am currently running a Lindows 4.0 installation my dad put on my computer.

How worried should I really be about this? And what steps should I be taking (or ask dad to take)? Since I gather Lindows is similar to Debian, should I just look for a Debian tutorial?

Thanks in advance.

Re:Suggestions for a newbie?

Lindows is similar in the fact it's based on Linux, but the security model is different (forcing all users to root priviliges). I wonder if sshd runs as root as well?

Re:Suggestions for a newbie?

[Ewan]

I don't think lindows runs the ssh server by default, so I'd imagine you're fine.

Re:Suggestions for a newbie?

[Abcd1234]

Simple question: If it's Lindows, a) is it running sshd in the first place? And if so, b) *why* is it running sshd, since, in my estimation, an average Lindows user probably doesn't need sshd running. Of course, if you don't need sshd (since you don't access your box remotely), the obvious thing to do is kill and uninstall it (apt-get remove sshd), since it's just one more thing that could have a remote exploit in it.

Now, if you feel you need sshd, but can go without for a while, uninstall sshd in the short term and wait for an upgrade for your OS, at which point you can safely reinstall (it's a simple "apt-get install sshd").

Re:Suggestions for a newbie?

There is no reason to be running SSH daemon on a desktop machine, especially one where you are always root. open a console and type 'netstat -a | grep ssh', if it's running mail Lindows support and tell them they are morons from AC on \.

Re:Suggestions for a newbie?

I'm afraid it means that everything you've installed so far is corrupt, and all your efforts have been wasted. Quickly now, go to your nearest office supply store, get a copy of Windows XP and start over, before the damage spreads!

Re:Suggestions for a newbie?

[vadim_t]

If you're running a SSH server, and can live without it for a while, you could just stop it.

As root, run: /etc/init.d/ssh stop

Then, when you get it patched: /etc/init.d/ssh start

Have in mind that usually it will be started automatically on boot.

This works for Debian, in other distributions it may be called 'sshd' instead. If you don't have that file then probably you aren't running a ssh server.

Re:Suggestions for a newbie?

As far as I know Lindows does not run any services by default. Hence sshd should not be running. To check type

ps -Af |grep sshd

and see if there is an entry for it. If so then turn it off (does Lindows have a GUI for configuring services?).

Re:Suggestions for a newbie?

If you don't have some kind of firewall between you and the Internet, here's an option you should seriously consider (look for the DI-604). It's basic, quick and easy to install, and should provide you with some level of protection. At that point, you'll have bought yourself some time to learn a bit more about Linux and how to update your particular distribution to deal with the occasional security concern.

Re:Suggestions for a newbie?

[Methiphisto]

Are you behind a firewall? If you are using a device such as a nat dsl router that is blocking the ssh port inbound then you are pretty safe. As always, the best bet is to disable services that aren't absolutely necessary. So if you have no need to ssh in to the lindows machine you can disable sshd and have no worries at all about sshd exploits. As for Lindows, don't really know anything about it. Do they release patches? If so, and you really do need incoming ssh, then you might disable it until a patch becomes available. Just my 2c, hope it helps.

Re:Suggestions for a newbie?

[mendred]

This is primarily of concern to servers. Since u are using lindows i guess ur primary objective will be to use it as a desktop. I have no idea what lindows' default config is but i would guess it should be bare minimum on the services front( essential stuff like xinetd. The thing is turn off whatever services u don't require. In this case i think u can safely turn off sshd as well. run nmap and see what ports u have open and knock off whatever u don't use. command will be something like nmap localhost. And of course create another user for ur daily work don't work as root. That should take care of most of ur problems. And if ur comp is always on the net, shut it down when not in use :). Welcome to the wonderful world of linux. If the above sounds like greek and latin, feel free to ask for clarifications, or just search the net u have enough resources. Or since u have paid for lindows u should be entitled to some user support i guess check there as well.

Re:Suggestions for a newbie?

[The+Grey+Mouser]

How worried should I really be about this? And what steps should I be taking (or ask dad to take)? Since I gather Lindows is similar to Debian, should I just look for a Debian tutorial?


If you don't log on to your computer from another machine at school or wherever, then the safest thing would be to ensure that the ssh daemon is disabled. You can test this by just trying a "ssh localhost" at a command prompt. If you get a "Connection Refused" message, you're probably fine. To make sure, try executing "/etc/init.d/ssh stop" as root (might also be /etc/init.d/sshd, not sure about Lindows). It will come back on after a reboot though, so you'll want a more permanent solution, which involves moving one of the startup scripts in a /etc/init.d/ subdirectory. If you have trouble, reply and we'll get you sorted out.

Cheers,

Mouser

Re:Suggestions for a newbie?

[p3d0]

tell them they are morons from AC on \.

On backslashdot?

Re:Suggestions for a newbie?

[Overly+Critical+Guy]

With the report last week of Linux being the most-breached operating system, I find this new vulnerability highly amusing.

I know I'll get modded down for this, but I want to say it anyway. People overbash Windows and underbash Linux. There is a double standard, where the "latest Microsoft hole" is this big deal, a statement of how Windows shouldn't be used by anyone, of how evil and terrible and inadequate Microsoft is. Any sort of Linux hole is just a patch to be swept under the rug and forgotten.

Re:Suggestions for a newbie?

Some of us AC's lean a little to the left around here.

Re:Suggestions for a newbie?

It could also be running out of inetd, in which case you won't see the process listed.

Re:Suggestions for a newbie?

[ispeters]

I would guess you probably don't have to worry too much, but to be safe, rather than sorry, you should try to ascertain whether sshd is even running on your machine. If it's not, you have nothing to worry about. If it is, you should turn it off, and then upgrade to the latest version.

If you get yourself to a command line and type in

ps aux | grep sshd

You should see whether or not you have an ssh server running. If you do, you probably want to turn it off until you can get your system updated.

Hopefully someone who uses Debian or Lindows can tell you how to turn off sshd, I've never used either OS, so I'm not sure.

As a guess, look for something in your interface that talks about managing network servers, daemons, or services. You want to stop sshd (it might be listed as just ssh), and prevent it from starting up again when you reboot your machine.

If you're behind a firewall that filters port 22, you're probably fine either way since ssh listens on port 22, and the firewall is blocking access.

Hopefully someone else with more knowledge can fill in my gaps. In a lot of ways I'm still a GNU/Linux newbie, myself.

Good luck!

Ian

Re:Suggestions for a newbie?

People overbash Windows and underbash Linux. There is a double standard, where the "latest Microsoft hole" is this big deal, a statement of how Windows shouldn't be used by anyone, of how evil and terrible and inadequate Microsoft is. Any sort of Linux hole is just a patch to be swept under the rug and forgotten.
Sorry, but there is a difference. Some windows holes arise from design flaws, and even non-coders can see why such a design is bad, and bash Microsoft. Since changing the design would brake some Software, Microsoft tries to fix the exploit without changing the design, a somtimes impossible mission. So the next exploit of the same flaw comes along, and admins start to get realy angry.

Re:Suggestions for a newbie?

[miffo.swe]

Hey newb, welcome!

You shouldnt have ssh running on a normal desktop unless you really need to get into the computer from some other place. If you are unsure you can see if it is running by either open a terminal and typing

netstat -l

or

ps -A

(and look after sshd)

If you dont use it and it is installed then uninstall it. It isnt somehting needed in your computer and you dont damage anything by removing it.

as a side note.

This is becoming interesting atleast to me. I have seen more and more posts like this where parents introduce their kids to linux instead of the opposite. Its too soon to speculate but its an interesting trend.

Re:Suggestions for a newbie?

[stonecypher]

I love how this guy completely ignores the original poster's question, instead making asumpions about his skill, makes a few snide comments, tells him to get rid of a legitimate tool instead of how to patch it like the guy wanted, and still gets modded +4 informative.

I'd answer, 'xcept I'm not a Linux user, so I don't actually know.

Re:Suggestions for a newbie?

"Now, if you feel you need sshd, but can go without for a while, uninstall sshd in the short term and wait for an upgrade for your OS, at which point you can safely reinstall (it's a simple "apt-get install sshd")."

What part of this sentance dosen't meet the criteria for "how to patch it like the guy wanted" ?

For chrissakes, the kid dosen't even know if he has to be worried about SSH, dosen't know if it's running, dosen't know what version it is, and probably has never ever used it, even if it is running by all estimation.

'xcept you're not a Linux user so you have no clue yourself, and should keep your mouth shut on matters that are over your head.

Re:Suggestions for a newbie?

[metamatic]

Something you seem to have missed is that Linux is open source, making it much easier to find exploitable holes. Imagine how many exploits would be uncovered in Windows if we could read the source code.

In fact, you don't need to imagine it. Microsoft are on the record as stating that it's one of the reasons why they can't possibly reveal Windows source mode widely.

Re:Suggestions for a newbie?

You should install some form of system-wide stack protection on your system, then you usually need worry very little. I'd recommend installing the 'libsafe' package, it's extremely quick and easy. It isn't a replacement for keeping current on updates and patches, but it takes out some of the urgency, since 80-90% of exploits won't work on your system.

Re:Suggestions for a newbie?

Ok. Should I get Windows XP Home edition or Professional?

Re:Suggestions for a newbie?

[blazerw11]

There's a difference between getting your site hacked because your ISP forces you to use FTP giving hackers clear text id/password combos to use and your computer being hacked because the software is buggy.

This open ssh bug is "believed" to be a vulnerability, but they didn't want to worry about trying to find out if it was. They found the bug in a code audit and fixed it. They weren't forced to reveal it because of a threat of bad publicity.

And finally:
With the report last week of Linux being the most-breached operating system
A very misleading statement, as this study only counted breachs by a human hacker and not a auto-vulnerability (worm, virus, etc.). There own statistics prove this, note the following lines from the article:

The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).

The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.

Clearly, overall server attacks were down while just as clearly, all attacks were up. In fact, server attacks were 1/40th of the economic cost of all attacks. The dwindling cost of server attacks is probably attributed to the continued movement of web servers to apache and away from anything MS.

Re:Suggestions for a newbie?

[Abcd1234]

Umm... the guy *said* he was a fscking newbie! Now, do you really want to try and instruct a newbie on how to download, patch, and recompile a vital package like sshd? Hell, he probably doesn't even have all the devel packages necessary to compiled sshd by hand (openssl-dev, etc), since there's no reason Lindows would have them installed by default. So you'd have to instruct them on how to figure out which packages they need, AND how to install those packages... yeah, brilliant.

Moreover, if this person is a new Linux user, they probably haven't made use of the remote admin capabilities yet, meaning sshd is totally useless for them. So, why bother going through all the effort to rebuild when you can just uninstall the damned thing and move on?

Christ, there's nothing wrong with treating a newbie like a newbie... especially when it comes to vital issues like security. Better to give the simple, straightforward instructions than to try and get them to jump through hoops they aren't prepared to jump through yet.

Re:Suggestions for a newbie?

[WindBourne]

while I am not a lindows user, I do not believe that Lindows uses a different security model. They simply have the initial main user as root. You can quickly get out of it. I would guess that daemons are treated as normal and given their own uid/gid.

Re:Suggestions for a newbie?

Better a little bit to the left than a fasicists on the far right.

Re:Suggestions for a newbie?

Be ahead of the game;
Get the one with millions of bugs, viruses, and BSA,RIAA,MPAA knocking on your door.
Oh, any MS product will do.

Re:Suggestions for a newbie?

[WindBourne]

better yet
service sshd stop
and
service sshd start
substitue ssh for sshd iff that does not work.

Re:Suggestions for a newbie?

Great idea. Put another BSD or Linux between your linux box and the internet.

Re:Suggestions for a newbie?

[WindBourne]

Judging by the number of comments on this application hole (not Linux), I would say it is getting a lot of attention.

In addition, /. does not pay attention to MS's holes. There would be no room for any other stories.

They do pay attention to the ones that seem to be causeing literally 26-50 billion dollars of damage in the USA for one hole though.

I suspect that if any Linux/BSD hole allowed for more than 1 million dollar of damage that it would be all over the news. And that would be with the fact that there are more *nix servers than MS servers on the web.

Re:Suggestions for a newbie?

[pohl]

I thought his answer was accurate and polite...but, then, I read it with a dispassionate tone of voice. Maybe if you read it again (without the assupmtion that the author is being snide) you would agree?

Re:Suggestions for a newbie?

and what about xinetd/inetd set up?
If you really do not know if it is running, then try
telnet localhost 22
If you connect, then it is running on that port. I will not worry about it running on some other port.
Even better yet, use
nmap localhost
and
nmap IP
where IP is the current default ip on the system.

Re:Suggestions for a newbie?

Wait for the new version 3.1 :-)

Re:Suggestions for a newbie?

[Tony-A]

Regardless, if it has a hole and you aren't using it, uninstall it is very sound advice. Any system, any level.
OpenSSH is a legitimate tool. In come contexts it is essential. However, Lindows and SSH don't really seem to go together.

Re:Suggestions for a newbie?

[SmallFurryCreature]

Well, check if you are running ssh. How? I presume you know how to open terminal window. It is the command line interface where you give typed commands like "cd" "ls" and such. (I don't know how lindows users use their pc, I was amazed when I spoke to a windows user who didn't no what a dos windows was).

You can probably open a terminal window from the menu. Look for something named terminal/xterm/commandline.

Anyway when you opened a window you can do two things. The first command is "ps -aux | grep ssh" this will return all processes running that got ssh in their name. Typically all ssh server programs plus any sessions. If you see only ONE line and that line contains "grep ssh" then you are fine. That one line is the process you just ran looking for it. If it contains no lines you are also find. If one of the lines contains SSHD, then you are not fine.

You should then use the upgrade tools to upgrade your software. Or disable ssh. Get help from lindows (you paid for support for a reason) how to do this as this would be guess work for me and probably most other people here.

Try looking around a bit...

[LittleLebowskiUrbanA]

This has already been posted and a fix (upgrade to 3.7) has been posted to www.deadly.org

GOOD!! Red Hat, fix your RPMs!!

[RedHat+Rocky]

Great, now maybe Redhat will fix their damn openssh RPMs that they fubarred with their last patch!

Re:GOOD!! Red Hat, fix your RPMs!!

[Seth+Finklestein]

Gentoo

emerge ssh

Debian

apt-get update

Red Hat

rpm -Uvh ssh-1.2.3-4.5.6.i386.rpm
error: unresolved dependencies
(45 lines snipped)

* RedhatLuser has joined #linux
<RedhatLuser> I tryd to upgrade ssh but it gave me a err
<@L1nuxg0d> stfu loser
* RedhatLuser was kicked by L1nuxg0d (h4h4h4 redhat suxxxx)

Re:GOOD!! Red Hat, fix your RPMs!!

[opkool]

How to fix your RedHat box:

1.- Download the file openssh-3.7p1-1.src.rpm from any of the mirrors. For example:
ftp://ftp.easynet.be/openssh/portable/rp m/SRPMS/op enssh-3.7p1-1.src.rpm

2.- Build an .rpm for your RedHat Linux version:

# rpm --rebuild openssh-3.7p1-1.src.rpm

3.- Upgrade your OpenSSH packages:

# rpm -Fvh /usr/src/redhat/RPMS/i386/openssh-*.rpm

4.- Re-start your sshd daemon:

service sshd restart

5. Profit!^H^H^H^H^H errr, that's it.

Peace.

Re:GOOD!! Red Hat, fix your RPMs!!

[Zigg]

I think you mean:

Gentoo

emerge ssh

* GentooLamer has joined #gentoo
<GentooLamer> recompiling ssh right now, got some good pr0n to watch in the meantime
<fomit-instructions> yeah me too
<gcc-O9> I'm out of pr0n I compiled KDE last week

Re:GOOD!! Red Hat, fix your RPMs!!

Are you referring to the delay? or the log problem?

Re:GOOD!! Red Hat, fix your RPMs!!

[Shiblon]

For those of us using a newer version of RPM, use:

> rpmbuild --rebuild openssh-3.7p1-1.src.rpm

Re:GOOD!! Red Hat, fix your RPMs!!

[rakarnik]

It's on RedHat Network, so you can use up2date. I did "up2date -u", which updated openssh, openssh-askpass, openssh-askpass-gnome, openssh-clients and openssh-server. You still have to do step 5 above, restarting the ssh server.

Re:GOOD!! Red Hat, fix your RPMs!!

[Kynde]

won't build on RH9... rh7.3 still compiling

Re:GOOD!! Red Hat, fix your RPMs!!

[RedHat+Rocky]

How to fix your RedHat box

And then prepare to do that for the rest of the life of your installation? I'd rather have a blessed Redhat rpm AND have them fix what they broke in the first place!

Note, many of us are using an ftp mirror with something like autorpm to manage a large number of boxen.

Re:GOOD!! Red Hat, fix your RPMs!!

[LordDartan]

Of course, if you don't have gtk2 installed, you'll soon find out that this won't work (as I just found out on an alpha running Redhat 7.2). In that case, just take the openssh.spec file from the source rpm, change it to not use gtk2 for the gnome-askpass part and then run rpm -ba openssh.spec (make sure you have a tarball of the latest openssh in the same directory).

Re:GOOD!! Red Hat, fix your RPMs!!

[Russ+Steffen]

For the record, the Red Hat packages released today to appear to address the bug you're referring to.

Re:GOOD!! Red Hat, fix your RPMs!!

RedHat
-you have done "rhn_register --nox", don't you
-run "up2date -u openssh"
And all dependencies are handled (did handle in my RHL 7.3 env.)

AC

Re:GOOD!! Red Hat, fix your RPMs!!

[JamieF]

1- get the RPM, which won't rebuild successfully because you don't have GTK 2 installed.
ncftpget ftp://ftp.easynet.be/openssh/portable/rpm/SRPMS/op enssh-3.7p1-1.src.rpm
(remove the stupid space that /. added to "openssh" in the above URL where it says "op enssh")

2- install the sources so you can edit the RPM spec file
rpm -ihv openssh-3.7p1-1.src.rpm

3- cd to where the spec file was installed
cd /usr/src/redhat/SPECS/

4- patch the spec file so that it doesn't depend on GTK 2 anymore. (Or just manually change the 1 on line 24 to a 0.)
patch EOF
--- openssh.spec-orig Wed Sep 17 15:08:44 2003
+++ openssh.spec Wed Sep 17 15:39:04 2003
@@ -20,8 +20,8 @@
# Do we want smartcard support (1=yes 0=no)
%define scard 0

-# Use GTK2 instead of GNOME in gnome-ssh-askpass
-%define gtk2 1
+# Use GNOME instead of GTK2 in gnome-ssh-askpass
+%define gtk2 0

# Is this build for RHL 6.x?
%define build6x 0
EOF

5- build the SRPM with the new spec file. (It will appear in /usr/src/redhat/SRPMS so you might want to make sure the original isn't also in there.)
rpm -bs openssh.spec

OK, now you can rebuild and install the SRPM... which is the part that failed before.

6- rebuild the binary RPM (This takes 3 1/2 minutes on my PIII-500 box)
rpm --rebuild /usr/src/redhat/SRPMS/openssh-3.7p1-1.src.rpm

7- Check the last few lines of output. Hopefully about 15 lines from the end, it says:
Wrote: /usr/src/redhat/RPMS/i386/openssh-3.7p1-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/openssh-clients-3.7p1-1. i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/openssh-server-3.7p1-1.i 386.rpm
Wrote: /usr/src/redhat/RPMS/i386/openssh-askpass-3.7p1-1. i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/openssh-askpass-gnome-3. 7p1-1.i386.rpm

Now you have binary RPMs that you can install. If this failed, you have some other problem to fix.

8- "Freshen" OpenSSH on your system using the binary RPM you just made
cd /usr/src/redhat/RPMS/i386/
rpm -Fvh openssh-3.7p1-1.i386.rpm openssh-askpass-3.7p1-1.i386.rpm \
openssh-askpass-gnome-3.7p1-1.i386.rpm openssh-clients-3.7p1-1.i386.rpm \
openssh-server-3.7p1-1.i386.rpm

9- [Re]start sshd /etc/rc.d/init.d/sshd restart

10 - Raise arms above head and shout "Woo hoo!"

11- Undo any temporary measures (firewall rule changes) that you put in place to keep from getting 0wn3d :)

Deja Vu - June 2002

[vasqzr]

SSH brings down the house....again

I haven't noticed any scanning or anything going on here at work, but I'm disabling SSH for now...

I saw this exploit used

[teamhasnoi]

I was at the local library, and some kids were on a computer, talking loudly. They seemed to be rather excited about something.

A librarian peeked around the corner to see where the noise was coming from, then put her finger to her lips and said, "Ssh!"

The kids ignored her and kept talking, completely and utterly exploiting the hole, and circumventing the 'Ssh'!

Never was I so frightened.

Re:I saw this exploit used

LOL! Certainly made my day.

Re:I saw this exploit used

Exploiting who's hole?

The lengths some people will goto..

The lengths some people will goto...

You mean they're doing it in Basic?!!

