RE: sshd-exploit

["Sean T. Ballard" <stballard () 4glschools com>]

Just because the exploit code itself is not public is no excuse to not
be cautious about it. SSH has always a touchy service already, and I try
limit its uses in general just because of its exploitive history.

-----Original Message-----
From: Joerg Weber [mailto:j.weber () infos de] 
Sent: Wednesday, September 17, 2003 10:56 AM
To: Frank Knobbe
Cc: Sam Evans; snort-users () lists sourceforge net
Subject: Re: [Snort-users] sshd-exploit

On Wed, 2003-09-17 at 16:39, Frank Knobbe wrote:

> That's still my main gripe. We have a lot of intelligent code
reviewers
> around. The problem in SSHD is a small section of code. Surely we can
> look at it and determine if it's exploitable or not (the people I
talked
> to said No).
Well, I for sure would rather say "Uhhm I am not sure, but a wrong
offset in memory handling could maybe be exploitable" than "Naw, it's
not, trust me".
Remember Apache on *BSD when Gobbles showed how it is 'not exploitable'?
And I think that with something as widespread as OpenSSH a little bit of
activism on the update front cannot harm.

I'm pretty sure though that in case it is indeed exploitable we'll see
lots of creative work in the comming weeks. Arm your bruteforcer and
share the offsets!

Anyways. No exploit->no signature. Less work for me ;)

Cheers,

Joerg

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 33
www.infos.de
E: j.weber () infos de


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users