New ssh Exploit in the Wild

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Tuesday September 16, 2003 @03:07AM from the brace-for-impact dept.

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

9 of 754 comments (clear)

Min score:

Reason:

Sort:

Bits and pieces so far... by Oestergaard · 2003-09-16 03:15 · Score: 5, Informative

Yes, there is a vuln. in 3.6. You need to upgrade to 3.7 which was released today, to be safe (well, 'safer' anyway).

It will be 3.7p1 for us non-OpenBSD people.

It is a patch to one file, buffer.c, which fixes some allocation/offset stuff.

It seems that privilege separation does *not* help here - so get them systems patched (and firewalled)!
OpenSSH 3.7 Release Announcement by Tuck · 2003-09-16 03:37 · Score: 5, Informative

Rather than subject someone's server (like mine!) to a slashdotting, here's the full text of the announcement (slightly mangled to sneak past the lameness filter).

Subject: OpenSSH 3.7 released
Date: Tue, 16 Sep 2003 14:07:00 +0200
From: Markus Friedl
To: openssh-unix-dev _at_ mindrot.org

OpenSSH 3.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18

For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Security Changes:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

OpenSSH 3.7 fixes this bug.

Changes since OpenSSH 3.6.1:

* The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.

* Rhosts authentication has been removed in ssh(1) and sshd(8).

* Changes in Kerberos support:

- KerberosV password support now uses a file cache instead of a memory cache.

- KerberosIV and AFS support has been removed.

- KerberosV support has been removed from SSH protocol 1.

- KerberosV password authentication support remains for SSH protocols 1 and 2.

- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.

* Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order:

1. ssh-agent(1) keys that are found in the ssh_config(5) file
2. remaining ssh-agent(1) keys
3. keys that are only listed in the ssh_config(5) file

This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.

* SOCKS5 support has been added to the dynamic forwarding mode in ssh(1).

* Removed implementation barriers to operation of SSH over SCTP.

* sftp(1) client can now transfer files with quote characters in their filenames.

* Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed.

* Fix a number of memory leaks.

* Support for sending tty BREAK over SSH protocol 2.

* Workaround for other vendor bugs in KEX guess handling.

* Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).

* Automatic re-keying based on amount of data sent over connection.

* New AddressFamily option on client to select protocol to use (IPv4 or IPv6).

* Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2.

* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.

* Portable OpenSSH:

- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.

- PAM support may now be enabled/disabled at runtime using the UsePAM directive.

- Many improvements to the OpenSC smartcard support.

- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in t

--
$ find /pub -beer "James Squire Amber Ale" -drink
Trust me... View the srpm by ChiefArcher · 2003-09-16 03:55 · Score: 5, Informative

I've released the SOURCE RPM...
you can always grab it and see for yourself..
I only changed buffer.c

Feel free to see for yourself..

I had to make all of these this morning to patch our systems..

ChiefArcher
Re:interesting comment on how to stop it... by andreas · 2003-09-16 04:01 · Score: 5, Informative

This is the README from 1998, talking about a beta version of lsh. Don't let age-old doumentation fool you.

lsh has grown mature since then, and has an excellent code quality. I recommend it. Any day over OpenSSH, after having looked at the code of both projects. Up-to-date documentation, as on the web page, or the README inside the tarball, doesn't contain the warning.
intentions are noble and MIRROR now by ChiefArcher · 2003-09-16 04:01 · Score: 5, Informative

you have an email address to...
and a resume www.briangannon.com
and the Source RPMS.

http://stradlin.com/ssh
if you do a diff on the sources, you will see I only edited buffer.c
my intentions are completely noble.
How can you really trust Redhat? One of the disgruntled developers could put a backdoor in a patch?

ChiefArcher
Another place to find the patch/bug advisory by vt0asta · 2003-09-16 05:05 · Score: 5, Informative

http://www.securityfocus.com/archive/1/337662/2003 -09-13/2003-09-19/0

--
No.
Re:GOOD!! Red Hat, fix your RPMs!! by opkool · 2003-09-16 05:29 · Score: 5, Informative

How to fix your RedHat box:

1.- Download the file openssh-3.7p1-1.src.rpm from any of the mirrors. For example:
ftp://ftp.easynet.be/openssh/portable/rp m/SRPMS/op enssh-3.7p1-1.src.rpm

2.- Build an .rpm for your RedHat Linux version:

# rpm --rebuild openssh-3.7p1-1.src.rpm

3.- Upgrade your OpenSSH packages:

# rpm -Fvh /usr/src/redhat/RPMS/i386/openssh-*.rpm

4.- Re-start your sshd daemon:

service sshd restart

5. Profit!^H^H^H^H^H errr, that's it.

Peace.
Fixed that ancient LSH README by Anonymous Coward · 2003-09-16 06:40 · Score: 5, Informative

Ooops, I had totally forgotten about that old copy of the README file in the ftp archive. After it was pointed out to me in private mail, I've replaced it with the current README. /Niels (LSH author)
iptables and ipchains scripts to limit SSH access by getnuked · 2003-09-16 08:32 · Score: 5, Informative

If you can't get to an update for your distro, here is a quick and dirty script for both iptables and ipchains based machines to limit SSH access to only specific IPs (replace 1.2.3.4 with the address you want to connect from, add more lines to add more hosts) - of course these only apply to Linux based machines with either iptables or ipchains in the kernel or available as modules:
iptables:
#!/bin/sh insmod iptables iptables -F INPUT iptables -P INPUT ACCEPT iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4 iptables -A INPUT -j DROP -p tcp --destination-port 22 iptables -A INPUT -j DROP -p udp --destination-port 22
ipchains:
#!/bin/sh insmod ipchains ipchains -F input ipchains -P input ACCEPT ipchains -A input -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4 ipchains -A input -j DENY -p tcp --destination-port 22 ipchains -A input -j DENY -p udp --destination-port 22