Re:The lengths some people will goto..

[emandavis517]

No they're using FORTRAN

quick fix for debian

% apt-get source ssh
% cd openssh-3.6.1p2 # this in unstable, might be a different version in testing/stable
% wget --user-agent="mozilla" -O - \
'http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/ openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h&f= u' | \
patch -p3
% fakeroot debian/rules binary
% cd ..

And you should have new packages ready to be installed..

Re:quick fix for debian

[edwdig]

A fix is already in stable.

Re:quick fix for debian

The grandparent is still useful for those who are on unstable or testing. Unstable/testing uses the 3.6.1 openssh version, while stable is at the 3.4. By using the fix available on security.debian.org, you're effectively downgrading openssh.

Typical!

[Luguber123]

Just when I spent all day setting up password less authentication I have to revert to ..

Re:Typical!

[arkane1234]

I've upgraded (Gentoo and Redhat, 2 different sites) and the authentication was alright.
I use authentication keys on both sites.

But later than mainstream politics

[devphil]

You're correct; this is often more noise than signal. But /. is simply following the major media in this respect. How many times have you seen a headline like, " To Announce ," where the body largely consists of a pre-announcement of the announcement?

Update for debian

[Oestergaard]

An updated ssh package just hit the Debian security mirrors.

For anyone running debian stable:
apt-get update
apt-get upgrade

Re:Update for debian

[chrysrobyn]

An updated ssh package just hit the Debian security mirrors.

Can you share what version is fixed for the Debian folks? I did my apt-get update&&apt-get install ssh and came back with ssh 1:3.4p1-1, but I don't know how recent this is, or if I got a bad mirror or...

Re:Update for debian

[garcia]

I have OpenSSH 3.6pwhatever and the debian security mirrors in my sources.list and there is no update available at this time from what I can see.

Re:Update for debian

[ZarfMouse]

openssh (1:3.4p1-1.1) stable-security; urgency=high

* NMU by the security team.
* Merge patch from OpenBSD to fix a security problem in buffer handling

-- Wichert Akkerman Tue, 16 Sep 2003 13:06:31 +0200

Re:Update for debian

[bartman]

Debian is absolutely amazing.

bug 211205, which deals with this expoit, was resolved in 2h after the announcement. I had my box patched 15min after the slashdot story hit.

Really good stuff.

Re:Update for debian

for those of us that aren't 10 years behind the times and aren't running Debian stable, there is no patch available *yet*.

Re:Update for debian

[ThogScully]

I just downloaded 1:3.4p1-1.1 on my servers.
-N

Re:Update for debian

[bartman]

openssh_3.4p1-1.1 is the one you want. Check the patch... openssh_3.4p1-1.1.diff.gz

Re:Update for debian

[Minna+Kirai]

openssh (1:3.4p1-1) testing; urgency=high

* thanks to the security team for their work
* no thanks to ISS/Theo de Raadt for their handling of these bugs

-- Matthew Vernon Fri, 28 Jun 2002 17:20:59 +0100

Re:Update for debian

[John+Hasler]

There are no Debian security mirrors.

(There may be some unofficial ones but you'd be an idiot to use them).

Re:Update for debian

[Oestergaard]

It seems that you are right... Just one box. Impressive.

It's impressive in more ways than that - a quick nmap run shows that it has *heaps* of services running, freely available from the net. Among them, postgres, (some) named and SSH.

Apart from the single-point-of-failure problem, why on earth are we running updates from a machine with more holes than a swiss cheese?

Wouldn't it be pretty simple to find an exploit in one of the many services (I bet postgresql will have an overflow or two, having it available from the net is insane to put it mildly), upload a new backdoor'ed SSH package and, say, post a story to slashdot about an SSH hole?

(Yes it does seem that this particular SSH exploit is legitimate, because of references from other sites - the above was just an example).

Just a snippet from the nmap run

21/tcp open ftp
22/tcp open ssh
53/tcp open domain
79/tcp open finger
80/tcp open http
113/tcp open auth
487/tcp open saft
873/tcp open rsync
5432/tcp open postgres

Re:Update for debian

[vicviper]

<AOL> Me too! </AOL>

Situations like this are why I like^W love using debian. Now only if that ptrace thing had been fixed sooner (by an official debian package...)

Re:Update for debian

[Ambassador+Kosh]

Actually there is. http://incoming.debian.org Whenever there is a security exploit the odds are the fix is already in incoming right away. Otherwise that should go into sid in about 6 hours I think.

For i386 the exact link is http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.de b

Re:Update for debian

[jbgeorge]

FYI: deb http://security.debian.org/ stable/updates main contrib non-free or deb http://security.debian.org/ woody/updates main contrib non-free should be in your /etc/apt/sources.list

Re: Update for debian

[er_col]

Not in unstable as of 12:30 PM.

Re:Update for debian

Most of these are pretty defensible, given what the box does. Curious about postgres though.

Re: Update for debian

> Not in unstable as of 12:30 PM.

Try in incoming.

Re:Update for debian

[RedHat+Rocky]

Just because a port is open, that does not mean an actual app is there to exploit.

For example, I like to run portsentry. It opens all kinds of ports; any connection to one of those ports results in that IP being DROPPED by iptables.

One could (SHOULD) be running tcpwrappers with openssh, which would also be the proper protection for this ssh problem. And who says the machine doesn't already have the patch that it HOSTS?

Re:Update for debian

[Oestergaard]

What? No!

vsftpd is defensible, given that it's an FTP server. And that's it.

Why do *I* need SSH, finger, DNS, PostgreSQL, ..., services from that machine? I don't!

If you telnet to a known postgresql server and send it 'asdf', it will reply with 'EFATAL 1: invalid length of startup packet'. When you telnet to security.debian.org on it's postgresql port, it responds with exactly the same message.

So, to answer the other poster: it pretty much looks like a postgresql server - and it sure didn't firewall me away.

Re:Update for debian

[Syberghost]

Just because a port is open, that does not mean an actual app is there to exploit.

Welcome to two stories ago.

Re: Update for debian

[Syberghost]

Not in unstable as of 12:30 PM.

apt-cache policy ssh
ssh:
Installed: 1:3.6.1p2-6
Candidate: 1:3.6.1p2-6

Get a better mirror.

Re: Update for debian

[er_col]

Installed: 1:3.6.1p2-6
Candidate: 1:3.6.1p2-6

I don't think this is the fixed version though.

Re:Update for debian

[asdfghjklqwertyuiop]

Why is it still marked outstanding (1:08PM EDT)?

Re: Update for debian

[Syberghost]

I don't think this is the fixed version though.

it is.

Re: Update for debian

[Syberghost]

Grrr. It is not. Maybe. Damn thing is unclear.

Time to go look at the fscking source.

Re: Update for debian

[Syberghost]

You're right, I just checked the source, and it isn't.

My bad. Sorry.

Re:Update for debian

[rectanus]

Better yet, this will fix stable as well as 'downgrade' your testing/unstable to stable, patched until testing/unstable has it...

apt-get update
apt-get install ssh/stable

Assuming you have /etc/apt/sources.list correct:

deb http://security.debian.org/ stable/updates main

You should still firewall if possible.

-Brian

Re:Update for debian

[bartman]

probably because the DSA was not drafted yet.

but the packages are in the security deb pool, and more importantly available through apt.

Re:Update for debian

[asdfghjklqwertyuiop]

Yeah, I noticed an ssh upgrade was released, but the bug still was marked outstanding on the webpage, so I didn't trust it. Is 'ssh 1:3.4p1-1' the fixed package?

Re:Update for debian

[bartman]

yes it does. I looked over the debdiff... but why would you trust me. check for yourself.

Re:Update for debian

[dmorelli]

I think 1:3.6.1p2-6 is the fixed one, according to the bug log at the top of this thread and also what happened on one of my systems (that's got unstable).

I think this is still open because testing/unstable is patched but stable isn't getting it yet, I have another system that's based on stable and is still at 1:3.4p1-1

I'm just guessing based on what happened during apt-get install just now. Somebody correct me if this is wrong.

Re:Update for debian

[dietz]

Somebody correct me if this is wrong.

That's wrong. Stable is patched, if you're using the security apt lines.

deb http://security.debian.org/ stable/updates main contrib non-free

1:3.4.1p1-1.1 is the patched version.

openssh (1:3.4p1-1.1) stable-security; urgency=high

* NMU by the security team.
* Merge patch from OpenBSD to fix a security problem in buffer handling

-- Wichert Akkerman <wakkerma@debian.org> Tue, 16 Sep 2003 13:06:31 +0200

Re:Update for debian

[dmorelli]

Thank you! I should have read the docs before I posted.

Re:Update for debian

[Geertn]

Unstable is also fixed, the fixed version is: ssh_3.6.1p2-6.0_i386.deb You can download the fixed version from: http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.de b

Re:Update for debian

[Nevyn]

Debian is absolutely amazing.

bug 211205, which deals with this expoit, was resolved in 2h after the announcement. I had my box patched 15min after the slashdot story hit.

Yeh, just a pity about the exim exploit that took a couple of weeks for them to fix.

Re:Update for debian

[MattW]

Even on a far more secure box, you'd be a fool to trust the package. It will be assembled off the server, however, and signed by a maintainer. So don't trust the package -- trust the maintainer sig. Which means you need the key way ahead of time, so you know the key wasn't just replaced along with the package.

Re:Update for debian

[Cecil]

I'm not sure why debian doesn't use postfix by default. Is the license too free for them?

In all my experience, qmail is the most featureful (but tremendously frustrating, and the license sucks), postfix is almost as featureful, very simple to configure, use, and maintain, and has a great license. exim is last place. Well, unless you consider sendmail which I wouldn't touch with a ten foot pole.

Re:Update for debian

[cjwatson]

1:3.6.1p2-6 is *not* fixed; you need 1:3.6.1p2-6.0 or 1:3.6.1p2-7 for unstable. A fix will be released for testing shortly too (since upgrades to testing are currently largely stalled due to glibc 2.3.2).

Re: Update for debian

[cjwatson]

Updates to unstable only happen once a day. Even if they happened more quickly on the master server, the mirrors only sync once a day anyway. Unstable was fixed in the first daily update following the announcement.

Re:Update for debian

[krmt]

Historical reasons, apparently. When exim was chosen as the default MTA for Debian, postfix's license was in review and it wasn't sure as to whether or not it satisfied the DFSG. There was a discussion about changing the default MTA for the next release (here is the thread) but no real progress was made. exim4 seems like it'll be a perfectly fine choice, especially since no truly compelling argument could be made to switch, as much as I'd root for postfix myself.

Re:Update for debian

[Smoking]

Apart from the single-point-of-failure problem, why on earth are we running updates from a machine with more holes than a swiss cheese?

As a swiss citizen, I cannot accept this kind of insult to our good products. A swiss cheese has far less holes than that, and moreover, I have yet to see a Postgres version for Gruyeres or Emmental...

Q

C and security... again

Remind me why the most security critical part of ssh is written in C again... shouldn't a supposedly security conscious group be using a more suitable language?

Re:C and security... again

[twistedcubic]

Actually, it's written in Java. However when people discuss the code, they translate it to C because most people can speak C. It's kinda like Latin, ya know.

Re:C and security... again

Yes I cant fathom that myself.. It's unbelievable that a group of people which claims to take security seriously would rely on "careful coding" instead of making most of the bugs impossible.

And oCaMl is fast enough too..

Debian patch available

[Stephen+Williams]

A patch for Debian stable is available already. If you're running Debian on a server and have ssh installed, "apt-get update; apt-get upgrade" should pick it up. The new package version is 1:3.4p1-1.1.

-Stephen

Re:Debian patch available

[twistedcubic]

A new version is already available from the obenbsd.org site: openssh-3.7p1.tar.gz

Re:Debian patch available

[gomoX]

Aaah i just cant help it:

1) ssh server
2) apt-get update && apt-get upgrade
3) Do you want to continue? [Y/n] y
Get:1 http://security.debian.org stable/updates/main ssh 1:3.4p1-1.1 [642kB]
4) minimize xterm to see the nice pink vortex in the desktop background (in other terms, PROFIT!!)

Oh come on Taco....

[greymond]

"In the last few hours there have been several reports of a M$ bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Billy Gate's pride."

See how easy it is - that should be a -1 flamebait topic on your post.

Now that thats over with I belive (read: may be mistaken) but the latest version from www.openssh.com addresses that issue. But it could just be a similar issue and i'm reading it wrong. If I am enlighten me.

Debian's already got the patch.

[cbiltcliffe]

I'm installing it as we speak on all my Woody machines.

apt-get update
apt-get upgrade

Re:Debian's already got the patch.

[Bombcar]

I'm installing it as we speak on all my Woody....

apt-get up....

apt-get up....

Sorry, but that just sounds real bad....

tip

hi! if your not sure the box you are trying to root was patched, just use the new nmap version detection system! :P

facts from fiction: its not even clear if its...

... exploitable

http://lists.suse.com/archive/suse-security/2003-S ep/0127.html

get your things straighten out first, befor posting bullocks and fud out on such a huge site as slashdot, where all them morons dont think for themselves and are about to start a panic in the sight of a supposedly ssh exploit...

jeeezuz, the nerds and morons used to have way higher IQs in the past than today....

Mirror for mailing lists

[Doodhwala]

... can be found here http://archives.neohapsis.com/archives/fulldisclos ure/2003-q3/

Re:Mirror for mailing lists

or here

http://lists.virus.org/full-disclosure-0309/

Well.. looks like someone goofed

[Dysan2k]

'least it's already fixed in the newest version. Considering this is the first incident I've seen since SSHv1, that's saying something. If M$ were doing this well, I'd be using it with FAR less cussing.

Oh, the day we finally have a full, well-rounded DirectX-type lib for Linux/Mac/Win32 will be a great day indeed. Then I can totally blow 2k off my box and just be happy and stable. SDL is nice, but I've heard FAR too many poeple complain about it.

Well, let's get SSHd fixes out and move on.

Re:Crazy slashbot

Microsoft holes demonstrate the inferiority of closed-source commercial software.

Open source software holes demonstrate the ability of the community to provide superior service by patching holes quicker than Microsoft does.

Now do you understand?

like suffering of thers? (Re:deceit)

Do you take pleasure in others' suffering?

OpenBSD has one of the best track records out there. Seems to be that they're held to a different standard than other OSes/distributions (which in a way can be considered a compliment).

Yes, Theo is a bit over the top at times, but you have to admit he does a certain right to, given OpenBSD's track record.

Re:like suffering of thers? (Re:deceit)

Yes, but the question was; Is it deserved? Or it is "Common Knowledge" which means nothing?

OpenBSD is used SO LITTLE that it mainly stays under the radar. Little exploits come and go and no one notices.

Anyone that claims their software is "secure" just hasn't had their software looked at hard wnough.

Re:like suffering of thers? (Re:deceit)

[rifter]

Yes, but the question was; Is it deserved? Or it is "Common Knowledge" which means nothing?

OpenBSD is used SO LITTLE that it mainly stays under the radar. Little exploits come and go and no one notices.

Anyone that claims their software is "secure" just hasn't had their software looked at hard wnough.

Prehaps. But consider the act that security is their greatest feature, and out-of-the-box security is a design goal from the beginning. IMHO this shoudl be the case with all software, no matter how trivial. But the simple fact is that it is not. In fact, bad coding techniques are taught in universities and reinforced on the job. I can't name a single other product that is given the kind of security auditing OpenBSD undergoes. Can you?

This is dangerous, go upgrade.

[andreas]

I've look at the code, and can confirm that there is a heap overrun bug there. How to exploit it is a little unclear, but rumors are that an exploit exists. If you want to see for yourself, follow what happens in buffer_append_space(), when fatal() is called, and then packet_free() due to that.

Personally, I have upgraded all my systems to lsh. The code looks much more trustworthy, and I'm sick of upgrading every few months.

Re:This is dangerous, go upgrade.

[realdpk]

That doesn't sound like a very good idea:

ftp://ftp.lysator.liu.se/pub/security/lsh/README

lsh is far from finished; don't expect these snapshots to compile or work, and even if they appear to work, beware that lsh currently does *NOT* provide any security at all.

but I could be wrong.

Re:This is dangerous, go upgrade.

[andreas]

Yes, that might be what the README says, but the quality of code I've looked at speaks another language. I trust Niels Moller more than I trust Theo de Raadt. Besides, SPKI is a good idea too.

Of course, I'd feel even better if it was entirely written in a language not equal to C. But Niels goes great lengths to avoid many of the C problems, and other than OpenSSH started with clean code from scratch.

Re:This is dangerous, go upgrade.

[andreas]

I've just looked, that README is from 1998! A lot has happened since then, and the up-to-date documentation, as well as the README that comes with the source, don't have a warning anymore.

So, don't let five year old documentation scare you.

Re:This is dangerous, go upgrade.

[realdpk]

Heh, I'll read whatever documentation is available to advise me on what software I should and shouldn't use. Given that most security problems are with people rather than software, I don't think it's unreasonable to expect documentation to be kept in sync with software.

I know this isn't a man page or anything, but it's also not confidence-inspiring.

Re:This is dangerous, go upgrade.

[andreas]

The official documentation is here. It's well up-to-date and in sync with the software. So is the README in the tarball.

So the existence of an old README on the FTP server might be an oversight, but is no indication of missing or wrong documentation.

And I find the performance of OpenSSH much more worrysome.

Re:This is dangerous, go upgrade.

[JoeBuck]

You have done something stupid. You've installed a broken, inferior implementation of ssh (namely lsh), rather than installing OpenSSH 3.7. Given the lack of maturity of lsh, there is no particular reason to expect that it doesn't have security holes. And the only reason people know about the heap overrun bug is because the OpenSSH team released a fix.

lsh is not an "upgrade".

Re:This is dangerous, go upgrade.

[andreas]

Do you have *any* indication that lsh is broken or inferior, other than a five year old README?

I have taken a look at the source. I like the approach of the author a lot, the code looks solid, the version number is well above 1.0. It's not immature software.

I cannot stress enough that lsh is re-written from the grounds up, using a single buffer handling API everywhere. If you *have* to use C, this is the way to go. Also, it does garbage collection, avoiding all double free bugs.

Besides, we know about the bug because people have observed exploits happening in the wild. The release of the fix was just a reaction.

That's about the third time that OpenSSH has a critical bug, leaving *all* my machines vulnerable. It can't be worse with lsh, and I actually believe it to be much better.

lsh definitely is an alternative these days.

Re:This is dangerous, go upgrade.

[jkc120]

An exploit _does_ exist, as people have stated already that they've successfully exploited OpenBSD machines.

I personally would like to find it to make sure my patch'd buffer.c in the debian/unstable package worked, until such time that they get that into unstable/testing.

troll

[dodell]

How did this get modded up? What 'more suitable language'-based operating system do you use?

On suspiciois patch

[velco]

Some people pointed at this

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto /o penssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h

though I cannot see how it can be a vulnerability.

~velco

Re:On suspiciois patch

buffer is inconsistent with regard to the length (alloc) when calling fatal(). fatal() calls cleanup handlers which then free buffers, at least one of them might be inconsistent.

Re:On suspiciois patch

[johnnyb]

In the problematic code, the buffer structure contained the incorrect size for the allocated space. Since this structure is not freed, I assume it's used for something later (unless fatal() simply logs the error and calls exit()). Therefore, in future accesses, this buffer will contain the incorrect size of it's contents. This lead to a buffer overrun.

In the new code, the new buffer size is calculated in a separate variable, which is not assigned to the buffer structure until _after_ it is confirmed valid.

Re:On suspiciois patch

[velco]

Thanks, I can see that much. I can also see the buffer overrun in ``buffer_free()''. What I can't see is the *exploit*, resulting from overwriting the heap with zeroes. ~velco

OpenSSH is big and fat

[yanestra]

OpenSSH has grown fat over the years, while more and more functionality was integrated, but existing features were kept - for compatibility reasons, and for convenience.
Now we have a big and fat tool that can do nearly everything, but you can go out for bug hunting; there are probably many of them in there.
It would have been a better idea to do a small diet and dis-integrate functions into different tools - like the classic *nix philosophy would suggest.

Re:OpenSSH is big and fat

[vesamies]

More importantly, services like ssh should be implemented in Java or some other language in which errors in "buffer management" don't happen so often.

Re:OpenSSH is big and fat

[Tuck]

A significant number of changes in 3.7 are removals (Kerberos 4, Kerberos5 in SSH1, AFS, Rhosts auth). Most people agree that simplicity is a wonderful goal... until that means the dropping (or not including) the feature they need or want. Then simplicity versus functionality versus security becomes a balancing act.

To put the size comment in perspective (this is 3.7p1 on Linux/x86):
$ du -ks /usr/local/sbin/sshd /usr/local/bin/ssh
272 /usr/local/sbin/sshd
224 /usr/local/bin/ssh

Re:OpenSSH is big and fat

[yanestra]

More importantly, services like ssh should be implemented in Java or some other language in which errors in "buffer management" don't happen so often.

