New ssh Exploit in the Wild
veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."
Best patch and upgr..&*[NO CARRIER]
New manifestations of Job Security for us techs!
Shift happens. Fire it up.
Posting this to slashdot is actually a public service, as the exploit description will be /.'d and unable to effectively be disseminated to the bad actors.
Thank god I'm using something secure like Telnet instead.
I mean really - telnet is perfectly secure unless you use a direct connection. Use of a quantum tunnelling encryption layer and probabilistic key generation means you get the maturity of telnet with a greater level of security (I'm talking non-recursive factorial strength here).
ssh is just for losers who can't set up transparent network layering.
Is it the same bug that requires me to type the full word "yes" or "no", and not shortcut keys 'y'/'n', when I want to connect to a remote server??
=)
Damn trinity and her sshnuke...
A librarian peeked around the corner to see where the noise was coming from, then put her finger to her lips and said, "Ssh!"
The kids ignored her and kept talking, completely and utterly exploiting the hole, and circumventing the 'Ssh'!
Never was I so frightened.
There is no reason to be running SSH daemon on a desktop machine, especially one where you are always root. Open a console and type 'netstat -a | grep ssh'; if it's running, mail Lindows support and tell them they are morons from AC on \.
I'm afraid it means that everything you've installed so far is corrupt, and all your efforts have been wasted. Quickly now, go to your nearest office supply store, get a copy of Windows XP and start over, before the damage spreads!
Remember to use long jumps if you want to goto more than 255 bytes of pride-damaging.
In Soviet Rush, today's Tom Sawyer gets high on you.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
"disseminated to the bad actors." I fail to see what Burt Reynolds has to do with it.
Last one in jail is a fascist.
Ignoring the unix updating tools, it's hard to update.
No kidding. Let me guess, ignoring the sun, it's dark?
Slashdot Patriotism: We Support our Dupes!
I just read all these replies (about 15 right now) and all of them are nice and respectful of the fact that this guy is a newbie!
I must be on the wrong site.
NarratorDan
"If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
Ssh, don't tell anyone.
Omnis amans amens
You are already running windows. You have more serious problems.
...why I always go back and add security holes to all of my programs. If some future (or current) anti-regime hacker needs to be able to break into a local power plant, I want to make sure my code can help!
[I considered signing this post "love, Theo" but then thought better of it.]
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
A demonstration would be nice.
:-)
It'd serve you right if he gave you one.
The only really secure server is buried in concrete, unplugged and at the bottom of the deepest trench in the ocean. It's *probably* secure there, but I wouldn't bet my life on it.
That's okay, I will.
I bet this guy's life that a server on the bottom of the ocean is secure.
Yeah those "NO CARRIER" jokes just aren't fun@~%4!.z^%r#$% NO CARRIER
Life is too short to proofread.
Something you seem to have missed is that Linux is open source, making it much easier to find exploitable holes. Imagine how many exploits would be uncovered in Windows if we could read the source code.
In fact, you don't need to imagine it. Microsoft are on the record as stating that it's one of the reasons why they can't possibly reveal Windows source mode widely.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
1. Make lsh incompatible w SCO UNIX
2. ???
3. WTF?
4. Profit!!!
how long until
I think you mean:
Gentoo
OpenSSH has a BSD-license, LSH has a GNU-license.
It must be a conspiracy by the GNU viral license advocates to wipe out "free" BSD licensed software!
don't you automatically trust flyingbuttmonkeys.com?
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
I've got a whole bag of Ssh with your name on it!
That was a pre-emptive Ssh!
120 character sigs suck. Make it 250.
have i mentioned you slashdot moderators can go fuck yourselves
i cant get modded up if jesus came back with mod points