Bugtraq mailing list archives
Re: SSH 1.x and 2.x Daemon
From: yutaka () OIWA SHIBUYA TOKYO JP (Yutaka OIWA)
Date: Tue, 26 Jan 1999 01:16:55 +0900
On Sat, 23 Jan 1999 17:06:44 -0500, KuRuPTioN <kuruption () CHA0S COM> said:
KuRuPTioN> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
KuRuPTioN> and 2.0.11 (only tested). The bug simply allows users with expired
KuRuPTioN> accounts (in /etc/shadow) to continue to login even though other such
KuRuPTioN> services such as ftp and telnet deny access. Here is the log using 1.2.27
KuRuPTioN> (but the same happens with 2.0.11).

It seems to be a bug in the configure script.
From my quick look at the source code, the possibly vulnerable environments are

 - sshd 1.2.26 on
   * Linux, Irix5, Irix6, Ultrix, Convex
 - sshd 2.0.11 on
   * Almost all platforms with account expiration and without usersec.h(?)

To check whether the sshd is vulnerable, execute the command

    strings sshd | grep expire

and see whether the message for ACCOUNT expiration exists.
(There may be a message for password expiration.)

Adding

    #define HAVE_STRUCT_SPWD_EXPIRE 1

to the appropriate header file (do this after ./configure) may solve the problem
(sorry, not tested).

Detail:
  In ssh 1.2.26, checking for shadow passwd existence is bypassed on
  some platforms. However, checking for sp_expire existence is done in
  the bypassed section of the configure script.

  In ssh 2.0.11, no checking seems to be done for sp_expire. (true?)

--
Yutaka Oiwa
Yonezawa Lab., Department of Information Science,
Faculty of Science, University of Tokyo.
Email: <oiwa () is s u-tokyo ac jp>, <yutaka () oiwa shibuya tokyo jp>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07 EA 59 34 D8 F4 65 53 61
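An added example (not part of the original post and not ssh source code) of the account-expiration check the message is about: it reads the eighth field of an /etc/shadow-format line and is guarded by HAVE_STRUCT_SPWD_EXPIRE, so a build without the define silently skips the check. The function names, the sample entries and the rule that an account counts as expired once today's day number reaches the expiry day are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The post's suggested fix. Remove it to model a build with the check compiled out. */
#define HAVE_STRUCT_SPWD_EXPIRE 1

/* Start of colon-separated field n (0-based) of a shadow line, or NULL. */
static const char *shadow_field(const char *line, int n)
{
    while (n-- > 0) {
        line = strchr(line, ':');
        if (line == NULL)
            return NULL;
        line++;
    }
    return line;
}

/* 1 = expired, 0 = not expired, -1 = malformed line.
 * today_days is days since 1970-01-01, e.g. time(NULL) / 86400. */
int account_expired(const char *shadow_line, long today_days)
{
    const char *f = shadow_field(shadow_line, 7); /* 8th field: sp_expire */
    if (f == NULL)
        return -1;
#ifdef HAVE_STRUCT_SPWD_EXPIRE
    char *end;
    long expire = strtol(f, &end, 10);
    if (*end != ':' && *end != '\0' && *end != '\n')
        return -1;             /* non-numeric junk in the field */
    if (end == f)              /* empty field: account never expires */
        return 0;
    /* Assumption of this example: expired once today reaches that day. */
    return (expire > 0 && today_days >= expire) ? 1 : 0;
#else
    (void)today_days;
    return 0;                  /* no check at all: every account passes */
#endif
}

int main(void)
{
    /* Constructed entries ("x" stands in for the hash); day 10617 is 1999-01-26. */
    printf("%d\n", account_expired("alice:x:10600:0:99999:7::10610:", 10617));
    printf("%d\n", account_expired("bob:x:10600:0:99999:7:::", 10617));
    return 0;
}
```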