Since ssh is a system administrator's tool, nobody would like to install a big bloaty jre (with its own bugs and its own desire to be updated in a regular way) before a system can be administered.
I mean, if you have a program which is too complicated to be debugged, it's not a good idea to add another program which is much too complicated to debugged, in the hope that both together will fix each other's bugs...

Re:OpenSSH is big and fat

[retro128]

Sounds like the BIND syndrome, doesn't it?

Re:OpenSSH is big and fat

[(void*)]

What you are demanding, is a formal proof that the system is invulnerable to buffer exploits. If you are asking for less, then it is a half-measure that accomplishes nothing.

Re:OpenSSH is big and fat

[maynard]

Most people agree that simplicity is a wonderful goal... until that means the dropping (or not including) the feature they need or want.M

Yeah, like me - who has over 200 desktop clients that need the AFS support. ARRRGH!! --M

Re:OpenSSH is big and fat

[arth1]

More importantly, services like ssh should be implemented in Java or some other language in which errors in "buffer management" don't happen so often.

You're trolling, right? In case you aren't, very few system administrators would want that. Java adds another layer (two, actually), with its own potential problems, and makes it even bigger and fatter, and a real nightmare to troubleshoot at low levels.
Making essential tools small, fast, elegant and toolbox-oriented is what eases system administration and reduces security problems.
Java doesn't fit into that in ANY way. It's great for user level programs that can be run in already managed environments, but must never be allowed to take part of the management itself.

Regards,
--
*Art

Re:OpenSSH is big and fat

[Etcetera]

More importantly, services like ssh should be implemented in Java or some other language in which errors in "buffer management" don't happen so often.

How about re-implimenting it in Perl, which doesn't generally have problems like this (from the code perspective -- but Perl itself is well-tested).

Hmm... *checks CPAN*...

Re:OpenSSH is big and fat

[I_redwolf]

No, BIND was just a piece of shit from the start.

First Rule Of Secure Operating System

[defile]

Ensure that your benevolent dictator's ego isn't writing checks that you can't cash.

Theo's "Pride"

[perry]

This has little to do with Theo's "pride". If there are exploitable bugs in OpenSSH, they have to be found and fixed, and "pride" has nothing to do with it. I'm sure people would search for bugs in a program as critical as ssh whether or not Theo had any involvement.

What I am most upset about is that Theo has not seen fit to send out any sort of official announcement to the various operating system vendor security teams -- or to anyone else -- even though an apparently simple patch is available and could be distributed.

Re:Theo's "Pride"

[twistedcubic]

What I am most upset about is that Theo has not seen fit to send out any sort of official announcement to the various operating system vendor security teams -- or to anyone else

This isn't true.

Re:Theo's "Pride"

[perry]

I'm on a couple of the lists that should have been informed. As one example, NetBSD's security officer has received no information from the openssh team at all. I'm unaware of other groups having received official word.

If you are aware of a security team that was informed officially, I'd be interested to hear about it.

Re:Theo's "Pride"

[Dr.+Photo]

I'm on a couple of the lists that should have been informed. As one example, NetBSD's security officer has received no information from the openssh team at all. I'm unaware of other groups having received official word.

In your netbsd prompt type ssh -V. It's probably using ssh 3.4, not 3.6, assuming you're using the core system's ssh (Not the pkgsrc one). You should be unaffected by this hole.

For Gentoo

[jehreg]

Just go to your net-misc/openssh directory:

• cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
• emerge --update openssh

The emerge will fetch the file and complain that there is no digest.

• ebuild openssh-3.7_p1.ebuild digest
• emerge --update openssh

Just tested it here, worked fine.
Pat

Re:For Gentoo

[Spunk]

Doesn't that just use 3.6.1_p2 and pretend it's 3.7_p1? That wouldn't solve the security problem.

I'm new to Gentoo, so I could be missing something.

Re:For Gentoo

[Synn]

No it does not just pretend.

It renames the gentoo ebuild, which uses it's own name to figure out what to fetch and install.

So basically a 3.7_p1 named ebuild goes out and fetches the new 3.7 openssh package, compiles it and installs it.

Re:For Gentoo

If you want to get slick and not step on your portage tree, you can use the PORTDIR_OVERLAY directive in your /etc/make.conf and put your file in /usr/local/portage/net-misc/openssh

The original post works just fine as well.

Re:For Gentoo

[drinkypoo]

I just (1042 hours PST) did an emerge sync and there is an ebuild for openssh-3.7_p1. When I did an emerge -up openssh it said it would build nothing, so it's not masked as something to build right now I guess, but of course you can ebuild merge it, or emerge it, manually.

Re:For Gentoo

[Edward+Faulkner]

It appears that 3.7p1 is now in portage, so you can just emerge sync; emerge -u openssh

Re:For Gentoo

[jehreg]

Well, sure, 3 hours later....

What was I supposed to do during those 3 hours? Wait? :-)
Pat

Re:For Gentoo

The guy is just posting an entirely valid comment about how to apply this patch on Gentoo, and then someone fires off his attempt-to-+5-beating-the-dead-horse and actually gets mod'ed up?

I think I have a good sense of humor, but this is just ridiculous, maybe I would have found it funny (despite the fact I have read this thing a million times) if the parent poster showed just a bit of zealotry, but this is just sad.

Re:For Gentoo

It's in portage already as of 1pm, so you just need to emerge sync and emerge -U openssh.

Re:For Gentoo

[antiMStroll]

The update is in the Portage tree so if you 'emerge sync' beforehand these steps might not be neccessary. The servers are probably taking a hammering right now though, so for really critical systems it's an option. Shouldn't sshd be restarted too (from the shell prompt: /etc/init.d/sshd restart)?

Within minutes of seeing this story on the front page my home server was patched, pretty amazing when you consider the support system is a coalition of anonymous volunteers.

Re:For Gentoo

[arkane1234]

It's obvious this guy hasn't used Gentoo, so let's make fun of him :)

If he had, he'd know that half of the crap he posted is untrue. The other half is just crap people bring up to try to make Gentoo sound bad when it's usually user error.

Re:For Gentoo

[arkane1234]

The EBUILD name is taken as the argument for the actual tarball it's downloading.
It's not pretending.

Re:For Gentoo

[arkane1234]

Yeah, pretty much any services that are changed in Gentoo need to be manually restarted.

Re:For Gentoo

[Spunk]

That's very interesting, thank you.

Sadly, I failed at the compile stage. (I've been having various problems)

Re:For Gentoo

[Dalcius]

I'm sure someone beat me to it, but as of midnight CST, Wed morning, a new ebuild was in the portage tree.

I did an emerge sync; emerge world -u --deep;/etc/init.d/net.eth0 restart and in about a minute (on a semi-modest box) I was good to go. ccache is amazing. :D

Re:For Gentoo

[Handyman]

"I'm too stupid to understand that circular dependencies can be resolved by specifying BOTH .rpms together on the command line, and that problems hardly ever occur if one uses proper Red Hat packages instead of mixing SuSE, Mandrake and Joe's Linux packages together (which the system wasn't designed for)."

OK, but I don't think that's the dependency hell people usually talk about. The trouble with distros that don't use some APT-like tool is that you can't install certain RPMs unless you manually install all RPMs in the transitive closure of the requires-relationship starting at the RPM you want to install. Also, you must then manually upgrade any packages that don't work with the new version of whatever you're installing (and recursively so until everything checks out again). Yes, there is apt-rpm. But that isn't installed by default AFAIK, and without it Red Hat users are stuck in the tar pits of dependency hell.

OpenSSH 3.7 Release Announcement

[Tuck]

Rather than subject someone's server (like mine!) to a slashdotting, here's the full text of the announcement (slightly mangled to sneak past the lameness filter).

Subject: OpenSSH 3.7 released
Date: Tue, 16 Sep 2003 14:07:00 +0200
From: Markus Friedl
To: openssh-unix-dev _at_ mindrot.org

OpenSSH 3.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18

For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Security Changes:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

OpenSSH 3.7 fixes this bug.

Changes since OpenSSH 3.6.1:

* The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.

* Rhosts authentication has been removed in ssh(1) and sshd(8).

* Changes in Kerberos support:

- KerberosV password support now uses a file cache instead of a memory cache.

- KerberosIV and AFS support has been removed.

- KerberosV support has been removed from SSH protocol 1.

- KerberosV password authentication support remains for SSH protocols 1 and 2.

- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.

* Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order:

1. ssh-agent(1) keys that are found in the ssh_config(5) file
2. remaining ssh-agent(1) keys
3. keys that are only listed in the ssh_config(5) file

This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.

* SOCKS5 support has been added to the dynamic forwarding mode in ssh(1).

* Removed implementation barriers to operation of SSH over SCTP.

* sftp(1) client can now transfer files with quote characters in their filenames.

* Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed.

* Fix a number of memory leaks.

* Support for sending tty BREAK over SSH protocol 2.

* Workaround for other vendor bugs in KEX guess handling.

* Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).

* Automatic re-keying based on amount of data sent over connection.

* New AddressFamily option on client to select protocol to use (IPv4 or IPv6).

* Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2.

* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.

* Portable OpenSSH:

- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.

- PAM support may now be enabled/disabled at runtime using the UsePAM directive.

- Many improvements to the OpenSC smartcard support.

- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in t

Re:OpenSSH 3.7 Release Announcement

[higuita]

its just me or there isnt any reference to a big remote security hole being fixed?!

a thing like that should be the first of the list, not hidding inside (maybe) the "Fix a number of memory leaks."

Re:OpenSSH 3.7 Release Announcement

[higuita]

nope, its really just me needing to change lenses 8)

its really the first of the list, but i only checked the "changes since..."

Right...

[guinsu]

As opposed to the lengths people will go to to damage Microsoft? But that's ok, right?

Re:Right...

[festers]

You're comparing Theo to Microsoft?!? Jeeze, he already has a big enough ego, it doesn't need to be fed anymore. ;)

Re:Right...

[nicomachus]

Please read the security advisory itself: this is a bug for which no exploit is yet known and for which, quite possibly, no exploit is possible. From the SA: It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. So, no exploit now, perhaps none even possible.

Does anyone out there claim actually to have a working exploit?

Re:Right...

[White+Roses]

Damage Microsoft? Not even the federal government is able to damage Microsoft.

Re:Right...

Yep... your point?

Re:Right...

its a hellva lot easier to give a browser mangled GET requests than to do that you have to do to exploit the bug

Start with a port scan

[KalvinB]

See what ports are open and then research them to see what they are and if they need to be closed and if so, how to close them. You don't need to worry about SSH exploits if it's not running.

Ben

OpenSSH Security Advisory

[next_permutation]

An OpenSSH Security Advisory was just posted about this.

Pot = Kettle = Black

[gregarican]

Recalling recent security flaws ranging from malicious sendmail source code insertion to FSF FTP server root compromise I now read about OpenSSH holes.

Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.

Re:Pot = Kettle = Black

[The+Ape+With+No+Name]

Well, anti-M$ rants tend to be about their shitty OS. OpenSSH is one program among many and is not an OS. Your analogy is a bit faulty.

Notice the patch is there instantly and easily available (even for Newbies) unlike Windows patches which are announced and not integrated into their updating service until you are already fucked.

Re:Pot = Kettle = Black

Riiight... Suuure lisa.

Are you somehow saying there is no open bugs on any linux project at this point?

Most of the worms you see going hay wire on Ms machines have patches to avoid them that have been out for months. MONTHS.

shut up

Re:Pot = Kettle = Black

[drunk_as_in_beer]

Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.

Fair enough, but this goes for any OS: no ports should be open by default!!!

Re:Pot = Kettle = Black

[gregarican]

Exactly. The Blaster worm was "in the wild" in August, but the patch had been available since July. I can't think of any M$ vulnerabilities that have hit without there being an accompanying patch.

I am not touching myself while looking at a Bill Gates 8x10 glossy either. But I am realistic. M$ does have its scores of buffer overruns, developmental shortcomings, its corporate arrogance, and its anticompetitive practices. I'm just trying to put things into perspective since every time there's a M$ flaw announced there are countless Linux folks crowing about how that Linux is so bulletproof.

Not performing boundary checking when writing code is flat out bad code writing. Any student C programmer could tell you that.

Re:Pot = Kettle = Black

[johnnyb]

None of the rants assumed it couldn't happen.

The nature of _my_ rants at least, include the following:

* UNIX does better at risk minimization (i.e. - chroot jails, more services running as unprivileged users, using processes rather than threads, etc)

* UNIX vulnerabilities are published quickly, and hotfixes are available quickly. In this case, we have a _potential_ vulnerability patched before anyone knows of any way to exploit it. In addition, it made frontpage Slashdot - everyone agrees it's a big deal. This is different from the MS attitude of "sweep it into the next service pack and noone will know".

* I have the source code to the patches, so I can validate whether or not the fix does indeed fix the problem it proposes to, and whether there will be any other impact caused by the patch.

* The patch doesn't require me to reboot anything - I can patch a running system and keep on trucking. Kernel patches should be the only thing that needs a reboot (and, when HURD gets mainstream, we won't even need to then).

* The source code is open to allow more scrutiny. Having the source code available still gives Linux users fewer security-incidents-per-feature than Microsoft while keeping their source closed. Ballmer, I believe, said under oath that giving out the source code to Windows publicly would be a threat to national security.

Nothing about the release of an exploit for Linux changes any of these issues.

Re:Pot = Kettle = Black

[Bull999999]

Who says you have to run sendmail on *NIX? qmail works fine for me and there are other alternatives.

Re:Pot = Kettle = Black

[wintermute740]

No, no, no. The kettle is *grey*, or even gray, if you prefer! No one has said that open source is 100% secure. It's just more likely that there will be more timely patches, since the code is out in the open. No code is 100% secure if it's anything beyond trivial. And the blame is not the OS. It's the people who don't apply patches, whether they run Mac, Linux, BSDi, or MS is irrelevant.

Re:Pot = Kettle = Black

[gregarican]

Uhhhh, I don't know. Who did say that? I was just pointing out some core apps that have been around for awhile. I would think that sendmail and ssh are relatively common, widespread apps that are out there.

That's like a Microsoft Outlook Express vulnerability being announced. Choosing to use a different mail reader app would obviously negate any potential pitfalls.

Re:Pot = Kettle = Black

[Bull999999]

I think that some people chose to bash Windows while others bash Microsoft as whole. For example, slammer is not a Windows vulnerability but it is a Microsoft product vulnerability. So while it is not fair to bash Windows for slammer, it is fair to bash Microsoft for slammer (esp. for their patch that negated the earlier patch). I guess it is all about how you word it.

Re:Pot = Kettle = Black

[ReelOddeeo]

Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.

The MS rants are well deserved.

While your statement about security bugs can happen on any platform is technically correct, unintended bugs are not the only thing that causes security problems. Both MS and *NIX can have unintentional bugs, which lead to security problems. In this case, MS should not be blamed for "insecure" code.

Where the MS rants are well deserved is when a system is insecure by design. It may not have been a design goal, but the design can still be insecure. Just one past example: IIS runs under the SYSTEM account. It is installed by default and turned on by default. These kinds of problems deserve to be ranted about, and MS deserves the resulting reputation. Apache may or may not be installed and/or turned on by default, depending on distribution, but even if it could be compromised, it runs as "nobody" or "wwwrun" or some other unprivileged account.

Re:Pot = Kettle = Black

[gregarican]

Agreed. Accidental coding flaws are one thing and poor design is indeed another. Running unnecessary services by default is an issue. And running these services with root (or administrator as the case may be) rights is a huge issue.

I recall back when IIS 4.0 first came out. You could just Google part of the default IIS home page in quotes as the search string. You'd get results pages with hundreds of new IIS boxes on the 'Net likely with nothing locked down.

I think that the design portion of M$ software is starting to get there (note that Windoze 2003 Server is at least a little more locked down by default). Of course the RPC flaws are still in the code, going from NT 4.0 all the way to include Win2K3.

I will admit that the *NIX platform and apps are inherently more secure since a lot of the code is open source, has lots of reviewing eyes, and patches come about quickly. But nevertheless it's not as secure as folks crow about.

Re:Pot = Kettle = Black

[Overly+Critical+Guy]

This is different from the MS attitude of "sweep it into the next service pack and noone will know".

Name a single example.

Heck, Blaster was patched months before.

Re:Pot = Kettle = Black

and, when HURD gets mainstream,

I understand HURD will be the first platform for Duke Nukem Forever.

Re:Pot = Kettle = Black

[johnnyb]

http://support.microsoft.com/default.aspx?scid=kb; en-us;328940

This was fixed in WinXP SP1. However, Microsoft didn't release information about the fix until a month afterwards after pressure from Steve Gibson. They fixed the problem, but swept it into a service pack and didn't identify the exposure. It is listed in the SP1a list, but it is dated past the SP1 date, even though that is when it was included.

Re:Pot = Kettle = Black

Ahhh, the quintessential open source FUD post. Let us dissasemble it.

Well, anti-M$ rants tend to be about their shitty OS.

Au contraire mon. "Shitty" as in somebody managed to break the NT security model? And then actually exploit it? Got a link to that? Or maybe you're referring to...

OpenSSH is one program among many and is not an OS.

... IIS? Outlook? Outlook Express? RPC?

Your analogy is a bit faulty.

Give the man a cee-gar!

Notice the patch is there instantly and easily available (even for Newbies) unlike Windows patches which are announced and not integrated into their updating service until you are already fucked.

Well, let me see. Nimda? Patch available several weeks in advance, and on Windows Update. CodeRed? Ditto. Blaster? Yep. Slammer? Affirmative.

Unlike this particular one where the patch is made public along with several sysadmins who had been already 0wned. We hear about it on Slashbork once the thing is in the wild. I heard about the RPC hole about the same time Microsoft disclosed it, which, again, was about a month before the exploit made it to the wild.

Hey, perhaps Slashbork should pay more attention to the "unbreakable" and "completely secure" OS it eulogizes so much! A section with RMS in borg attire would be apropos, here, hmmm?

Now, do you feel stupid? Or more stupid? I'll stop now.

Re:Pot = Kettle = Black

IIS has not run under LocalSystem for years. IIS, since around IIS 3.0, defaulted to creating an unprivileged account, IUSR_xxx (where xxx = your machine name, typically), and running the actual web process under that account.

You CAN reconfigure IIS to run as LocalSystem... but why would you ever want to?

Re:Pot = Kettle = Black

Ahhh, the quintessential microsoft FUD post. Let us dissasemble it.

>Au contraire mon. "Shitty" as in somebody managed to break the NT security model? And then actually exploit it? Got a link to that?

mon ami, remember the WM_TIMER bug that MS denied until patching in something like xp sp1? exploitable on out-of-the-box installs? also, one of their arguments for not going full-shared-source was that it would reveal the security problems of the messaging system. go figure ... and don't talk too high of the NT security model - even w2k, secure and all, can be dos by BSoD - it's just harder than on w9x.

>... IIS? Outlook? Outlook Express? RPC? ... and you blew it in the end! rpc IS part of the OS, as is com/dcom/dcom+. so, come again about how secure nt is?

>Well, let me see. Nimda? Patch available several weeks in advance, and on Windows Update. CodeRed? Ditto. Blaster? Yep. Slammer? Affirmative.

ok, leaving aside the issue of users not patching simply because d-loading tens of megs of patches from ms every other day is expensive to some ... even ms admitted that for slammer the sql patch was a really convoluted issue that went wrong more often than not. remember, those were production machines, you can't afford to screw them up with crappy patches. and blaster? ever heard of this specific patch actually failing to install although reporting itself as completed? gee ...

>I heard about the RPC hole about the same time Microsoft disclosed it, which, again, was about a month before the exploit made it to the wild.

here, have a cigar ... better yet the whole pack :D smoke it, relax and remember that in your pretty little ms world all there is is all you hear from ms. they say no security issue? you're safe. they say no exploit? why worry then? smile and paint the world pink. at least we know that if you ever found a hole you'd release the most obvious type of exploit so that ms stands no chance of not noticing ... and you'll definitely target dumb users, servers and big companies are for lamers.

>Now, do you feel stupid? Or more stupid? I'll stop now.

I rest my case.

Re:Pot = Kettle = Black

mon ami, remember the WM_TIMER

HAHAH! Check your history and what it took to actually exploit that.

and don't talk too high of the NT security model

Show me a link with proof that it was broken, kthx. Blue screen? WTF does that have to do with anything?

ok, leaving aside the issue of users not patching simply because

That's nice, but your perceptions are just that, perceptions. I've never had a patch go belly up on me. And if you're a user without broadband what does it matter what OS you're running? Like that's a valid argument? Do you use RedHat? Have you measured how many megabytes per advisory per month you'd have to download to keep current? How many vulnerabilities in the 3000+ packages tracked by Debian in the past six months again? How many MB was that?

and you blew it in the end! rpc IS part of the OS, as is com/dcom/dcom+.

