I have been following these reports this afternoon. I was waiting for a good
report to share, and they just arrived. I just sent the FreeBSD security
advisory to the msusec mailing list. Here is the OpenBSD advisory.
From: Chris Wysopal <[log in to unmask]>
Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv
List: openbsd-misc
Subject: OpenSSH Security Advisory: buffer.adv
From: Markus Friedl <markus () openbsd ! org>
Date: 2003-09-16 12:32:15
[Download message RAW]
This is the 1st revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively.
2. Solution:
Upgrade to OpenSSH 3.7 or apply the following patch.
Appendix:
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
@@ -98,11 +99,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
On Tue, Sep 16, 2003 at 01:59:38PM -0400, Uwe Rossbach wrote:
> Does anyone have a confirmation of this slashdot story and Full
> Disclosure posting. The only thing I noticed is that there is a new
> openSSH version (3.7) as of 5 am today on the server in Canada. The
> exploit looks for root access by trying a large number of accounts and
> connection requests. Leading to denial of service if not successful. Uwe
> Rossbach
>
>
>
> "
>
>
> [Full-Disclosure] new ssh exploit?
>
> *christopher neitzert * [log in to unmask] <mailto:chris%40neitzert.com>
> /Mon, 15 Sep 2003 13:48:34 -0400/
>
> * Previous message: [Full-Disclosure] new ssh exploit?
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
> * Next message: [Full-Disclosure] new ssh exploit?
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
> * *Messages sorted by:* [ date ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
> [ thread ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
> [ subject ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
> [ author ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>
>
>
> ------------------------------------------------------------------------
>
> --=-sz+BJAPCz1yL37OtGOWm
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
> More on this;
>
> The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
> running the latest versions of OpenSSH.
>
> The attack makes an enormous amount of ssh connections and attempts
> various offsets until it finds one that works permitting root login.
>
> I have received numerous messages from folks requesting anonymity or
> direct-off-list-reply confirming this exploit;
>
> The suggestions I have heard are:
>
> Turn off SSH and
>
> 1. upgrade to lsh.
>
> or
>
> 2. add explicit rules to your edge devices allowing ssh from only-known
> hosts.
>
> or
>
> 3. put ssh behind a VPN on RFC-1918 space.
>
> thanks.
>
>
>
>
> On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> >/ Does anyone know of or have source related to a new, and unpublished ssh
> />/ exploit? An ISP I work with has filtered all SSH connections due to
> />/ several root level incidents involving ssh. Any information is
> />/ appreciated.
> />/=20
> />/=20
> /--=20
> Christopher Neitzert - GPG Key ID: 7DCC491B
>
> --=-sz+BJAPCz1yL37OtGOWm
> Content-Type: application/pgp-signature; name=signature.asc
> Content-Description: This is a digitally signed message part
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX
> +fZt/6hiarcw2KVtQq1i0Nk=
> =MaEF
> -----END PGP SIGNATURE-----
>
> --=-sz+BJAPCz1yL37OtGOWm--
>
>
>
> ------------------------------------------------------------------------
>
> * Previous message: [Full-Disclosure] new ssh exploit?
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
> * Next message: [Full-Disclosure] new ssh exploit?
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
> * *Messages sorted by:* [ date ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
> [ thread ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
> [ subject ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
> [ author ]
> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>
