[log in to unmask]">

I have been following these reports this afternoon.  I was waiting for a good
report to share, and they just arrived.  I just sent the FreeBSD security
advisory to the msusec mailing list.  Here is the OpenBSD advisory.

From: Chris Wysopal <[log in to unmask]>
Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv


List:     openbsd-misc
Subject:  OpenSSH Security Advisory: buffer.adv
From:     Markus Friedl <markus () openbsd ! org>
Date:     2003-09-16 12:32:15
[Download message RAW]

This is the 1st revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7 contain a buffer
        management error.  It is uncertain whether this error is
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

2. Solution:

        Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c    26 Jun 2002 08:54:18 -0000      1.16
+++ buffer.c    16 Sep 2003 03:03:47 -0000      1.17
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+       u_int newlen;
        void *p;

        if (len > 0x100000)
@@ -98,11 +99,13 @@
                goto restart;
        }
        /* Increase the size of the buffer and retry. */
-       buffer->alloc += len + 32768;
-       if (buffer->alloc > 0xa00000)
+
+       newlen = buffer->alloc + len + 32768;
+       if (newlen > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
-                   buffer->alloc);
-       buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+                   newlen);
+       buffer->buf = xrealloc(buffer->buf, newlen);
+       buffer->alloc = newlen;
        goto restart;
        /* NOTREACHED */
 }


On Tue, Sep 16, 2003 at 01:59:38PM -0400, Uwe Rossbach wrote:
  

Does anyone have a confirmation of this slashdot story and Full
Disclosure posting. The only thing I noticed is that there is a new
openSSH version (3.7) as of 5 am today on the server in Canada. The
exploit looks for root access by trying a large number of accounts and
connection requests. Leading to denial of service if not successful. Uwe
Rossbach



"


 [Full-Disclosure] new ssh exploit?

*christopher neitzert * [log in to unmask] <mailto:chris%40neitzert.com>
/Mon, 15 Sep 2003 13:48:34 -0400/

   * Previous message: [Full-Disclosure] new ssh exploit?
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
   * Next message: [Full-Disclosure] new ssh exploit?
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
   * *Messages sorted by:* [ date ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
     [ thread ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
     [ subject ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
     [ author ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>


------------------------------------------------------------------------

--=-sz+BJAPCz1yL37OtGOWm
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh.

or

2. add explicit rules to your edge devices allowing ssh from only-known
hosts.

or

3. put ssh behind a VPN on RFC-1918 space.

thanks.




On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
    

/ Does anyone know of or have source related to a new, and unpublished ssh
      

/>/ exploit?  An ISP I work with has filtered all SSH connections due to
/>/ several root level incidents involving ssh. Any information is
/>/ appreciated.
/>/=20
/>/=20
/--=20
Christopher Neitzert - GPG Key ID: 7DCC491B

--=-sz+BJAPCz1yL37OtGOWm
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX
+fZt/6hiarcw2KVtQq1i0Nk=
=MaEF
-----END PGP SIGNATURE-----

--=-sz+BJAPCz1yL37OtGOWm--



------------------------------------------------------------------------

   * Previous message: [Full-Disclosure] new ssh exploit?
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
   * Next message: [Full-Disclosure] new ssh exploit?
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
   * *Messages sorted by:* [ date ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
     [ thread ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
     [ subject ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
     [ author ]
     <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>