It's painfully obvious you don't understand how Windows works, so you should have stopped there. RPC is just a service. You can shut it down. If you need it and it has a hole, you patch it. Or you use a firewall. Just like... ssh. Or anything else. And WTF is "DCOM+"?

that in your pretty little ms world

Yeah, it's all a conspiracy by the "evil M$". But anyway, show me the advisory on this hole/exploit dated one month ago. In my "pretty little world" that's when we get 'em. Thanks!

Re:Pot = Kettle = Black

when HURD gets mainstream, we won't even need to then

Nitpick, but you do realize that Hurd development is going nowhere? IIRC they have trouble just getting enough core developers. There's little Hurd can do in practice that can't be achieved (or has already been achieved) by incremental changes to Linux. I don't see a mass movement to Hurd, ever.

Coincidence, Or...

[4of12]

So I hear about this ssh exploit the exact same day that my inbox has Markus Friedl's announcement of the release of OpenSSH 3.7.

Either someone on the ssh team is making money from new releases or some black hat, upon downloading 3.7 and seeing the exploit fixed, decided to strike while the iron was still hot (machines weren't yet upgraded).

Re:Coincidence, Or...

[s.d.]

Why the conspiracy theory? Why isn't it possible that the bug had been identified, the developers decided it was enough of a reason to push a new release, and when the new release is pushed, with the reason being b/c of a bug that may or may not be exploitable. Then unsubstantiated rumors of exploits start floating around b/c of this.

There isn't a grand conspiracy. It's just how people work. I person says something like, "So I heared that there is the possibility of an exploit due to a bug in OpenSSH they found." Someone overhears and turns around and tells the next person they see, "There's a hole in ssh that's exploitable!" and it takes off from there.

Re:Coincidence, Or...

[s.d.]

wow. i'd like to apologize for my spelling and grammar. that was pretty atrocious. way too little sleep lately. :)

Re:Coincidence, Or...

If it were Microsoft, the tinfoil brigade would be in full force and you wouldn't be protesting.

Obligatory programming joke

[worst_name_ever]

The lengths some people will goto

Remember to use long jumps if you want to goto more than 255 bytes of pride-damaging.

Re:Obligatory programming joke

ehum, isnt it 127+1?

Mirror of the vulnerability description

[Oestergaard]

To be found at:
http://unthought.net/ssh-vuln.html

Re:Mirror of the vulnerability description

[p3d0]

I don't see the bug. Does anyone understand what the problem is in this code? Is it some kind of race condition?

Whatever it is, I can certainly see why it was missed.

Re:Mirror of the vulnerability description

[coyul]

The bug must center around this line:

/* Increase the size of the buffer and retry. */
buffer->alloc += len + 32768;

It looks like the problem here is that buffer->alloc (which presumably stores the size of the buffer) grows on every try, while the actual size of the buffer grows only on successful tries. So you could have a situation where, after a couple of tries, the buffer is 65536, but buffer->alloc is 98304. This could potentially cause another part of the program to run past the actual end of the buffer.

The patch addresses this by only updating buffer->alloc after the new memory has been successfully allocated.

Re:Mirror of the vulnerability description

[defile]

This could potentially cause another part of the program to run past the actual end of the buffer.

But if the allocation fails, even though it has recorded an incorrect buffer size, the program immediately calls fatal().

How is this exploitable? Does the program somehow magically use the buffer in the background between the time that it's determined the allocation has failed and it has called exit?

Is fatal misnamed? Does it keep doing more stuff even though something really bad just happened? That would be really stupid

I suspect OpenSSH developers are freaking out, have no proof that the exploit even exists, and are just pushing all of the planned bugfixes off their desks just in case.

Re:Mirror of the vulnerability description

[Eddie+the+Jedi]

Is fatal misnamed? Does it keep doing more stuff even though something really bad just happened? That would be really stupid

It kind of does. Seems that fatal() calls fatal_cleanup() [cf fatal.c], which runs thru a list of callback procedures before exiting. Somewhere in those callbacks the function buffer_free() [cf buffer.c] might be called on the offending buffer. That function does a memset(buffer->buf, 0, buffer->alloc), and there's your overrun.

QED.

Re:Mirror of the vulnerability description

[jonabbey]

But surely a memset(buffer->buf, 0, buffer->alloc) is at most a DOS? Hard to imagine a penetration exploit that would result from overrunning a buffer with zero bytes.

Re:Mirror of the vulnerability description

[Tony-A]

How is this exploitable? Probably isn't.
I suspect OpenSSH developers are freaking out, have no proof that the exploit even exists Probably.

Don't worry, it will all settle quickly, with the hole, if it was a hole, firmly eradicated. If you were wondering why Linux worms/viruses/whatever never seem to accomplish much of anything, the above is why. You almost feel sorry for the bugs.

Re:Mirror of the vulnerability description

[njchick]

Oh well. Use of untrusted data before validating it. That's something perl -T (tainted check) could catch. If OpenSSH was written in Perl, of course.

I wonder if tained checks can be implemented in C. Perhaps using Valgrind or something like that.

Re:Mirror of the vulnerability description

[defile]

It kind of does. Seems that fatal() calls fatal_cleanup() [cf fatal.c], which runs thru a list of callback procedures before exiting. Somewhere in those callbacks the function buffer_free() [cf buffer.c] might be called on the offending buffer. That function does a memset(buffer->buf, 0, buffer->alloc), and there's your overrun.

That seems harmless (it would be really hard to do useful damage by overflowing a buffer with zeroes), but it's also pointless. _exit() will free all of that memory. Why are they bothering with proper cleanup? This is FATAL CONDITION! ABANDON SHIP!

Someone's fired -- even though this probably isn't the source of the exploit.

Re:Mirror of the vulnerability description

[pmz]

This could potentially cause another part of the program to run past the actual end of the buffer.

So, is this even a vulnerability on systems that have stack executable protections (e.g., recent OpenBSD & Solaris on UltraSPARC, et. al.)?

For example, I put a line "set noexec_user_stack=1" into Solaris' /etc/system file (this is from memory, so YMMV).

Re:Mirror of the vulnerability description

[andreas]

Yes, because it's a heap overflow, not a stack overflow.

Re:Mirror of the vulnerability description

[pmz]

Yes, because it's a heap overflow, not a stack overflow.

Does this mean that heap execute protection is easier said than done?

Re:Mirror of the vulnerability description

[Aardpig]

Why are they bothering with proper cleanup? This is FATAL CONDITION! ABANDON SHIP!

Only guessing, but how about to ensure that the freed memory isn't handed over to a subsequently-run app, still stuffed full of cryptographically-sensitive information?

Re:Mirror of the vulnerability description

[andreas]

Yes, because you need to have a writable and executable heap area for shared library linking. You could protect a part of the heap, though, and for instance allocate all user-provided strings in a non-executable heap.

But kiss good-bye to JIT compilers when you do it.

And still it would be imaginable to write an exploit for such a system. Clever manipulation of pointers can go a long way.

Re:Mirror of the vulnerability description

[Chris+Burke]

If you were wondering why Linux worms/viruses/whatever never seem to accomplish much of anything, the above is why. You almost feel sorry for the bugs.

I never feel sorry for bugs. The only good thing about bugs is the merciless crushing of them. Unless they amuse me. Like the one that doesn't crash the program, but turns everything psychedelic colors. That one might get to stay, and become an easter egg or something.

I was faintly hoping that this would result in the bugs evolving to become more amusing and less harmful over time. Eventually all my programs would be crash-free and full of cool and neat features, without having to change or improve my coding style at all! Evolutionary time scales being what they are, results are still out on whether this holds true in practice.

For the sake of being somewhat on topic*, obviously I wouldn't do this if I was an ssh developer. :)

*There's a bug, and a patch to go with. Not much else to say. Being a Debian user I've already done the apt thing and patched.

Re:Mirror of the vulnerability description

The only good thing about bugs is the merciless crushing of them. Unless they amuse me. Like the one that doesn't crash the program, but turns everything psychedelic colors.

That isn't a bug, it is a drug

Re:Mirror of the vulnerability description

[srn_test]

This is the job of the kernel. Memory should be cleared out when given to a new process.

Re:very early - MOD PARENT FUNNY

[pVoid]

Man you made my day.

Well, ok. You made my coffee break...

There is a debian patch up

I just did and "apt-get update" and "apt-get upgrade", and the new patch is there and it appears to at least not fubar the system. Hooray for easy administration! Hooray for distributed fixing! Hooray for debian!

Updating for Gentoo

[Synn]

If you don't want to wait for the official ebuild:

cd /usr/portage/net-misc/openssh/
cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
emerge -f openssh-3.7_p1.ebuild
ebuild openssh-3.7_p1.ebuild digest
emerge openssh-3.7_p1.ebuild

Re:Updating for Gentoo

[brandonY]

I don'nt know how long it's been there, but openssh 3.7_p1 is already up. Just emerge sync ; emerge -u openssh. Yay Gentoo!

Re:Updating for Gentoo

[Aardpig]

If you don't want to wait for the official ebuild:

cd /usr/portage/net-misc/openssh/
cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
emerge -f openssh-3.7_p1.ebuild
ebuild openssh-3.7_p1.ebuild digest
emerge openssh-3.7_p1.ebuild

This will fail if you have kerberos support USE'd, with an error involving gssapi.h not being found. The solution? Replace the final line with this:

USE="-kerberos" emerge openssh-3.7_p1.ebuild

Re:Updating for Gentoo

Why post this? I mean it's great that it's that simple... but let people take care of their systems. For RedHat up2date -fui and done. If it were windows that was affected jump over to windowsupdate.microsoft.com click the update and download/install.... every operating system is getting this easy to patch cause you gotta patch every damn operating system every damn day.

On Debian systems its probably about as simple; I imagine FreeBSD has their way, and Solaris will do a patch; in no case is it so terribly difficult, that any of us need the 5 lines to do it on one linux distribution

And to top it of, it was probably a coordinated release by all vendors affected, because as you say it is available for Gentoo, and it was available for RedHat several hours ago as well so there goes the boating about how it was so readily available from Gentoo.

Re:Update for debian is 1:3.4p1-1.1

I just ran apt-get update myself and apparently 1:3.4p1-1.1 is the latest and includes this patch:

# apt-get update
# apt-get upgrade
# ssh -v
OpenSSH_3.4p1 Debian 1:3.4p1-1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f

It's "try TO", not "try AND", dammit!

You try TO do something, you don't try AND do something. Why do geeks get this wrong more often than they get it right? Live and learn, please!

And when /. news item contributors write like grade-school dropouts, the /. editors should try and [sic] edit their news items.

Re:It's "try TO", not "try AND", dammit!

[arkane1234]

Can you try to pull that stick out of your ass?

Thanks.
Anonymous Coward.

Re:It's "try TO", not "try AND", dammit!

It's "damn it", not "dammit"

Great opportunity.

[AxelTorvalds]

SSH has been one of the biggest weaknesses in security infrastructure the last few years..

I know there are a bunch of Ada hackers out there and people with other languages they are advocating and trying to protect, this seems like an ideal task to prove your prowess and the strength of your tool set by building a better SSH server and client. I'd love to see some network infrastructure servers done in Ada.

Re:Great opportunity.

[kakos]

It has? Really now. That's interesting. So, OpenBSD has SSH on by default and has had ONE remote exploit in seven years. Now, take ye olde random Linux and you will quickly notice that there were probably a couple of remote exploits just last month.

Yup. SSH is certainly a big weakness in security infrastructure. One exploitable hole is pretty damned good and certainly much better than almost any other software on the planet.

Re:Great opportunity.

[Minna+Kirai]

I'd love to see some network infrastructure servers done in Ada.

That's a good idea. Time for the Ada-zealots to "put up or shut up". Those guys never seem to put out much code... and of course they become rarer every day. If their language was really more secure, correct, and easy (yes, they claim that!), then an sshd reimplementation would be a fine demonstration to prove it.

Re:Great opportunity.

[shaldannon]

Having done Ada coding for class (can you believe the Comp Sci department at Auburn University thought Ada was better than Java?) I'll speak a little bit to the language. It's designed for security in safety for real time environments (e.g., cruise missiles, airplane navigation and radar systems, etc). It's also been lately abandoned by the DoD.

The idea is that it's supposed to provide operational security, but since Ada is translated to C and then compiled (that's what gnat does-- "GNU Ada Translator") I'm sure there are the usual compiled C code vulnerabilities.

Syntactically, it's like (was designed based on) Pascal, so you be the judge as to ease of learning. My assesment is that it is verbose and (being strongly typed) a pain to program in (then again, I'm a Perl guy first).

I don't recall what (if any) networking libraries exist for Ada, so I don't even know if the project is possible.

Fixed debian i386 package

[jogu]

wget from: http://security.debian.org/pool/updates/main/o/ope nssh/ssh_3.4p1-1.1_i386.deb then dpkg -i the resulting file.

enormous

[imscarr]

"The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login."

EVERYTHING COUNTS IN LARGE AMOUNTS!

Why all the lsh plugs?

[kakos]

It seems to me that a package that goes through code security audits regularly and is actually finished is infinitely more secure than an incomplete package?

Why are there people suggesting to go from a secure package to an insecure one?

Re:Why all the lsh plugs?

[Tom7]

Uh, because OpenSSH has a remote root exploit in it, despite code audits? Diversity is useful.

Re:Why all the lsh plugs?

OpenSSH has a BSD-license, LSH has a GNU-license.

It's must be a conspiracy by the GNU viral license advocates to wipe out "free"BSD licensed software!

Re:Why all the lsh plugs?

[arkane1234]

It seems to me that a package that goes through code security audits regularly and is actually finished is infinitely more secure than an incomplete package?

Why are there people suggesting to go from a secure package to an insecure one?

It's alot like the Indie music scene, actually. Whatever the mainstream doesn't use is suddenly the most 3l33t and coveted tool. Because obviously OpenSSH is tainted by the touch of the mainstream individuals and now suddenly lsh is far superior. They need something to feel superior for.

I myself use what works, and OpenSSH works. Mainstream or not, it's a damn fine tool, and I have no reason to migrate to another tool unless it provides me with advantages that supersede what OpenSSH can provide.

Re:Why all the lsh plugs?

[andreas]

Well, I need two things from my ssh implementation:

- encrypted and authenticated communication with other hosts
- security against network attacks.

OpenSSH provides only one of the two. It has repeatedly had security problems. You know, if it *has* to be C, you have to write in a certain style to prevent against buffer overflows. We have statistical evidence that the code is problematic.

That's got nothing to do with avoiding mainstream, but rather with careful selection of the software I use. I had excellent experiences with switching over from Bind to tinydns: when the Bind 9 bug hit the roads, I could sleep in.

So, I'm giving lsh a chance. I'll even do some more code review, to convince myself that it is ok, and what I see so far looks quite good. In fact, you rarely see such fine code. Of course it will need a couple of extra eyeballs to make really sure, but I have a lot of faith here.

Re:Why all the lsh plugs?

[capn_buzzcut]

"Whatever the mainstream doesn't use is suddenly the most 3l33t and coveted tool. Because obviously OpenSSH is tainted by the touch of the mainstream individuals and now suddenly lsh is far superior. They need something to feel superior for."

"I myself use what works, and OpenSSH works. Mainstream or not, it's a damn fine tool, and I have no reason to migrate to another tool unless it provides me with advantages that supersede what OpenSSH can provide."

Thank you sir, for a what is the simplest, most accurate characterization I've read, the first part of which I feel describes an unfortunately large proportion of OSS users. And I agree with your position - I use what works for ME without regard to the l33t factor, and quite frankly without the "MS sucks" attitude so many Linux users seem to have. I choose Linux and mostly stick with a distro's default tools because they get the job done, not because I need a penis extension.

Re:Why all the lsh plugs?

blah blah blah l33t factor blah blah blah "MS sucks" attitude blah blah blah get the job done blah blah blah I need a penis extension.

Wow, that was useless. Thanks for the uninformative subthread.

Re:Why all the lsh plugs?

[kumokasumi]

That's security through obscurity. Widespread diversity helps the ecosystem; it does not generally help the individuals.

Re:Why all the lsh plugs?

Yeah, really. Why is it that people feel the need to generalize like this? Especially when they provide no useful information!

Get a clue people - generalizing usually makes you look stupid!

Re:Why all the lsh plugs?

[Tom7]

That's security through obscurity. Widespread diversity helps the ecosystem; it does not generally help the individuals.

Some security through obscurity is still some security nonetheless. It's just not a good idea to trust in obscurity alone.

Being diverse does indeed help the individuals, and the analogy with "ecosystems" breaks down because computer security does not work the same way as random genetic mutations. Exploits are designed by people with finite resources, and they are less inclined to develop exploits for rare programs. A really diverse network will probably only see exploits at nodes where there's something really interesting and worthwhile to pillage, since it's simply not worth it to develop an exploit to compromise only a few machines.

That said, I still think the best way to get more secure systems is to stop trying to write them in C. (See the recent discussion on slashdot for my comments...)

Re:Why all the lsh plugs?

[erc]

If that's true, why hasn't the "l33t" crowd turned away from Perl and PHP in favor of Escapade and other, lesser-known, server-side scripting languages?

Lindows security - pet peeve

[dpilot]

If this is Lindows, you are probably not running sshd. Furthermore, you should not do so.

To do damage, you need two things. First, you need to get into the machine, and second, you need to elevate your privilege to root. So to get nasty, you either need an exploit for a service running as root, or you need a second exploit to become root. Especially in recent years, most daemons have tried very hard to avoid running as root, forcing the need to find two bugs instead of one.

Lindows runs the ordinary user as root. I don't know if they have a better policy for running daemons as non-root - I certainly hope so. But running ordinarily as root removes one line of defense against crackers.

Add to that the fact that Lindows is aimed at the inexperienced market, so these systems *may* be less likely to be correctly patched.

Trust me... View the srpm

[ChiefArcher]

I've released the SOURCE RPM...
you can always grab it and see for yourself..
I only changed buffer.c

Feel free to see for yourself..

I had to make all of these this morning to patch our systems..

ChiefArcher

Re:Trust me... View the srpm

[Pharmboy]

Hey, what is the file allyourbase.c doing in your source RPM? ;)

Solaris versions vulnerable?

Didn't solaris 9 ship with an openssh-based implementation? Has anybody seen traces of patches from Sun?

I looked around, but didn't see any indication, nor could I read the mailing list archives that were linked to in the story.

Re:Solaris versions vulnerable?

[Ubergrendle]

I too am interested in comments pertaining to Solairs. I am not an admin, but my ASP runs Solaris and I don't see any patches in the change records for OpenSSH for several months.

RPMs for anyone in .ac.uk domain

[Xugumad]

http://bowmore.dcs.st-andrews.ac.uk/rpms/ contains source and binary RPMs. The directory should not be accessible outside the .ac.uk domain, as I don't have the bandwidth to take a /.ing. Even if I've messed up the configuration, please do not try to download the RPMs. PLEASE

Also please note, these are barely tested. I patched, compiled, installed and ran the server/client, but haven't had time to do much more. People may want to wait until the official RedHat RPMs.

If someone wants to set up a mirror, post under here and I'll work something out.

Re:RPMs for anyone in .ac.uk domain

[Xugumad]

Just put an update online now, and expanded the availability to include the entire .uk domain.

Re:RPMs for anyone in .ac.uk domain

[Anders]

Even if I've messed up the configuration, please do not try to download the RPMs. PLEASE

This must be the worst mirror service I have ever seen.

Re:RPMs for anyone in .ac.uk domain

[Xugumad]

It wasn't a mirror, I made the RPMs myself. Actually, if I'd know RedHat would get around to it so quickly, I'd never have bothered.

Debian update

[irc.goatse.cx+troll]

wget http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.de b
dpkg -i ssh_3.6.1p2-6.0_i386.deb

Might only work on sid.

Re:key authentication vulnerable?

[keiferb]

The short answer is yes. If you're running anything previous to 3.7[p1], your version is affected.

It may not be -vulnerable- at this moment due to the you've got it configured (I don't know if this is the case or not, just an example).

Chew on this, though: do you really want to have to go through all of the old security advisories each time you make a config change to see if what you're doing could open you up to a really old vulnerability?

Patch now so it doesn't come back to bite you later! =)

intentions are noble and MIRROR now

[ChiefArcher]

you have an email address to...
and a resume www.briangannon.com
and the Source RPMS.

http://stradlin.com/ssh
if you do a diff on the sources, you will see I only edited buffer.c
my intentions are completely noble.
How can you really trust Redhat? One of the disgruntled developers could put a backdoor in a patch?

ChiefArcher

Re:intentions are noble and MIRROR now

[NateTech]

You know how it goes... I trust you, but my company can't. :-)

I keep hearing 'bout these disgruntled developers. I'm waiting to meet a gruntled one.

Re:intentions are noble and MIRROR now

i'm a grunting developer...

Re:intentions are noble and MIRROR now

[ninji]

If you dont trust redhat, then why use their OS?

Parent is Wrong

OpenBSD is exploitable too. So much for priv seperation and all the anti-exploit fun.

I fail to see....

