MSU Listserv

I have been following these reports this afternoon.  I was waiting for a good
report to share, and they just arrived.  I just sent the FreeBSD security
advisory to the msusec mailing list.  Here is the OpenBSD advisory.

From: Chris Wysopal <[log in to unmask]>
Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv


List:     openbsd-misc
Subject:  OpenSSH Security Advisory: buffer.adv
From:     Markus Friedl <markus () openbsd ! org>
Date:     2003-09-16 12:32:15
[Download message RAW]

This is the 1st revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7 contain a buffer
        management error.  It is uncertain whether this error is
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

2. Solution:

        Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c    26 Jun 2002 08:54:18 -0000      1.16
+++ buffer.c    16 Sep 2003 03:03:47 -0000      1.17
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+       u_int newlen;
        void *p;

        if (len > 0x100000)
@@ -98,11 +99,13 @@
                goto restart;
        }
        /* Increase the size of the buffer and retry. */
-       buffer->alloc += len + 32768;
-       if (buffer->alloc > 0xa00000)
+
+       newlen = buffer->alloc + len + 32768;
+       if (newlen > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
-                   buffer->alloc);
-       buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+                   newlen);
+       buffer->buf = xrealloc(buffer->buf, newlen);
+       buffer->alloc = newlen;
        goto restart;
        /* NOTREACHED */
 }


On Tue, Sep 16, 2003 at 01:59:38PM -0400, Uwe Rossbach wrote:
> Does anyone have a confirmation of this slashdot story and Full
> Disclosure posting. The only thing I noticed is that there is a new
> openSSH version (3.7) as of 5 am today on the server in Canada. The
> exploit looks for root access by trying a large number of accounts and
> connection requests. Leading to denial of service if not successful. Uwe
> Rossbach
>
>
>
> "
>
>
>  [Full-Disclosure] new ssh exploit?
>
> *christopher neitzert * [log in to unmask] <mailto:chris%40neitzert.com>
> /Mon, 15 Sep 2003 13:48:34 -0400/
>
>    * Previous message: [Full-Disclosure] new ssh exploit?
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
>    * Next message: [Full-Disclosure] new ssh exploit?
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
>    * *Messages sorted by:* [ date ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
>      [ thread ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
>      [ subject ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
>      [ author ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>
>
>
> ------------------------------------------------------------------------
>
> --=-sz+BJAPCz1yL37OtGOWm
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
> More on this;
>
> The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
> running the latest versions of OpenSSH.
>
> The attack makes an enormous amount of ssh connections and attempts
> various offsets until it finds one that works permitting root login.
>
> I have received numerous messages from folks requesting anonymity or
> direct-off-list-reply confirming this exploit;
>
> The suggestions I have heard are:
>
> Turn off SSH and
>
> 1. upgrade to lsh.
>
> or
>
> 2. add explicit rules to your edge devices allowing ssh from only-known
> hosts.
>
> or
>
> 3. put ssh behind a VPN on RFC-1918 space.
>
> thanks.
>
>
>
>
> On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> >/ Does anyone know of or have source related to a new, and unpublished ssh
> />/ exploit?  An ISP I work with has filtered all SSH connections due to
> />/ several root level incidents involving ssh. Any information is
> />/ appreciated.
> />/=20
> />/=20
> /--=20
> Christopher Neitzert - GPG Key ID: 7DCC491B
>
> --=-sz+BJAPCz1yL37OtGOWm
> Content-Type: application/pgp-signature; name=signature.asc
> Content-Description: This is a digitally signed message part
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX
> +fZt/6hiarcw2KVtQq1i0Nk=
> =MaEF
> -----END PGP SIGNATURE-----
>
> --=-sz+BJAPCz1yL37OtGOWm--
>
>
>
> ------------------------------------------------------------------------
>
>    * Previous message: [Full-Disclosure] new ssh exploit?
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
>    * Next message: [Full-Disclosure] new ssh exploit?
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
>    * *Messages sorted by:* [ date ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
>      [ thread ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
>      [ subject ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
>      [ author ]
>      <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>