Security Incidents mailing list archives

Re: Attacks against SSH?


From: Jason Baker <jbaker () filonet ca>
Date: Tue, 4 Dec 2001 11:27:13 -0800

On December 3, 2001 10:45 pm, you wrote:

> This exploit is indeed a different crc32 exploit than the one I
> analyzed a couple weeks ago, but it affects the same set of systems as
> the one I analyzed.  For those who haven't seen it, the analysis
> includes examples and a script for scanning your network to identify
> *potentially* vulnerable systems (you need to check the version of
> your protocol 1 fallback server separately, if you allow fallback):
>
>       http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

From this analysis, SSH-1.5-OpenSSH-1.2.3 is listed as vulnerable, but that's 
what you get when you install the SSH update from Debian, listed in DSA-027.  
I'd normally expect that just fixed a different problem, but the text of 
their advisory for "ssh-nonfree" (DSA-086-1) states:

  "We have received reports that the "SSH CRC-32 compensation attack detector 
   vulnerability" is being actively exploited. This is the same integer type  
   error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian   
   ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were    
   not."

I took a quick look around and didn't see the exploit code. Is there anyone 
who can confirm whether Debian with ssh 1:1.2.3-9.2 is vulnerable?  (Or point 
me at the exploit and I'll test myself.)
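
An added example, not part of the original post or of the linked analysis: a banner triage sketch showing why a banner such as SSH-1.5-OpenSSH-1.2.3 can only mark a host as *potentially* vulnerable when, as the post describes, the patched Debian package still presents that same banner. The function names, host addresses and every sample banner other than SSH-1.5-OpenSSH-1.2.3 are constructed for illustration; `verified_fixed` is an assumed input holding hosts whose package revision was confirmed out of band.

```python
import re

# Identification string layout: SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def offers_protocol_1(banner):
    """True/False if the banner advertises protocol 1, None if it is not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    # 1.x means protocol 1 only; 1.99 means protocol 2 with protocol 1 fallback.
    return int(m.group(1)) == 1

def triage(scan, verified_fixed=()):
    """Sort (host, banner) pairs into follow-up buckets.

    The banner only says that protocol 1 is reachable. Whether the fix is
    installed has to come from the package database, so hosts move out of
    'check-package' only when listed in verified_fixed (assumed input).
    """
    buckets = {"check-package": [], "verified-fixed": [],
               "no-protocol-1": [], "unparseable": []}
    for host, banner in scan:
        p1 = offers_protocol_1(banner)
        if p1 is None:
            buckets["unparseable"].append(host)
        elif not p1:
            buckets["no-protocol-1"].append(host)
        elif host in verified_fixed:
            buckets["verified-fixed"].append(host)
        else:
            buckets["check-package"].append(host)
    return buckets

# Constructed scan output; only the first banner string appears in the post.
SAMPLE_SCAN = [
    ("192.0.2.10", "SSH-1.5-OpenSSH-1.2.3"),
    ("192.0.2.11", "SSH-1.5-OpenSSH-1.2.3"),    # same banner, package verified by hand
    ("192.0.2.12", "SSH-1.99-OpenSSH_2.9p2"),   # protocol 1 fallback enabled
    ("192.0.2.13", "SSH-2.0-OpenSSH_3.0.1p1"),
    ("192.0.2.14", "HTTP/1.0 400 Bad Request"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_SCAN, verified_fixed={"192.0.2.11"}).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts 192.0.2.10 and 192.0.2.11 present identical banners and end up in different buckets, which is the gap between a banner scan and the installed package revision.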