[Damon+C.+Richardson]

"disseminated to the bad actors." I fail to see what Burt Reynolds has to do with it.

Re:I fail to see....

[jonadab]

> fail to see what Burt Reynolds has to do with it.

Nothing. He was talking about Jim Carey.

Re:I fail to see....

[eatdave13]

What the heck does Jim Carey and Burt Reynolds have to do with Kevin Bacon?

Obl. Monty Python

[kevinvee]

"He dips the pen...in the ink, and he's off! It's the first word, but it's not a word - oh, no! - it's a doodle. Way up on the top of the lefthand margin is a piece of meaningless scribble - and he's signed his name underneath it! Oh dear, what a disapointing start. But his off again - and here he goes - the first word of Thomas Hardy's new novel, at ten thirtyfive on this very lovely morning, it's three letters, it's the definite article, and it's "The". Dennis."

"Well, this is true to form, no surprises there. He started five of his eleven novels to date with the definite article. We had two of them with "It", there's been one "But", two "At"s, one "On" and a "Dolores", but that of course was never published."

- Novel Writing (Live from Wessex)

Re:Ermm.. can anyone say "Microsoft"

[Rhys]

Ignoring the unix updating tools, it's hard to update.

No kidding. Let me guess, ignoring the sun, it's dark?

WOW!!

[narratorDan]

I just read all these replies (about 15 right now) and all of them are nice and respectfull of the fact that this guy is a newbie!
I must be on the wrong site.

NarratorDan

Re:WOW!!

[jdavidb]

Yeah; I was struck by the same thing.

And I have a mild suspicion the parent poster is a troll, or just pretending to be a newbie. It seems like most new Lindows users wouldn't read slashdot, or that if they did they'd be more technically inclined, or that if his dad installed Lindows for him he'd ask his dad instead of coming here. Of course, that's just a suspicion; I hope he's a genuine newbie who got helped nicely (and will one day become a technically-competent friendly guy who offers help on message boards).

Re:WOW!!

[Abcd1234]

Eh, who cares if it's a troll? Either way, it shows that there is, in fact, a percentage of the Slashdot crowd who's willing to provide helpful, friendly advice to newbies. This is a good thing... hey, maybe the Slashdot crowd is maturing a little!

Naaah... :)

Re:WOW!!

Of course it is a troll. Still, people are trying to answer. I would have answered had I seen it earlier. This is the remarkable thing, even with "debian" and "dad" giveaways, people are civil to someone pretending to be a newbie on the remote chance that he really is one or someone who really is might be reading the post.

Re:WOW!!

[jdavidb]

Eh, who cares if it's a troll?

Oh, I just thought it was an interesting thing to consider. Doesn't really matter.

Main point is: wow, people were being helpful here.

Can somebody enlighten me?

[PinkFluid]

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/o penssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h

I don't see how this fixes any problem ... The code is practically identical, or am I missing something? What's the big deal in calculating the new size in a separate variable? Maybe this is sime kind of DOS attack, not a remote exploit....

Re:Can somebody enlighten me?

[Junta]

Easy, the buffer for a period of time is not as big as the struct indicates. So between the time the buffer size variable is set and the time the realloc is performed, there is a window of opportunity to fill that buffer beyond is alloced boundary if another process/thread goes to put stuff in that buffer at the wrong time.

Also, I'm not sure exactly how 'fatal' the fatal is in there, it could be that it breaks out of the function, but leaves the buffer size parameter at too large a value for the alloc in that buffer.

One or both of those problems is exploitable.

Re:Can somebody enlighten me?

[PinkFluid]

Well, ssh is not multi-threaded and there is no way another process can write to that region(that would be classified as a kernel bug in any case) unless the buffer is in a shared memory, which is not. fatal() runs few cleanup handlers(which do not touch that buffer in any way) and exits with exit code 255, so fatal() is pretty much fatal.

I still have to find evidence of the exploit besides few mails with absolutely no technical detals. More and more I think this is some kind of hoax... and I can understand why everybody is so jumpy, afterall ssh is a crucial part of a "secure" box.

Re:Can somebody enlighten me?

[haapi]

Yeah, and the return value of xrealloc isn't
checked against NULL, neither.

Re:Can somebody enlighten me?

[haapi]

The function fatal() calls various *_cleanup() functions in a
call-back fashion. Some of these cleanups do buffer_free() calls on
Buffer structs. The buffer_free() function fills the buffer up to its
now bogus alloc length with zeros and then frees it.

At least I can see that possibility. I think I will apply the patch and also fatal-out on xrealloc() returning NULL.

Re:Can somebody enlighten me?

xrealloc does not return NULL.
From xmalloc.c:

void *
xrealloc(void *ptr, size_t new_size)
{
void *new_ptr;

if (new_size == 0)
fatal("xrealloc: zero size");
if (ptr == NULL)
new_ptr = malloc(new_size);
else
new_ptr = realloc(ptr, new_size);
if (new_ptr == NULL)
fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
return new_ptr;
}

Re:Can somebody enlighten me?

[haapi]

You are correct! Thanks for following up.

Re:Can somebody enlighten me?

[tofus]

I just don't get it... Can somebody please explain in plain and simple terms just exactly what steps are needed to exploit this bug? I understand that the bug can cause nasty things in memory (hence it's a bug), but that doesn't mean the entire underlying OS can be classified as 'insecure' because of that bug. I mean, if i write a C program in userland space, and i don't really manage memory clean-up well in it (because i'm a lousy C programmer), does that also compromize the entire system i have an account on?

My point being that sshd runs in userland space (as user sshd); so i don't see how this can cause any raised privileges, if the bug is in sshd and NOT in the kernel (which as far as I understand, it isn't).

Re:Can somebody enlighten me?

also fatal-out on xrealloc() returning NULL

Note that xrealloc already does that internally.

Re:Can somebody enlighten me?

[ysachlandil]

Bingo,

It's in the cleanup handlers, read the code...

before the buffer is freed, it is memset to zero. Except that the buffer code updated the size of the buffer before reallocating. So the cleanup function zeros beyond the buffer boundary, into parts of the heap.

At this time it is not known if this is an exploitable condition. What is known is that it is DoSable.

--Blerik

Re:Can somebody enlighten me?

[PinkFluid]

Yes,
I found that after carefully inspecting fatal(), but I still don't see why this generated so much hype. If there is an exploit out there, I bet it's not in this piece of the code so ssh remains vulnerable ...

Exploits, Bugs, etc

So when an exploit is discovered in Windows, it's the evil Microsoft's pathetic fault. But when it's something in the *BSD/Linux worlds everything is "uh, well, see... um..." not so bad?

Re:Exploits, Bugs, etc

[xadhoom]

also are quick fixed and is *generally* harder to exploit. And the patches are stable. not as the first slammer patch that wasn't fixing the M$ problem @ 100%, thus requiring a second patch for the same problem....

Re:Exploits, Bugs, etc

That's because microsoft wasn't patching the ~problem~, they we're patching the ~symptom~, like they always do...

selinux

[Oestergaard]

Nope. By the time we get close to 98%, we will have SELinux by default.

This bug, like any other non-kernel bug, is useless for an attacker on a system with mandatory access controls and a proper policy configuration.

The worms will need a kernel bug *and* a remotely exploitable bug to propagate.

Re:selinux

[nullard]

The worms will need a kernel bug *and* a remotely exploitable bug to propagate

Why? It's a remote root exploit. How about this: A script is written that gets root on a specified machine using this exploit. Then it copies the script from the originating host and runs it, targeting every machine it can ping. That sounds like propagation to me.

Re:selinux

[Oestergaard]

sshd is only granted the necessary access in order to receive user credentials. It therefore cannot access the disk, create network connections, or execute arbitrary programs.

Yes you can compromise sshd, but you will be left with the control over a process that can do virtually nothing.

This changes only when it provides real user credentials to the kernel.

It's mandatory access controls. And the above is why they can give you *real* security, not just 'I think my daemon is sorta secure and therefore trust it with my whole box'-security

A fix for Gentoo

[ncc74656]

http://bugs.gentoo.org/show_bug.cgi?id=28873
http://forums.gentoo.org/viewtopic.php?t=84879&hig hlight=openssh

There's no ebuild pushed out for it yet, but the second link describes a workaround. (Haven't tried it yet, but will in the near future.)

Very convenient

[CausticWindow]

.. and with the release of a Nmap version that performs version detection on services.. hm.

That's the fundamental problem with tools like, Nmap. While they might be good tools for the good guys, they're also terrible tools in the wrong hands.

Anybody else heard rumours of this exploit a couple of months ago? Seems like somebody have tried to keep the lid on this.

Re:Very convenient

[ewhac]

While they might be good tools for the good guys, they're also terrible tools in the wrong hands.

The same could be said of a hammer.

A tool by itself is nothing. Morality only enters the discussion when a person uses the tool.

Schwab

Re:Ermm.. can anyone say "Microsoft"

[hey]

Does OpenSSH run on Windows?
If so this would be a Windows vulnerability too.

Movie Gossip

[Kommet]

Anyone else hear that the Wachowski brothers called Carrie-Anne Moss back today for some hurried reshoots? The word is that they are replacing a scene where she uses an RPC vulnerability in Windows 2000 to drop copies of the ILoveYou virus into Agent Smiths' laptops.

I wonder what they will be using instead...

Does this effect Cygwin???

[kevlar]

Does anyone know if this exploit effects Cygwin installations of SSHD? I _really_ need to know.

Re:Does this effect Cygwin???

[funkman]

You are already running windows. You have more serious problems.

Re:Does this effect Cygwin???

[firebus]

you have to assume it does and take defensive measures for now.

Re:Does this effect Cygwin???

[kevlar]

Not if port 22 is the only exposed port...

Re:Does this effect Cygwin???

When I checked at 7:27 PM Pacific Time, Cygwin had OpenSSH 3.7p1-1 available for download/install.

Re:Does this effect Cygwin???

Cygwin now has 3.7.1p1 available for download/install.

rebuilt RPMs for RH9

[Olinator]

available from www.cs.umass.edu/~olc/pub/openssh-3.5p1-patched. These were built using the patch that was (briefly?) seen at www.openssh.org/txt/buffer.adv which I will mirror with the RPMS at the above URL. (I would've posted it, but the goddamn lameness filter doesn't like context diffs...)

Ole

Re:rebuilt RPMs for RH9

[leviramsey]

Another fun day for CSCF and OIT...

No problems for Sun?

[niola]

Unless I missed it somewhere, it looks like this is not a problem with OpenSSH on Solaris?

Can anyone enlighten me on this?

--Jon

Re:No problems for Sun?

[joebubba]

Horsefeathers.

It definitely IS a problem with OpenSSH on Solaris if you are running anything prior to SSH-1.99-OpenSSH_3.7p1

Re:Ermm.. can anyone say "Microsoft"

[Gleef]

koniosis wrote:

It appears that *nix systems now have an exploit, where are all the people claiming "Linux has no exploits that need patching", showing how insecure Microsoft are?

Where are all the people making such claims, hopefully flipping burgers. Of course Linux has the occasional exploit, which of course requires patching.

There are still differences between a Linux exploit and a Windows one. The Linux one is generally fixed faster, and the fix is more likely to work the first time. A Linux exploit is less likely to give the cracker full root access to your system than a Windows one. Also, most decent Linux systems (eg Debian) are considerably easier to patch than Windows (apt-get update, apt-get install).

Sobig and Blaster came and went and microsoft got bashed so damn much, when something like this happens to linux its like "oh shit happens, nevermind".

That's because Sobig and Blaster were seen everywhere, they did actual damage to actual systems. Blaster might even have exacerbated the recent Northeastern US/Southeastern Canada blackout. Any exploits of this OpenSSH bug, if such exploits exist, are so rare that most people are calling them rumors. Nobody would sanely call Sobig a rumor.

And it's going to be harder to patch *nix systems than windows (don't say Windows update is hard to use and *nix is as easy, its not [most of the time, ignoring redcarpet ect])

I have used apt-get, redcarpet and Windows Update. Apt-get is easier, faster, and more reliable than both redcarpet and Windows Update. Redcarpet is just as easy, and more reliable compared with WU. Windows Update often requires reboots, and occasionally trashes systems altogether.

SSH is probably the most used administration tool for *nix, probably the last thing people want an exploit in. Microsoft don't seem so on their own anymore.

Nope, they're still in a league of their own regarding security problems. Sorry to break it to you.

MOD PARENT DOWN

[xchino]

The vulnerability is fully exploitable under OpenBSD. I've just rooted my own OBSD firewall, and it actually hit the proper register faster than it did on my Gentoo desktop (not that that means anything).

A post like this given a +5 is dangerous. I wonder how many OpenBSD users will read that, take his word for it, and not patch their systems. Probably not many :) But if only one does, then the damaga is done.

Re:MOD PARENT DOWN

[diamondc]

What proof do YOU have? You're just as credible as the post above who you're trying to say is giving out wrong information. A demonstration would be nice.

Re:MOD PARENT DOWN

TRY IT YOURSELF YOU IDIOT! That's probably the only way you'd believe it anyway. Never mind that several others have also claimed to have been able to do it.

Re:MOD PARENT DOWN

[Syberghost]

A demonstration would be nice.

It'd serve you right if he gave you one. :-)

Re:MOD PARENT DOWN

[diamondc]

you're right.. I'd only believe it if I saw a demonstration with my own eyes. I'm not going to fully trust some random person on /.

anyways, there's an ssh update for Debian so I guess that this exploit is for real.

Re:MOD PARENT DOWN

[Penguinshit]

And anyone who doesn't patch a known vulnerability, whether "exploitable" or not, is a +5 Fucking_Idiot.

Re:MOD PARENT DOWN

>>I wonder how many OpenBSD users will read that, >>take his word for it, and not patch their systems. >>Probably not many :)

You're right! I have already upgraded 8 of my OpenBSD servers to 3.7 since noon. They were all already protected by other acls, firewalls, pits of snakes, gigantic gorillas ... Not that we OBSD users are paranoid.
Remember: You're not paranoid if they really are out to get you.

Re:MOD PARENT DOWN

[mabinogi]

If you're the sort of person that requires proof before you'll believe in the existance of a security flaw...then I hope I never rely on the secure operation of a network you're in charge of.

Sets my mind at ease

[macdaddy]

We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18

Whew. I don't know about the rest of you but knowing that Theo has a new shirt to wear sets my mnd at ease. :-)

Commercial versions?

Anybody know if the commercial versions of SSH (like the ones from ssh.com or F-secure) are vulnerable to this same exploit?

Redhat?

[Jesus+IS+the+Devil]

Is there a temporary workaround for Redhat while I wait for the updated RPM?

Re:Redhat?

Let's hope so, since knowing Red Hat it will be a couple of weeks or a month...

I want to go knock on their foreheads and ask "Anyone home?"...

Re:Redhat?

[Jhon]

ipchains (or whatever). Block traffic to sshd from all but known clients who NEED access. I do this anyway.

If you're a lazy SOB and not security minded, you COULD just change the default port to something weird like 19326 or something -- at least that will keep most ssh exploit scripts at bay and probably "buy" you the time you want while you wait for RH.

Re:Redhat?

[digitalhermit]

A few things you can do:

1) Turn off ssh completely: /sbin/service sshd stop

2) Disable access to SSH via iptables:
vi /etc/sysconfig/iptables
comment out the
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

restart iptables

3) Patch the package yourself (this is what I did)

Download the latest source rpm from Redhat or a mirror.
Install the source rpm.
Grab the patch from openssh.org
cd to your rpm SOURCES directory.
Extract the openssh-3.4p1.tar.gz file
Rename the resulting directory to something like orig
Extract the openssh-3.4p1.tar.gz file
cd to this new directory and apply the Openssh patch
patch -p0 ../patch_from_openssh.patch
cd back to your SOURCES RPM and diff the orig file with your new
file
(you can probably use the openssh patch directly but you'll need
to modify the headers slightly).

Name the diff to something like openssh-3.4p1-buffer.patch

Edit the SPECS/openssh.spec file and add a new PATCH6 line referencing the openssh-3.4p1-buffer.patch.
Update the release tag to 5.

Rebuild the rpm using:
rpmbuild -ba openssh.spec

(It actually took longer to write than it did to actually perform).

Re:Redhat?

[$0+31337]

Why don't you simply download and compile the source? You aren't telling me you're a system administrator and can't compile source are you?

Re:Redhat?

Well, whaddya know. They've already released a fix. That seems to be just over an hour to have packages available for all versions.

Re:Redhat?

[markjx]

RedHat has posted new RPM's: https://rhn.redhat.com/errata/RHSA-2003-279.html Enjoy!

Re:Redhat?

That was pretty darn quick, if you ask me.

mod parent up!

mod parent up!

OpenSSH exploit or SSH exploit?

Is F-Secure SSH 3.2.5 vulnerable?

Re:Ermm.. can anyone say "Microsoft"

[Aardpig]

It appears that *nix systems now have an exploit, where are all the people claiming "Linux has no exploits that need patching", showing how insecure Microsoft are?

You are comparing apples and oranges; OpenSSH is not part of the Linux kernel, it is a commonly-used piece of third-party software. Past criticisms of Microsoft have been directed at vulnerabilities in the core Windows functionality, not at script-kiddie backdoors in IRQ clients.

The "Full Disclosure" message is stupid

[JoeBuck]

It appears that the OpenSSH people found this bug first, and released a fix in version 3.7. People who studied this fix then found the exploit. So it's stupid for this guy to tell people "upgrade to lsh", since the whole reason his buds know about this bug is because 3.7 fixes it.

Re:The "Full Disclosure" message is stupid

I'm just typing this to let you know, because you might not already.. although I have a feeling that your life is full of indicators, that you are a fucking IDIOT.. so here's a tip, never speak again and never type again, until you have at least a third of a fucking clue of what you are talking about

Re:The "Full Disclosure" message is stupid

It appears that the OpenSSH people found this bug first, and released a fix in version 3.7.

You are an idiot. This email was posted on full-disclosure days before the fix was in openbsds cvs.

Re:The "Full Disclosure" message is stupid

You seem to be running low on periods there, so here's a few spare ones I've just had laying around: .......... .......

I'm sure a person as intelligent as yourself will know what to do with them.

Re:The "Full Disclosure" message is stupid

The initial fix for buffer.c (which is one of the things fixed in 3.7) was not commited to the CVS tree until a few hours after auto64746@hushmail.com posted the snippet of code that contains code that contains potentially exploitable code. 3.7 was released hours after these emails were sent to the FD list.

Re:The "Full Disclosure" message is stupid

clever

Suggestions?

[devphil]

Now we have a big and fat tool that can do nearly everything,

That's right! It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually. Form connections, generate session keys.

Public/private key generation? Different program. Managing keys on a local machine? Different program. Transferring files securely? Different (wrapper) program.

It would have been a better idea to do a small diet and dis-integrate functions into different tools

Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?

Re:Suggestions?

[yanestra]

It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually.

I'm thinking of tunneling, SSH1 support, dozens of authentication methods, keyring management including key life cycle management, several different and optional security layers, token management, context-sensitive interpretation of incoming requests, packet dispatching via a plug-in like technology, X11 forwarding layer, etc.

For the main task of the program (system administration), you don't need all of that.

Re:Suggestions?

[arth1]

Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?

Authentication could be split out into pam modules. That would actually be a Good Idea, security-wise. Don't want Kerberos 4? Turn it off system-wide in your pam settings, without having to hunt down all the different programmes that has it compiled in.

Similar for encryption and compression modules -- make them true modules, independent of the parent program. There shouldn't be a need to compile in support for any new authentication, encryption or compression scheme in ssh -- design an API instead of umpteen hooks and compile options, and let people put what they want in place OUTSIDE of ssh itself.

Regards,
--
*Art

Re:Suggestions?

[Just+Some+Guy]

For the main task of the program (system administration), you don't need all of that.

Erm, main task for who? I use it regularly for remote administration, but I use it often (every 5 minutes, according to cron) as a transport layer for rsync'ing a directory tree on a server several hundred miles away. It's also a forwarder to a Usenet feed that only accepts connections from one IP address, said address being on a server outside of my LAN. It's also the main method (via SFTP) that my clients use to upload inventory data to their distributed servers.

System administration is SSH's most common interactive task. Measured in raw bytes transferred, though, it's near the bottom of the list. Don't pigeonhole it into only the functions that you use it for.

Re:Suggestions?

[arkane1234]

So what your saying is that my doing X11 forwarding over SSH is a stupid thing that shouldn't be done?

YOU don't do this. That means you aren't at that level yet. You need to become a little more diversified and learn. Thanks for playing though, it's been a blast.

Re:Suggestions?

[yanestra]

...main method (via SFTP) that my clients use to upload inventory data to their distributed servers.

Which item(s) of my collection of not needed features is required for your applications?

Re:Suggestions?

[arkane1234]

Authentication could be split out into pam modules. That would actually be a Good Idea, security-wise.

Sure, if Linux was the only operating system OpenSSH was designed for.
There is also AIX, Mac OSX, Solaris, Irix, Cisco IOS, HP Procurve Switches, etc...
Large scale.. think portable.

Re:Suggestions?

[Just+Some+Guy]

Which item(s) of my collection of not needed features is required for your applications?

In particular:

• SSH1 support (I can't help what client software they want to use)
• Token management (Kerberos is a Good Thing)
• X11 forwarding (how else to run graphical tools remotely?)
• Tunneling (many apps don't support crypto natively; see "rsync" and "cvs")

Seriously, it's OK if you don't use all of those things. However, I use them every single day, and I'd have to seriously rework a lot of my network if they went away.

Re:Suggestions?

[Warped1]

Authentication could be split out into pam modules.

OpenBSD (AFAIK) doesn't support PAM modules ...

This is precisely...

[devphil]

...why I always go back and add security holes to all of my programs. If some future (or current) anti-regime hacker needs to be able to break into a local power plant, I want to make sure my code can help!

[I considered signing this post "love, Theo" but then thought better of it.]

Re:Ermm.. can anyone say "Microsoft"

where are all the people claiming "Linux has no exploits that need patching"

Yes. Where are they? I don't see any around here. Maybe that's because nobody claims this. What people do claim is that Linux is far more secure than Windows. One hole doesn't change this.

Re:Ermm.. can anyone say "Microsoft"

[qtp]

It appears that *nix systems now have an exploit

Yep, *nix systems have exploits, and an hour or two turnaround between discovery and a fix. I'd like to see Microsoft match that.

"Linux has no exploits that need patching"

People who actually know Linux would never claim that there are no known exploits, just that the time-to-fix is much shorter and that applying these fixes to running systems is usually much easier (in most distributions) than in a Windows system (ie no reboot required, one location for all necessary fixes, better software package management, etc)

I use Linux and BSD at home, but manage Windows machines at work (I have no decision making power, I'm just a grunt) and I must say that Windows management is a royal pain in the ass. We've had no problems with the recent Windows viruses and worms, but I do spend an inordinate amount of time applying patches, rebooting machines, and checking that the new patches did not wipe out the old ones. I don't think that it is unreasonable for Microsoft's customers to demand better patch/upgrade management, a single location for updates to both applications, servers, and the OS, and a better method for confirming that the files included in a patch contain the all of the required fixes (for that file) even if they came from different departments at microsoft.

Really?

[ubiquitin]

The upgrade shouldn't touch your key files. Even the IP#/domain-name checksums shouldn't change when you update.

Re:Update for debian is 1:3.4p1-1.1

Why the crap do they have to make up their own version numbers?!? Red Hat does this too and it drives me nuts...

What would be so bad about calling it 3.7p1 like the rest of the world?

SSH Exploit

What? An exploit that only affects Linux? And all this time, I thought Linux was secure. Oh well, time to switch back to Windows Server 2003.

Re:Ermm.. can anyone say "Microsoft"

[kevin+lyda]

yes it does. but it's not in the default install, and sshd is not on by default even when you install openssh.

It'll help, and also:

[TomatoMan]

you can restrict access in your /etc/sshd_config (wherever you have it) like so until you can get the patched version, if you allow access from anywhere:

DenyUsers *
AllowUsers you@your_ip_address

(and restart sshd)

You can also firewall the port off. I've done a hodge-podge of these solutions on different systems I admin until I can actually get the 3.7p1 source from the mirrors (they dont' seem to have it yet).

Re:It'll help, and also:

Hmm, this kinda seems to be the problem with lots of Linux (and UNIX in general) security.

You can have access rules:
- at the edge router
- at the firewall
- at the software firewall on the host
- in hosts.* in tcp wrappers
- in application config

This is, frankly, ridiculous. It makes troubleshooting difficult. Problems come and go. Security is spotty. Administration is a nightmare.

Re:It'll help, and also:

Hmm, this kinda seems to be the problem with lots of Windows security.

You can have access rules:
- at the edge router
- on the ISA server
- at the software firewall on WinXP hosts
- in application config

Re:It'll help, and also:

[missing000]

That string won't work. (At least under RH9).

If you want to block all users but your list of allowed users, just use:

AllowUsers user1@users_ip_address user2@users_ip_address ... # To allow only by IP address

or AllowUsers user1 user2 ... # To allow from any IP

That DenyUsers string blocks your list of allowd no matter where you put it.

Re:It'll help, and also:

[maiden_taiwan]

"AllowUsers you@your_ip_address" doesn't do what you might think it does. As written, it looks like it says something about a remote user. It doesn't.

It is better explained as "AllowUsers localAccount@remote_ip_address". It means: "Allow SSH connections from anybody at remote_ip_address to connect to localAccount." (Of course the remote user still must authenticate successfully.)

The syntax unfortunately looks like it specifies a remote user. It doesn't. It defines a relationship between a remote IP address and a local user.

Trust me, I wrote the book. :-)

Re:It'll help, and also:

[JamieF]

Good thinking! I agree. We should concentrate all our access control into a single layer that does everything. All traffic will have to pass through that layer. That will not only be faster but more flexible, and more robust in case there's a bug.

We shall call it Aleiob, which is short for All Eggs In One Basket. 'Cuz that makes _so_ much sense.

If you can't keep track of your network configuration, draw a picture, and/or write some scripts that generate product-specific rulesets from a centralized, abstracted ruleset.

Updating for RedHat

[bathmatt]

Since many of the mirrors don't have the latest rpm, people can build them quite simply.

Step 1, get the older 3.6.1p1 src rpm from any of the mirrow sites. and install. rpm -U openssh-3.6.1p1-1.src.rpm

Step 2: untar the the file in the source dir

cd /usr/src/redhat/SOURCES/

tar xzf openssh-3.6.1p1.tar.gz

Step 3: replace the buffer.c file with the one from here here

cd openssh-3.6.1p1/; cp /tmp/buffer.c .; cd ..; tar czf omniORB-4.0.2.tar.gz openssh-3.6.1p1/

Step 4: build the rpm. cd ../SPECS; rpmbuild -bb openssh.spec

Step 5: install, cd ../RPMs/i386; rpm -U --force openssh*; /etc/init.d/sshd restart

Thats it...

Debian?

[bahamat]

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

Odd. I run Debian on all of my systems and PermitRootLogin is set to no on all of them. Sarge and Sid also have UsePrivilegeSeparation set to yes by default.

Re:Debian?

[Fluffy+the+Cat]

But sshd is running as root. The problem is in the section of the code that isn't running as a non-privileged user, so UsePrivilegeSeparation won't help. PermitRootLogin isn't much use if the software is being made to do things it's not designed to do.

Re:Debian?

[Dalcius]

Can anyone confirm this with a link? (sorry for being lazy, I'm headed to bed)

The first thing I did when I brought up my ssh server was to deny root access and limit login to the only users who should be accessing my box. I didn't read this notice until I got home this evening and it took me a few hours to get around to patching it, so I'm curious as to how vulnerable I really way.

Thanks in advance.

Explanation

[Hard_Code]

Could somebody explain the problem and patch in english? I see that buffer->alloc could have an invalid value for just a few lines...I can't tell whether this structure is shared by more than one thread, but if not, where is the exposure, since it is just immediately reassigned/reallocated?

OpenSSH and Mac OS X

[acadiel03]

Hmm....

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

Better keep it firewalled behind my VPN.

Re:OpenSSH and Mac OS X

Doesn't OSX have root login on ssh disabled by default? Would this not prevent the exploit as explained? Anyone, anyone? Bueller, Beuller?

Re:OpenSSH and Mac OS X

[acadiel03]

Yes, but some people (like me) enable it (it just has a null password, which disables it.) I enable it so I can login and backup what I want without logging in as either of the two main users on my box. I'm behind a firewall anyway, and don't normally port forward. If I really want to get into my box, I VPN in then SSH. And yes, SSH lets me log in as 'root'.

Re:OpenSSH and Mac OS X

[Dawang]

The root *account* is disabled system-wide by default (on MOSX client - MOSX Server has root enabled... I just disabled SSH on my MOSXS pending patch...), but AFACT, the sshd_config for Mac OS X is configured to allow root remote login via SSH.

The question is: can sshd below 3.7 be exploited solely if root login is enabled, or does the root account have to be active as well?

Another place to find the patch/bug advisory

[vt0asta]

http://www.securityfocus.com/archive/1/337662/2003 -09-13/2003-09-19/0

Re:Another place to find the patch/bug advisory

[Dairyland.Net]

The patched buffer.c is available at ftp://ftp.dairyland.net/pub/linux/redhat/patches/o penssh/3.5p1/buffer.c. Works with OpenSSH 3.5p1.

Re:Uh oh - no funny

amen!

Re:Update for debian is 1:3.4p1-1.1

'Cause Debain dosen't run 3.7 in 'stable'

3.4p1-1.1 is 3.4patch level 1.1, indicating a security fix.

Having Tourble Compiling on OpenBSD?

If you are trying to compile on OpenBSD 3.3 or older (e.g just about every OpenBSD box out there), note that before doing the build you need to:

1.) Unpack the OpenSSH 3.7 source
2.) Apply a patch available here

If you don't apply the patch, "make" will fail. See the instructions here.

Mirrors that *have* the 3.7?

Anyone have a list of mirrors known to have the patch or 3.7 source? So far the only place I've been able to get 3.7 was at ftp.openbsd.org itself...haven't found a mirror that has replicated already.

Re:Uh oh - no funny

[theLOUDroom]

Yeah those "NO CARRIER" jokes just aren't fun@~%4!.z^%r#$% NO CARRIER

Updating for FreeBSD

[NuShrike]

cvsup
make buildworld
make installworld

Re:Updating for FreeBSD

yeah, but thats to update the whole damned system.. and requires a reboot.. I just wanna update openssh..
is there another option for freebsd?

Open SSH 3.4p1 and Mac OS X....

[acadiel03]

(went into the wrong thread - ack!)
Hmm....
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
Better keep it firewalled behind my VPN

guess I have to hit you with a 2by4

maybe it has to do with the release being a fix for a certain exploit????...

buffer.c

[Pflipp]

Still, you'd say that a "buffer overrun" (?) in a file called "buffer.c" would have been found earlier.

oops sorry..

reading/posting from lynx.. the "2by4" reply is intended for the parent of your post.. :)

Only one remote hole in the default install...

Not anymore:

Only two remote holes in the default install, in more than 7 years!

Re:Ermm.. can anyone say "Microsoft"

[Overly+Critical+Guy]

No, it would still be an ssh vulnerability.

Remember, we're supposed to seperate the OS and the apps that have the holes...remember?

Or are we still using the term "Windows hole" when referring to Outlook?

More information

OpenSSH buffer_append_space() Error May Let Remote Users Execute Arbitrary Code and OpenSSH "buffer_append_space()" Vulnerability

Theres little time

[JamesP]

1. Make lsh incompatible w SCO UNIX
2. ???
3. WTF?
4. Profit!!!

Re:Theres little time

[shaldannon]

lsh ain't done til SCO won't run...err...yeah...

FUD?

[Alejo]

It seems that privilege separation does *not* help here - so get them systems patched (and firewalled)!

isn't this just FUD? could you at least mention *why* you think so?

Re:FUD?

[Oestergaard]

I pieced the message together as soon as I had seen about five mails from slashdotted mailing list archives, in order to let people know what the status was at that time - thus the title of the post ("bits and pieces so far").

One of the original posts in one of the threads stated, that there had been multiple successful attacks at an ISP which seemed to be SSH related. In this case they did run with privilege separation enabled.

As the thread evolved, it became clear that there was a vulnerability in SSH.

I therefore wrote that it seems that privilege separation does not help in this case. And I specifically wrote "seems" because it was not proven beyond a doubt, that the original attacks were indeed caused by this vulnerability, it only seemed "highly likely" from the thread.

I never meant to spread FUD - I tried as best I could to get the most information as was available at the time, out to the most people. And it is a lot safer saying "privilege separation might not be effective" than not mentioning that fact (it was a fact that it seemed not to be effective), and having someone believe that they were home free when maybe they weren't.

It should be pretty simple to examine the code to see if the buffer.c routines are used somewhere before the privsep code. I will leave that as an exercise to whoever cares, my sshds are updated now :)

Perspective

[abe+ferlman]

If Microsoft made SSH, they'd deny the existence of this bug for 6 months then release a Rumplestiltskin patch that made you agree to waive your rights to your first born child, the fourth amendment, and all your base.

It's not just that people want to make improvements to source code - sometimes we want to FIX the source code before someone else can mess with it. Remember this next time someone reads a MS talking point saying that few users want to edit the source code to applications.

Lies, damned lies and ... statistics.

One remote hole in seven years is a statistic. I guess the OS should be trusted as much as statistics can be trusted.

Re:Update for debian is 1:3.4p1-1.1

[bahamat]

They're not making up their own version numbers.

The actual version being run on a Debian stable system is 3.4p1-1.1.

It's version 3.4 exactly as it was origonally released. Debian stable does not upgrade packages, that's why it's stable. Instead, the fix is backported to the older version so that it is not only stable but secure as well.

How do I safely test, stop, start sshd on a colo?

I have a colo that only allows ssh access.

How can I safely test, stop, and start sshd?

If I am already connected via openssh, will stopping sshd kill my connection?

duh! coordinated multivendor announcements

[Alejo]

Responsible software vendors release security advisories coordinating with other vendors.

But it is common for irresponsible vendors *cough*redhat*cough*debian*cough to fsck everyone else when they are invited to this groups.

Remember some vendors have multiple versions to update, and a lot of testing before releasing. At least a whole day of work.

Sure, full disclosure ppl would argue that, but maybe there's a middle chance... for example telling ppl some workarounds (if there are) just after knowing the patch, but way before releasing the advisories/patches.

Anyway, I hate here on /. ppl claim stuff like crazy. And instead of blaming the vendor arseholes who shoot others in the back for nothing, blame responsible and respected agents (be it a vendor or someone like Theo)

Re:duh! coordinated multivendor announcements

[Minna+Kirai]

Responsible software vendors release security advisories coordinating with other vendors.

Responsible software vendors are honest with their customers, and inform them of potentially dangerous problems as soon as possible.

MOD PARENT UP

[pen]

thanks

PLEASE POST VERSION NUMBER IN ARTICLE SUMMARY

[whovian]

As I'm sure many are in the same boat, I don't care about the version RedHat is responsible for. I want to know whether the vendor source code is/was vunerable.

Pity, I cannot get past the ./ effect to find out myself at this moment.

Red Hat RPMS available now

[festers]

Just checked up2date and saw the RPMs there. Not sure if they fix the bug you mention, but at least they've patched the gaping security hole now.

Microsoft supported

[egarland]

What are the odds that there is a subcontractor for a subcontractor who is working on finding and "documenting" vulnerabilites in linux right now? It's unethical but it would make good business sence. Those two things seem to be required for anything to happen within Microsoft these days so it must be true. (grin)

Re:Microsoft supported

Tinfoil hat alert.

Deja-vu: Theo's response/behaviour.

[Ricin]

Look at this: http://lists.netsys.com/pipermail/full-disclosure/ 2003-September/010146.html

Remember all the hoopla when everyone *had* to upgrade to privsep immediatly? The lack of details? Theo wining about "hours and hours of hard work" but taking his time to write back and shit all over the person who's merely asking if there's a patch.

Deja-vu. I clearly remember that FreeBSD wasn't even exploitable then but we got told afterwards.

Maybe this is Theo's approach to mass marketing but I find his behaviour close to shizophrenic(sp). Theo the saviour against the rest of the world. It's also amusing to see (some) people go out of their way to *defend* this behaviour. What a cult.

Oh well, just observing... (shrugs)

Re:How do I safely test, stop, start sshd on a col

[NetJunkie]

You can restart sshd without killing your connect. When you SSH to a box the sshd process spawns a copy for your connect. You can restart the primary process without it dropping the existing connections.

Will TCP Wrappers prevent this?

[daeviltwin]

I have a RedHat 9 box. I have TCP wrappers setup to only allow connections from two ip addresses. Does anyone know if that will prevent this attack?

Re:Will TCP Wrappers prevent this?

[xadhoom]

as far as I know, no in the stanard setup, since
sshd is by default a standalone daemon, not spawned by tcp wrappers.
you can put it under tcp wrappers (if not already done) or build a simple firewall rule with iptables to limit the access.

Re:Ermm.. can anyone say "Microsoft"

[ummit]

It appears that *nix systems now have an exploit, where are all the people claiming "Linux has no exploits that need patching"...?

Right! And where's the rampant, bring-the-net-to-its knees exploit that alerts everyone to the fact?

update is in red hat network

[neves]

I've just upgraded my machine using red hat network.

Woah, hold the phone.. new t-shirt?

[jonabbey]

Aw, sweet I'm so there.

I hate having to support old versions, so maybe

The OpenSSH team created the exploit and released it to help motivate folks to upgrade quickly.

Redhat RPMs are available

[pollock]

Redhat has finally posted patched RPMS on their errata pages. Scroll down and select your release.

Redhat Advisory RHSA-2003-279

[gunnarE]

Redhat just released an advisory with links to updated RPMS: RHSA-2003-279

Net and Free BSD

No one makes mention but should it be assumed that any os using ssh is vulnerable. ie, freebsd, netbsd, cygwin, mac, as well as the many linux distros.

Redhat rpms are now avaliable

I just downloaded the patched version for my RH9 box from up2date.

Ah, the irony of it all

[ProphetOfCod]

Something goes bad with Unix - Shame on the exploiters. Something goes bad with Windows - Microsoft sucks. I really appreciate the humour :)

Re:Ah, the irony of it all

[Disti]

I really don't think exploiting is never good. It's just the matter of how problems are being addressed.

In *nix world security threats are taken very seriously, even if there's only a remote possibility of someone figuring out how to exploit them. After this bug is found it's just matter of hours when the patch is released and an announcement of the threat is just matter of minutes.

For comparison in Windows world there hasn't been very good response to bugs. Too often a bug is exploited widely because exploit is already made and there's not a fix for the issue yet (and no way of creating one yourself). Also too often announcement of security threat (even without the patch) doesn't reach users quickly enough to do any good.

One of the many reasons this one is THE reason for me to stick to OPEN source - we share our information OPENLY.

Re:Ah, the irony of it all

?!?!?! All I heard was shame on the exploiters for two weeks after MSblast. I had to explain the situation to them all...

wrong. *all* versions prior to 3.7 vulnerable

[Alejo]

From the pre-announcement

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively.

Re:wrong. *all* versions prior to 3.7 vulnerable

[Dr.+Photo]

From the pre-announcement

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

D'oh! Thanks for the correction.

RedHat has posted fixes

[DDumitru]

RedHat has fixes (source and binaries) on their FTP site and docs in the erratta pages.

https://rhn.redhat.com/errata/RHSA-2003-279.html

For RedHat 7.1: openssh-3.1p1-9
For RedHat 7.2: openssh-3.1p1-10
For RedHat 7.3: openssh-3.1p1-10
For RedHat 8.0: openssh-3.4p1-5
For REdHat 9 : openssh-3.5p1-9

Good luck at getting to their FTP servers. Hopefully, the mirrors will get them soon.

stable/woody

[themusicgod1]

still remains unpatched. . . *shivers*

Re:stable/woody

[bartman]

actually it's patched, and has been since ~ 11:00 EST. you're supposed to have security.d.o in your sources.list if you want security fixes.

Good ol' Telnet

That is why I only use Telnet. Never heard of anyone hacking Telnet.

Re:Good ol' Telnet

[dnaumov]

Because you don't need an "exploit" to "hack" Telnet. Telnet is not encrypted at all, all your passwords are sent in plain text so anyone can sniff your packets and get your logins.

Re:Good ol' Telnet

And that's why I've already 0wn3d yer boxen. Your r00t password was shown in cleartext. Who ever thought of using your license plate as your root password? DUMB!

Re:Good ol' Telnet

Actually, that's not true. I think someone needs a refresher course!

FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

[dnaumov]

The FreeBSD team has released a related Security Advisory and issued patches for affected FreeBSD versions as well as OpenSSH in the ports tree.

Corrected:
2003-09-16 16:24:02 UTC (RELENG_4)
2003-09-16 16:27:57 UTC (RELENG_5_1)
2003-09-16 17:34:32 UTC (RELENG_5_0)
2003-09-16 16:24:02 UTC (RELENG_4_8)
2003-09-16 16:45:16 UTC (RELENG_4_7)
2003-09-16 17:44:15 UTC (RELENG_4_6)
2003-09-16 17:45:23 UTC (RELENG_4_5)
2003-09-16 17:46:02 UTC (RELENG_4_4)
2003-09-16 17:46:37 UTC (RELENG_4_3)
2003-09-16 12:43:09 UTC (ports/security/openssh)
2003-09-16 12:43:10 UTC (ports/security/openssh-portable)

Re:Privilege Separation

Does this not defeat the purpose of privilege separation? Or at least show that it is imperfectly implemented? I thought the whole point was to prevent a privilege-separated process, no matter how buggy or what its nature, from gaining general root access...

Fixed that ancient LSH README

Ooops, I had totally forgotten about that old copy of the README file in the ftp archive. After it was pointed out to me in private mail, I've replaced it with the current README. /Niels (LSH author)

Re:Fixed that ancient LSH README

/Niels (LSH author)

How do we know you're really who you say you are? I don't see any PKI armour in your AC post there, eh?

An explanation of what the patch does

[i_am_nitrogen]

I've read the patch on SecurityFocus. It's very simple. It looks like there is a buffer that at some point needs to be reallocated to fit more data. However, if that reallocation would put the buffer over 32KB, then the reallocation is not performed. The bug was that the recorded size of the buffer would be increased, even if the allocation was not performed, but not reset back to the original size. The patch only increases the recorded buffer size if the buffer really is grown.

An exploit of this hole would have to find a way to trigger this buffer allocation, and get it to overflow 32KB. Since the allocation would not take place, but the recorded buffer size is still large, there would be an unallocated memory area that could be referenced by code that uses that buffer. One would need to use that to overwrite program code with exploit code.

ERROR: MOD (my) PARENT DOWN, MOD THIS UP INSTEAD

[TomatoMan]

missing000's comment is quite correct, there's a mistake in my original post. Omit the DenyUsers line, it will override the AllowUsers line. Just use the AllowUsers line by itself.

Sorry.

AllowUsers you@your_ip_address

Remember, always test making a new ssh connection before logging out of your existing one, after restarting sshd.

OE == Windows

Or are we still using the term "Windows hole" when referring to Outlook?

Well, if you had said Outlook Express, then the answer is YES since MS claims OE is an inseperable component of IE and IE is an inseperable component of Windows itself, then OE == Windows.

Re:OE == Windows

[Overly+Critical+Guy]

Microsoft has never claimed that Outlook Express is inseperable from anything. It's just a stripped down Outlook.

Re:OE == Windows

[TheDanish]

Which is also depricated, IIRC. I wonder what they're going to do for a mail client now?

Still no Debian Packages...

[Make]

but for those who need patched .deb's, go to my Debian package repository:

http://readme.gzipped.org/~max/debian.html

Choose one of the sources.list lines depending on your CPU, insert it into your sources.list, update, upgrade, and you're safe.

I applied the patch from http://www.openssh.com/txt/buffer.adv to the original 3.6 Debian package from testing.

Sorry for the German text, I shared this repository of Debian Packages (unstable packages ported to Woody, compiled with gcc-3.2 and CPU optimizations) only with my German friends till now...

Re:Update for debian unstable??

[alexandre]

Anyone has an idea of where to fetch a 3.6.1p2-6 + fix or something? :)

stupid slashbot,

yhbt !

hth. hand.

-tirel

exploit a real long shot

[nuttyprofessor]

The bug involves an inconsistency with
the recorded and actual buffer size.
The buffer is allocated off the heap,
but an exploitable overflow really only
works for buffers allocated off of
the stack (where you can overwrite
a subroutine's return address and redirect
program flow). I guess if there are subroutine
addresses in struct's dynamically allocated
off of the heap, then you could redirect
program flow, but I am suspicious of this.

Would this be useful?

[Dr.+Manhattan]

I don't want ssh running open to the world all the time, because of things like this; but I also want to be able to log in remotely from varying places with reasonable security. So I've been thinking. Imagine an app like this:

1. Listens on a given port, waiting for a connection. If it receives one, it reads an MD5 hash (and only that amount of data).
2. It computes an MD5 hash of a secret password, and the current time to the minute. It then compares that to what it received in step 1.
3. If they match, it fires off a ssh process listening on a nonstandard port. If they don't match, it locks out the source IP after a given number of failures.

Obviously, the person contacting the machine has to know the secret password, and also what port the sshd is going to be started on. This seems so simple and stupid that it'd be darn near impossible to have a buffer overflow, and while it could be subject to denial-of-service attacks, few things aren't.

Extensions like a 'kill' password that'd turn off this 'sshd-kicker', and a timer that'd kill the sshd if no one connected within a set period, and a limit to how fast the incoming tries would be allowed, would be easy to add.

This way, you could turn on sshd remotely when you needed to, and leave it off on other times. It's simple enough that I could write it without needing anything more than an MD5 library, and I could run it on my Palm Pilot.

Re:Would this be useful?

[Make]

what if your ssh-starter-daemon contains a security hole?

I believe that sshd, even after those two recent holes, is much more secure than any new code you might write now. Your code may be full of holes, more likely than another hole in sshd.

Don't panic - upgrade sshd every time a hole is found, it's not that often compared to most other software.

Re:Would this be useful?

[Kynde]

I don't want ssh running open to the world all the time, because of things like this; but I also want to be able to log in remotely from varying places with reasonable security. So I've been thinking. Imagine an app like this:

1. Listens on a given port, waiting for a connection. If it receives one, it reads an MD5 hash (and only that amount of data).
2. It computes an MD5 hash of a secret password, and the current time to the minute. It then compares that to what it received in step 1.
3. If they match, it fires off a ssh process listening on a nonstandard port. If they don't match, it locks out the source IP after a given number of failures.

What you describe there actually is having an additional layer there. The problem with time based salting is that for it to work practiacally the time window has to be too large, allowing the same token to be used again quite easily.

If you already have the key at both ends, why not talk using symmetric cryptography straight away, use some proven to be solid cipher, add some salt/nonce, and quickly handshake new keys if needed and it's bomb secure. Naturally your implementation may fail, but that's why you might concider using cipe or openvpn to do it for you.

Another problem with mere remote instantiation is that you have no control over source spoofing and thus an ssh attacker could just wait there for you to spawn the sshd and then attack along side. Thus it's better to really layer then, e.g. ssh over some udp or ip based vpn solution.

Double layers are widely deployed on systems where no single piece of sw can be relied on. One convenient place to place them is the vpn layer. We use cipe, which is a tiny, simple and solid udp/blowfish based vpn solution, on top of which we run ssh, hoping that both of them won't get holes at the same time. Moreover cipe doesn't rely on openssl crypto, thus even the openssl crypto lib wont be a common nominator for ssh and vpn.

Re:Would this be useful?

[Dr.+Manhattan]

The problem with time based salting is that for it to work practiacally the time window has to be too large, allowing the same token to be used again quite easily.

Ooops, I knew I forgot something. I thought of that, you also add the number of successful connections that day before the hash, or other salting. Basically, you make sure the same token can't be used during that window. Throttle the number of incoming connections and the likelihood of guessing the correct key for the window can be made arbitrarily small.

why not talk using symmetric cryptography straight away, use some proven to be solid cipher, add some salt/nonce, and quickly handshake new keys if needed and it's bomb secure.

That'd certainly work, but I'm also trying for something that'll work with reasonable speed on a 16MHz 68K processor (Palm IIIxe).

Naturally your implementation may fail, but that's why you might concider using cipe or openvpn to do it for you.

Another reason for simple & stupid. :->

Re:Would this be useful?

[Dr.+Manhattan]

what if your ssh-starter-daemon contains a security hole?

By reading a known, fixed amount of data, it can't get a buffer overflow. Aside from the rate of incoming connections, that data's the only thing an attacker can control, and the only thing that data is used for is to compare with an internally-generated hash. Even if I write in C, I can use strncmp() for the compare. :-)

I believe that sshd, even after those two recent holes, is much more secure than any new code you might write now.

But the proposed program is attempting a much less complex job.

Don't panic - upgrade sshd every time a hole is found, it's not that often compared to most other software.

I don't want to be rooted when that does happen, though. I don't want to have to frantically rush to install a new update when such a problem is found, too. If I'm on vacation, I'm content to let it wait until I get back. If sshd isn't running, I can do that.

A mirror for Brian

[Wee]

I emailed Brian (I don't have AIM) and got the location of his limited bandwidth packages. I put them on my server: http://27.org/ssh/. I'll remove those files and redirect requests to Red Hat's errata page when they have official packages.

If using binaries/source from non-vendors weirds you out, you can also grab the RPMs for RH9, or the SRPMs for other releases (and presumeably other distros like SuSE, Mandrake, et al. as well) directly from the OpenBSD guys. The only US mirror which had them (as of this morning when I heard about the announcement) was ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/por table/rpm/. I didn't look through the international mirrors, but I got pretty good speeds from across the country.

-B

The only secure server

[Baron_Yam]

Until a certain Hollywood director sends a couple of subs down to make a movie about it...

My ISP too

[scruffyMark]

They haven't said anything about why they're blocking port 22 - I'm with Telus in Alberta, and they're pretty uncomunicative - but they blocked port 22 just about an hour or two ago. I was actually in an ssh session to my home computer, and all of a sudden it dropped. Nmap confirmed the port is now filtered, not that the server died on my machine.

liar. (other Full-Disclosure archive links)

[Alejo]

Can't see anything at the full disclosure mailing list poiting anything serious. Only a priv mail from theo stating the bug doesn't look exploitable for now.

Do you trust anybody posting something they've heard? The guy that started the "new ssh exploit?" thread stated first he knew of an ISP *blocking* sshd traffic (this is far from an exploit). And afterwards he says "The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH.". Note he is loosing it, the exploit FUD without base... and all ppl there start to talk about the bug as a fix against an exploit, though *nobody*, not even Theo's nemesis Darren Reed, mentions there is an exploit on the loose.

So FU** YOU. You scare ppl, you hide that and to d o so spread more fud by making wrong paraphrasing of the mailing list, hiding behind the slashdotted main archive.

SO BAD THERE ARE OTHER ARCHIEVES AROUND.

Re:liar. (other Full-Disclosure archive links)

[Oestergaard]

Can't see anything at the full disclosure mailing list poiting anything serious. Only a priv mail from theo stating the bug doesn't look exploitable for now.

So that must mean that what I read did not exist?

Try here

That is the message that describes that privsep was enabled - a few messages before, the ISP incidents are described.

Do you trust anybody posting something they've heard?

No, and neither should you.

But tell me, why would I deliberately lie?

The guy that started the "new ssh exploit?" thread stated first he knew of an ISP *blocking* sshd traffic (this is far from an exploit).

Yes, that mail states that they are blocking *because* they had several boxes rooted from what *seemed* to be an sshd exploit.

Can you read at all?

So FU** YOU.

Charming.

I am sure that if you could count, you would tell me in how many ways as well.

SO BAD THERE ARE OTHER ARCHIEVES AROUND.

*plonk*

I don't know what you are smoking, but I will try to avoid your dealer.

I see *nothing* in what you wrote above, that casts any doubt on the correctness of what I posted. It was doubtful whether privsep would prevent the bug, and I stated that in the post to keep it correct.

What's your point? So far you've called me a liar, become my first slashdot "freak", and blurted all sorts of things about how unfair the world is to you. Why is it that we need to care about your oppinions? Do you have an oppinion at all? What are you trying to tell us here?

Re:Ermm.. can anyone say "Microsoft"

[pmz]

Or are we still using the term "Windows hole" when referring to Outlook?

I prefer the term "Microsoft hole" when referring to any of their rushed-to-market products.

RedHat SRPMS already updated?

[tyler_larson]

I downloaded openssh-3.1p1-10.src.rpm from rhn.redhat.com for RH 7.3. And I found in the SOURCES directory the file openssh-3.1p1-buffer-size.patch. A quick look at the contents of the file reveals:

RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;

if (len > 0x100000)
@@ -98,8 +99,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}

If I'm not terribly mistaken, that patch fixes the hole in question. So if they already have the patched SRPMs posted, why can't they have the patched RPMs there too? (as of this posting, they don't yet.)

Well, looks like it's time to install the -devel packages and get to work with rpmbuild.

My computer's immune!

[slimey_limey]

I have the network cable unplugged. HA! Beat _that_, crackers!

Exploit code

[menders]

...does anybody have it? I need to see if my 2.2.0p1 installations are vulnerable. It appears they are after reviewing the changes made to buffer.c, but I need to verify that. Somebody, please?

Re:Exploit code

I can help you. Give your IP and I'll test your boxes for you.

Re:ARREST PARENT

[glenebob]

FOR CIRCUMVENTION!

really safe....

[smitty45]

1. temporarily wrap and firewall telnet services from your known and good IP.
2. login with telnet, upgrade ssh
3. test sshd and ssh
4. stop telnet from xinetd/inetd

RedHat errata

[Etyenne]

RedHat released their errata about 1.5 hours ago :

https://rhn.redhat.com/errata/RHSA-2003-279.html

Patch ... NOW !!!

up2date-nox

[CrackerJackz]

FYI: patched RPMs are available via up2date from RedHat, its patching time again ;)

Spin control

[t0ny]

Somebody needs to work in a "this is Microsoft's Fault!!!" angle. Come on, this is slashdot; you guys are letting me down.

Re:Spin control

[henrygb]

Why Microsoft? SCO own Linux - it must be their fault.

I am safe!

[Sediyama]

You have to overflow a 0xa00000 buffer, or a 160 Mb buffer. It would take a lifetime with my poor link!

Lonely nights

[greygent]

Thank the lord patching my FreeBSD servers is as easy as patching Windows servers with Windows Update!

'make world' is so quick and easy my grandmother can do it, and I don't have to spend all night waiting for the entire system to recompile.

Oh wait.

Anyone have Redhat 6.2 or Mandrake 8 RPMS?

[tk422]

Anyone have Redhat 6.2 or Mandrake 8 RPMS? these boxes are so old the compiling of the RPMS isnt working. Thanks in advance.

Re:Anyone have Redhat 6.2 or Mandrake 8 RPMS?

I just downloaded the RH7 SRPM from RHN (openssh-3.1p1-9.src.rpm) and added the openssh-3.1p1-buffer-size.patch from it into my RH6 SRPM and rebuilt. No problems.

Server Hole Only, not Client or Protocol problem

[billstewart]

The articles and patches all imply that it's a server-side problem only, and not a client-side problem or a protocol problem. So you'll need to upgrade your SSHD if you're running one, but you won't have to update your clients (e.g. putty on Windows, openssh if you're only a client, etc.)

If I've missed something critical here, please reply, but it looks pretty well documented.

mod parent up please

[andreas]

The README in question is indeed gone, so the above seemed to have been Niels. Please mod up somebody!

Re:mod parent up please

[mkldev]

Or somebody rooted Neils's box due to an OpenSSH exploit.... :-D

MOD PARENT DOWN

[miu]

-1 (I know I'll get modded down for this...)

Posters: whenever you feel the urge to type that phrase, please reconsider.

Mods: whenever you see someone has given in to temptation and used that phrase, please justify it and mod that post down.

Re:Command to see what version is running...

[planckscale]

FYI, the command to find out which version of ssh is running, type:

ssh -V

My results were

OpenSSH_3.4p1 Debian 1:3.4p1-4, SSH protocols 1.5/2.0, OpenSSL 0x0090607f

This is the version I have after doing an "apt-get update". Is this the version I need? Do I need to re-start the daemon to get the newest version or am I good 2 go?

Gardner advisor

[JamesP]

Gardner group advises everybody that, in face of this major security problem, that everybody should move to windows.

RedHat patch released

[ivanmarsh]

RedHat has already released a patch through up2date for this.

Mandrake update

[lone_marauder]

Word from Mandrake is that a patch should be on their mirrors in about an hour.

Re:Mandrake update

is the official Mandrake announcement.

Dr. Evil says...

I've got a whole bag of Ssh with your name on it!
That was a pre-emptive Ssh!

here is how I fixed mine w/out RPMs

[tcpiplab]

Of course, do this at your own risk, but it worked for me on RH8, before the RPMs were realeased, so I did it the old fashioned way.

First you need the latest version of OpenSSL:

http://www.openssl.org/source/openssl-0.9.7b.tar .g z

$tar -zxvf openssl-0.9.7b.tar.gz
$cd openssl-0.9.7b.tar.gz
$make
$make test
$make install

If you haven't stopped sshd yet, then do this:

$/etc/rc.d/init.d/sshd stop

Then you need to get the latest version of OpenSSH:

Go to one of the mirrors listed at:

http://openbsd.groupbsd.org/openssh/portable.htm l

I've found this one to be realiable:

ftp://rt.fm/pub/OpenBSD/OpenSSH/portable/

And download this file:

openssh-3.7p1.tar.gz

Then do the usual:

$tar -zxvf openssh-3.7p1.tar.gz
$cd openssh-3.7p1
$./configure
$make
$make install

And that should fix it. Just restart sshd:

$/etc/rc.d/init.d/sshd start

Then confirm that you're running the latest:

$ssh localhost -V

SSH should be 3.7p1 and SSL should be 0.9.7b

Re:here is how I fixed mine w/out RPMs

[windex82]

how the hell does this get "INTERESTING"!?

Thanks for the quick and to the point instructions and full links to all the files needed. I wish i had some points to mark this INFORMATIVE.

iptables and ipchains scripts to limit SSH access

[getnuked]

If you can't get to an update for your distro, here is a quick and dirty script for both iptables and ipchains based machines to limit SSH access to only specific IPs (replace 1.2.3.4 with the address you want to connect from, add more lines to add more hosts) - of course these only apply to Linux based machines with either iptables or ipchains in the kernel or available as modules:

iptables:

#!/bin/sh

insmod iptables

iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4
iptables -A INPUT -j DROP -p tcp --destination-port 22
iptables -A INPUT -j DROP -p udp --destination-port 22

ipchains:

#!/bin/sh

insmod ipchains

ipchains -F input
ipchains -P input ACCEPT
ipchains -A input -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4
ipchains -A input -j DENY -p tcp --destination-port 22
ipchains -A input -j DENY -p udp --destination-port 22

Slackware Advisory

[Eric+Destiny]

[slackware-security] OpenSSH Security Advisory (SSA:2003-259-01)

Upgraded OpenSSH packages are available for Slackware 8.1, 9.0 and
- -current. These fix a buffer management error found in versions of
OpenSSH earlier than 3.7. The possibility exists that this error
could allow a remote exploit, so we recommend all sites running
OpenSSH upgrade to the new OpenSSH package immediately.

Here are the details from the Slackware 9.0 ChangeLog:

Tue Sep 16 11:13:05 PDT 2003
patches/packages/openssh-3.7p1-i386-1.tgz: Upgraded to openssh-3.7p1.
From the OpenSSH Security Advisory
(http://www.openssh.com/txt/buffer.adv):
"All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively."
(* Security fix *)

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackw are-8. 1/patches/packages/openssh-3.7p1-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackw are-9. 0/patches/packages/openssh-3.7p1-i386-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/s lackware-cu rrent/slackware/n/openssh-3.7p1-i486-1.tgz

MD5 SIGNATURES:

Slackware 8.1 package:
a86d410e47fe8ab4a8e9f04293a94093 openssh-3.7p1-i386-1.tgz

Slackware 9.0 package:
ca1d0b1e658c5391067f2a9cf11fc239 openssh-3.7p1-i386-1.tgz

Slackware -current package:
c58003eaaf4362c8475f0f5a77f2adbb openssh-3.7p1-i486-1.tgz

INSTALLATION INSTRUCTIONS:
(This procedure is safe to do while logged in through OpenSSH)

Upgrade using upgradepkg (as root):
# upgradepkg openssh-3.7p1-i386-1.tgz

Restart OpenSSH:
. /etc/rc.d/rc.sshd restart

Compiling error

[Jesus+IS+the+Devil]

When compiling the source code I get the following error. Anyone have a clue on how to fix this? I'm trying to apply the update on a redhat 6.2 machine (patched and updated):

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/s sh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-serv er\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keys ign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-he lper\" -DHAVE_CONFIG_H -c cipher.c
cipher.c:68: warning: initialization from incompatible pointer type
cipher.c:69: warning: initialization from incompatible pointer type
cipher.c:73: warning: initialization from incompatible pointer type
cipher.c:74: warning: initialization from incompatible pointer type
cipher.c:75: warning: initialization from incompatible pointer type
cipher.c:76: warning: initialization from incompatible pointer type
cipher.c: In function `cipher_init':
cipher.c:230: warning: assignment discards `const' from pointer target type
cipher.c:209: warning: unused variable `klen'
cipher.c: In function `cipher_get_keycontext':
cipher.c:403: warning: comparison of distinct pointer types lacks a cast
cipher.c: In function `cipher_set_keycontext':
cipher.c:418: warning: comparison of distinct pointer types lacks a cast
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/s sh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-serv er\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keys ign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-he lper\" -DHAVE_CONFIG_H -c cipher-aes.c
cipher-aes.c: In function `ssh_rijndael_init':
cipher-aes.c:50: warning: assignment from incompatible pointer type
cipher-aes.c: In function `ssh_rijndael_cbc':
cipher-aes.c:78: warning: assignment from incompatible pointer type
cipher-aes.c: In function `ssh_rijndael_cleanup':
cipher-aes.c:116: warning: assignment from incompatible pointer type
cipher-aes.c: In function `ssh_rijndael_iv':
cipher-aes.c:129: warning: assignment from incompatible pointer type
cipher-aes.c: In function `evp_rijndael':
cipher-aes.c:147: warning: assignment from incompatible pointer type
cipher-aes.c:148: warning: assignment from incompatible pointer type
cipher-aes.c:149: warning: assignment from incompatible pointer type
cipher-aes.c:151: structure has no member named `flags'
cipher-aes.c:151: `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher-aes.c:151: (Each undeclared identifier is reported only once
cipher-aes.c:151: for each function it appears in.)
cipher-aes.c:151: `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this function)
cipher-aes.c:152: `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this function)
cipher-aes.c:152: `EVP_CIPH_CUSTOM_IV' undeclared (first use in this function)
make: *** [cipher-aes.o] Error 1

Re:Compiling error

[$0+31337]

Try upgrading the the most recent version of OpenSSL

REAL Security

[Bilbo]

> The only way to protect yourself from unwanted outside connections is with correct crypto code.

SECURITY 101: The only way to really protect yourself from unwanted connections from the outside world is to unplug from the network. Of course, that's hard if you're trying to build a Web Service. Even that isn't a guarantee if you can't provide physical security to prevent access to the system console. There's a handy little floppy boot disk I've seen that will break into any Windows box made, though it won't help you if the file system is encrypted. I have a feeling there are similar exploits possible on Linux or other UNIX systems if you can get to the physical box.

Point being, security is a question of choices and compromises. What series of choices (such as leaving a ssl port open or closed) gives you an acceptable risk, and still allows you to do what you need to do?

RPMs for Red Hat Linux 7.1 and 7.2?

[antdude]

What's the best way for these two old versions? I cannot compile due to CPU stress problem (need to fix it) and kernel panics. Have not figured out why it is crashing. I can do a rpm upgrade without problems. I thought I could use Red Hat's RPMs but theirs are older and I noticed I have newer versions:

openssh-askpass-3.4p1-1
openssh-server-3.4p1-1
openssh-clients-3.4p1-1
openssh-askpass-gnome-3. 4p1-1
openssh-3.4p1-1

rpmfind.net doesn't seem to have v3.7 yet. Thank you in advance.

Re:RPMs for Red Hat Linux 7.1 and 7.2?

Get the new ones off Red Hat's site. They will say 3.1p1 (see here for why) instead of 3.7, but they do contain all current security fixes.

Re:BEAT CHILD

NOOP

Re:Command to see what version is running...

[cjwatson]

You're out of date by nearly a year. 'apt-get update' only updates your local package lists, it does *not* upgrade packages. You need to upgrade to 3.6.1p2-7.

SuSE-Update

[stesch]

[suse-security-announce] SuSE Security Announcement: openssh (SuSE-SA:2003:038)

Re:Ermm.. can anyone say "Microsoft"

just that the time-to-fix is much shorter

Funny, they don't mention when they found the bug. They just mention that they did find the big and figured that they'd fix it for the 3.7 release. This wasn't a patch. Who the fuck knows when they discovered this.

that applying these fixes to running systems is usually much easier (in most distributions) than in a Windows system

Easier? Yeah, apt-get is easy, but not easier than 2 mouse clicks. Oh, that's mouse clicks if I want to update all 250 workstations in this company at once. Fuck, my fingers are tired.

no reboot required

Great, so the exploited version of the daemon is still in memory executing? You only need to reboot Windows for a patch if the files being patched are currently in use. This ensures that the old ones aren't lingering in memory.

one location for all necessary fixes

www.windowsupdate.com

Okay, maybe two, www.officeupdate.com, but to a lesser extent.

I don't think that it is unreasonable for Microsoft's customers to demand better patch/upgrade management

I don't think it's unreasonable to expect administrators to READ THE FUCKING MANUAL and actually learn how to use the products in question. It's funny how I, one person, can keep 250 Windows 2000 and Windows XP boxes up to date (zero viruses/worms in the past year, thank you) and spend maybe 10 minutes a month doing this, yet you seem so flustered. What exactly are you doing wrong?

Mandrake updates are available

[BigGerman]

http://www.mandrakesecure.net/en/advisories/adviso ry.php?name=MDKSA-2003:090

Re:Command to see what version is running...

[planckscale]

Thanks - I'm still somewhat newbie, but do I want to do an

apt-get upgrade ssh

or

apt-get install ssh

or

apt-get upgrade

I'm worried that doing a complete upgrade (apt-get upgrade) will upgrade everything causing my system to freak out like it did the last time I tried to upgrade my version of debian unstable.

I'm not taking any chances

[eap]

I'm disabling ssh and using telnet until the patches come out. Just try and crack my box now you stupid ha%$&$#*^%$^&*

NO CARRIER

plonk?

[Alejo]

One of the original posts in one of the threads stated, that there had been multiple successful attacks at an ISP which seemed to be SSH related. In this case they did run with privilege separation enabled.

Did you read the "from" addresses? you are talking about 2 different sources, claiming stuff without *any* precission. (all following is asuming these are truly from more than one guy having fun)

Does anyone know of or have source related to a new, and unpublished exploit? An ISP I work with has filtered all SSH connections due to several root level incidents involving ssh. Any information is appreciated.

So it isnt a first hand report, and the guy doesn't say the incidents are related to this ISP. And he is *asking* if someone knows if there is an exploit. This initiating mail has as subject "new ssh exploit?", see the punctuation at the end of it? But there is more on the followup from the same guy:

More on this; The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH. The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login. I have received numerous messages from folks requesting anonymity or direct-off-list-reply confirming this exploit; The suggestions I have heard are: Turn off SSH and 1. upgrade to lsh. or 2. add explicit rules to your edge devices allowing ssh from only-known hosts. or 3. put ssh behind a VPN on RFC-1918 space. thanks.

Are you blind? Doesn't that "upgrade to lsh" bullsh** ring a bell on your brain? Or the nonsense of blocking ssh protocol altogether? Or the VPN craze?

*Other* ranter follows up:

Reported, Privsep was setup on the machines. I wouldn't know if they have tcpdumps, but I would assume they have logs. Just what I've heard by proxy. -Justin

Unless they know each other or something, or this guy works at the ISP in question, wich they didn't imply, they are just spreading unbased gossip. On *what* machines were privsep up? Do you think that enumeration of vulnerable OSs is based on attacks?

You claim that the poin of your post is to state that "it looks like" privsep didn't help. Do you base it on *this* unbased, quite suspicious rants?

I am *not* saying there is no exploit, nor privsep does or doesn't help. The point of *my* post was to show other ppl your overrated post is, for me, just plain old FUD. And instead of just claiming it as you do, I give the links so the readers decide themselves.

I am a slashdot freak, since most of /. posts are like yours, just propagation of FUD. I just put my poin of view as challengeable, and *base* my opinion on something.

event concluded...

[lone_marauder]

Okay, Mandrake just released the patches, and all my boxen are upgraded. That rounds out all of the major free software distros. So much for that.

(glances up at the MS vs. Linux scoreboard) How many power grids did we lose on that one?

Thanks

[TLouden]

I trust that my Linux box with all the security built in and added is safe but until this gets resolved and I can aplly a patch I've turned off ssh just to be safe. Thanks for the warning. My logs look clean.

anyone ACTUALLY confirm exploitation?

Just curious if anyone here has ACTUALLY managed to exploit it?

Myself and a few others have been working on it for a couple of hours thus far, and the attack vector is not apperent at all. While i would very much appreciate a hint, a simple truthfull confirmation that it indeed IS exploited will suffice. The platform, OS, and version will help as well. Replies either here or

xaiou At Info.ba

Mac OS X vulnerability

[Tancred]

As others have pointed out, OS X seems vulnerable. No update is available as on Tuesday evening 7pm EST. To disable remote login via SSH in the meantime, go to System Preferences, Sharing, and unselect Remote Login.

Re:Mac OS X vulnerability

[ChicagoBiker]

I'm not sure if being PPC has anything to do with this one way or another (as the poster below/above mentioned) and yes, SSHd is turned "off" by default in OS X, however, for those of us using it, it's troubling to be in the dark about whether this affects us or not. Luckily Apple is pretty good about this stuff, so if it does, an update should be along any minute now.

Also I would like to point out that the latest version of Mac OS X (10.2.6) is using version 3.4pl of OpenSSH. Not sure if there are any other bug fixes between that and 3.7 that we should be worried about too.

Architecture specific bug?

[Xyde]

I don't feel like sorting through 783 messages at the time of post, but is this bug x86 specific? Would sshd on 68k or PPC be vulnerable? *worried about his OS X installation*

3.7.1 out already

[Dahan]

Man, I just upgraded to 3.7 this morning, and now 3.7.1 is out:

Security Changes:
=================

All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.

OpenSSH 3.7 fixed one of these bugs.

OpenSSH 3.7.1 fixes more similar bugs.

Time to upgrade again...

Don't panic (was: Re:Mac OS X vulnerability)

[k2r]

Just to point it out: Since Remote Login is disabled by default, OSX is _only_ vulnerable if you switched it on.
And since it's PPC it doesn't seem very likely that there will be an exploit available before Apple releases a fix - or did I get something wrong?

So don't panic, just use SoftwareUpdate as soon as the patch is available.

k2r

OpenSSH 3.7.1 released...

[Craig+Davison]

From an openssh-unix-announce posting:

Security Changes:
=================

All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.

OpenSSH 3.7 fixed one of these bugs.

OpenSSH 3.7.1 fixes more similar bugs.

Time to patch & upgrade for the second time today?

Re:Update for debian unstable??

[alexandre]

3.6.1p2-7 is out ... :)

Re:Uh oh - no funny

[ashkar]

True, I wish I could mod you up and the fucking funny guy down. First time: hahaha; second time: yeah, what ever; every other time: DIE, YOU STUPID FUCKING CUM GUZZLER!!!

GNU lsh

I would never accept software with so many holes as openssh. Rumor says these exploits have circulated for the past 6 months. From now on I will only use GNU lsh! It is SSHv2 only software and have NOT had any remote exploits!

for mandrake users

[Wycliffe]

For mandrake users, check out:


http://www.mandrakesecure.net/en/ftp.php

Ironic timing!

[adrianbaugh]

This gets announced so soon after the new nmap, which will make it easier for both white and black hats to find vulnerable hosts. I'm not saying it's good, I'm not saying it's bad - but now's the time to find those hosts, black hat or white hat!

Inane comments by Theo's fanboys

[David+Jericho]

Oh god not again... The lengths some people will goto to try and damage Theo's pride.

What a stupid comment. Totally and utterly stupid.

OpenSSH is considered by many to be a core service, right up there with the kernel. If there is an exploitable bug in OpenSSH, there is a bug in OpenSSH. Plain and simple. It becomes important that we know about the potential bugs.

It's not an attempt to discredit Theo, or is it nitpicking at the OpenSSH service. I'd prefer these were found and fixed, rather than them being left unknown in order to keep Theo's ego inflated.

Discredited coding idioms

[Jeremy+Wohl]

You have to wonder how OpenBSD audits allowed thoroughly discredited coding idioms to remain in critical security software. Manual buffer and string management is the principal cause of overflow grief. Yet here we have at least five examples (as of the 3.7.1 patch) of both manual and repeated abuse. The latter is more troubling: apparently there was not even incentive to abstract these routines and fix them centrally, but to sprinkle such pre-1980 thinking throughout.

If only Dan would write a secure shell package.

not worried...

... i can't even get sshd running LOL

debug2: read_server_config: filename /etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: setgroups() failed: Invalid argument
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from ::1 port 49553
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p1
debug1: match: OpenSSH_3.7.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p1
debug2: Network child is on pid 11540
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 75:75
debug1: permanently_set_uid: 75/75
setreuid 75: Operation not permitted
debug1: Calling cleanup 0x26e14(0x0)

Re:not worried...

have i mentioned you slashdot moderators can go fuck yourselves
i cant get modded up if jesus came back with mod points

fixed in a day

[SanityInAnarchy]

I noticed the update about the patch was posted just about exactly a day after the original post about the exploit.

Slashdot is usually current enough, though not always.

But fixed in a day! I have NEVER seen Microsoft come close! Most Windows Updates come MONTHS after the security issue was discovered!

I think that's a score for Open Source.

Re:Command to see what version is running...

[glesga_kiss]

Do:

apt-get update

apt-get upgrade

The first updates the package database, the second does the package download & install.

I'm not entirely sure why it's not cron'ed by default. Does anyone know why, or is there any reason why you shouldn't do it?

New "grave" Debian Bug issued urging 3.7.1 upgrade

[Col_Panic]

Take a look at

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug =2 11324

Which notes:

the OpenBSD project have released OpenSSH 3.7.1 which contains further updates for similar issues to the one fixed by OpenSSH 3.7. While they do not know if these bugs are exploitable (which they also said about the 3.7 buffer.c update) it may be worth investigating the additional updates in 3.7.1 and seeing if any of them are applicable to the versions in Debian, and if so reissuing the security update. (The diff between 3.7 and 3.7.1 is short and only seems to contain the potential security fixes.)

Which makes me wonder if the patches that are currently being distributed won't need to be updated agian very quickly.

Re:New "grave" Debian Bug issued urging 3.7.1 upgr

I thought only Microsoft Operating systems had exploitable holes.

I don't understand. ??

Buffer overloads & stuff - isn't that only in Windoze XP ?

Dudes - I'm gonna have to deL33t my Linus OS and reinstall Bill OS...

redhat 6.2

[braddeicide]

3.7 is out? oh, err, i'm still running 3.4

No, i'm not leaving any indication of my domain :)

Um

[devphil]

Shouldn't the kernel be wiping pages when it hands them to new processes?

Hmmm... possibly not. This is a topic of some debate, apparently.

Re:Um

[defile]

Shouldn't the kernel be wiping pages when it hands them to new processes?

Hmmm... possibly not. This is a topic of some debate, apparently.

There's no debate at all.

A process cannot see another process's memory without kernel intervention. By default memory that is handed to a process is zeroed out (unless it is from a file mapping).

This is done on demand of course. If you malloc() 100MB of memory the kernel won't take 100MB of pages and set them all to zero, only the ones you touch for the first time.

Mandrake

[Dribbitz]

OpenSSH 3.7 is available from Mandrake Update (via RPMdrake).

Re:Update for debian is 1:3.4p1-1.1

[DA-MAN]

LOL! Ok, cool. Let's backport everything from Kernel 2.4 to 2.0 so it's both stable and secure!

I remember for the longest OpenBSD actually shipped with BIND 4, while BIND 9 was out. That's hilarious how long some vendors will keep backporting releases that even the authors have given up on.

Re:Server Hole Only, not Client or Protocol proble

The problem was in buffer.[ch], which contains openssh's buffer structure and related functions. This is used in both the client and server. So, in short it is possible that both the client and server are vulnerable to exploits.

Gentoo emerge history

[Dalcius]

I read your post and thought to myself, "this was fixed before the exploit? I upgraded my system a few weeks ago, I wonder if I got 3.7?"

Instead of going to figure out when 3.7 was released (could have been today for all I know, I didn't read everything this article linked to), I went looking for how to track my emerges and I found:
this.

Hope this informs someone else.

Cheers

He doesn't need to upgrade to 3.6 for stable

[detritus.]

From Debian's
security advisory:

This bug has been fixed in upstream version 3.7. For the Debian stable distribution this bug has been fixed in version 1:3.4p1-1.1.

Telling him to upgrade to 3.7 could easily send him into unstable, which he stated he didn't want.

RedHat non-Up2date method (wget)

[jroysdon]

Verify what version of RedHat you have:

$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)

Then pick the right section to run:

wget ftp://updates.redhat.com/7.2/en/os/i386/openssh-3. 1p1-10.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-as kpass-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-as kpass-gnome-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-cl ients-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssh-se rver-3.1p1-10.i386.rpm
rpm -Fvh openssh*
/etc/rc.d/init.d/sshd restart

wget ftp://updates.redhat.com/7.3/en/os/i386/openssh-3. 1p1-10.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-as kpass-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-as kpass-gnome-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-cl ients-3.1p1-10.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssh-se rver-3.1p1-10.i386.rpm
rpm -Fvh openssh*
/etc/rc.d/init.d/sshd restart

wget ftp://updates.redhat.com/8.0/en/os/i386/openssh-3. 4p1-5.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-as kpass-3.4p1-5.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-cl ients-3.4p1-5.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/openssh-se rver-3.4p1-5.i386.rpm
rpm -Fvh openssh*
/etc/rc.d/init.d/sshd restart

wget ftp://updates.redhat.com/9/en/os/i386/openssh-3.5p 1-9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-askp ass-3.5p1-9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-askp ass-gnome-3.5p1-9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-clie nts-3.5p1-9.i386.rpm ftp://updates.redhat.com/9/en/os/i386/openssh-serv er-3.5p1-9.i386.rpm
rpm -Fvh openssh*
/etc/rc.d/init.d/sshd restart

Mind the line wrapd and stupid slashdot spaces.

Re:RedHat non-Up2date method (wget)

depending on your firewalling solution, you may need to use:

wget --passive-ftp

duh

because everyone runs SSH over UDP...

Re:iptables and ipchains scripts to limit SSH acce

pf:

pass in quick inet proto tcp from 1.2.3.4 to any port 22 keep state
block in quick inet proto { tcp, udp } from any to any port 22

Oh wait, Linux users like things to be excessively cryptic... ;)

Well, ya see...

Jim Carrey was in Man on the Moon with Gerry Becker.
Gerry Becker was in Trapped with Kevin Bacon.

Burt Reynolds is easy: Burt and Kevin both starred in Starting Over.

Re:Well, ya see...

[eatdave13]

I still love this game :P

When to expect 3.7.0 aka 3.7.256?

[monas]

Just a tought :-)

Re:Command to see what version is running...

[NiteHaqr]

Sometimes the upgrade will require user intervention, so unsupervised is NOT recommended by me - YMMV.

No reason not to add this to your CRONTAB tho, just be aware that there may be problems.

Just updated 3 boxes via remote ssh connection!

Try that with windows!
I updated them while I was ssh'ed in from remote, wasn't worried about restart, restart, or crashes or screwing up other "patches" like MS products.
Just restarted sshd, and the connection I had was still there! How about that?
You windows people have no clue how cool this is, no crashes for months, this is way cool, you should try it.
Wait! It will warp your mind, so stay ignorant.

ssh problem ?

[sarragorn]

One of my servers got hacked by sniffing ssh v1 passwords and/or downgrading v2 connections to v1 if the server version is 1.99 it did the sniffing by first arp poisoning the server collocation switch. The source is something called poison.c if u in the mood for a few google searches. The thing is that v2 connections were downgraded even after upgrading to the latest openssh (if both v1 and v2 negociation is enabled in config) Maybe this is related somehow to the "bug but none known exploits" affirmation ?!

SCO claims IP rights to vunerable code

In related news, SCO is claiming the vunerable code in openssl was originally copied from the SCO sources.

Re:iptables and ipchains scripts to limit SSH acce

[etm]

An other temporary fix with iptables could be done with the recent module [1] by doing iptables -A FORWARD -p TCP --dport 22 --syn -m recent --name SSHCHECK --set iptables -A FORWARD -p TCP -i eth0 --dport 22 --syn -m recent --hitcount 20 --update --name SSHCHECK --seconds 60 -j DROP This way more than 20 SYN connection attempts per minute per IP will lead to blacklisting for as long as the potential attacker keeps hammering with connections. After 60 seconds of inactivity the IP will be delisted from the backlist. This could be useful as a script kiddie exploit will probably try lots of successive connections to cause the memory corruption [1]: http://snowman.net/projects/ipt_recent/

Re:iptables and ipchains scripts to limit SSH acce

[etm]

Sorry, first post to /. , HTML format standard and too used to BBs with auto br

Let's try this again:

An other temporary fix with iptables could be done with the recent module [1] by doing

iptables -A FORWARD -p TCP --dport 22 --syn -m recent --name SSHCHECK --set
iptables -A FORWARD -p TCP -i eth0 --dport 22 --syn -m recent --hitcount 20 --update --name SSHCHECK --seconds 60 -j DROP

This way more than 20 SYN connection attempts per minute per IP will lead to blacklisting for as long as the potential attacker keeps hammering with connections. After 60 seconds of inactivity the IP will be delisted from the backlist. This could be useful as a script kiddie exploit will probably try lots of successive connections to cause the memory corruption

[1]: http://snowman.net/ projects/ipt_recent/

If anyone needs an extra set of hands...

[fries]

I'm available to help people upgrade.

Re:DADDY STOP

en tea

Re:Server Hole Only, not Client or Protocol proble

[NumbThumb]

Not really, since you (obviously) can't connect to the client from the outside -- thus you can't attack it.
The only way i can think of in which the client could be attacked is if the server was rooted or it's DNS/IP was hijacked, which is possible but rather unlikely. You rather see a lot of "scan and exploit" type of attacks, these days.

oh shit, more helicopters

[SHEENmaster]

I thought OBSD would keep me same fram them!

(good job theo; great OS/distro)