Re: SSH Communications page on rootshell.com

[root () cygone com (Mitch Vincent)]

Ok Ok
Which is it people?

You have 3 security organizations saying
"The IBM analysis shows however that either the Linux operating system or
GCC compiler may have a problem which manifests itself as a bug in Secure
Shell. In any case, this is not a bug in Secure Shell itself. The results
with Linux are also preliminary as IBM was not able to do the exploit with
clean builds of Linux either. "

At the same time saying there aren't exploitable vulnerabilities with SSHD,
if there is a problem as described above that "manifests" itself in Secure
Shell then it IS a problem with Secure Shell, no matter how indirect. I
understand the authors of Secure Shell want to save face by not admitting
there is a potential problem and I understand rootshell's embarrassment of
being hacked. *BUT* We all need an answer to this question:

"Is it possible to gain unauthorized root access to a machine using SSH?"

I'm tired of "patch kits" being released to software that the author says
isn't vulnerable and all these IBM-Cert-Whatever memo's going around if
there is no problem. Stop with the run around people, just give everyone a
straight answer.

(This is not a rant to bugtraq or anyone specifically, just in general about
the entire issue)

Thanks!


-----Original Message-----
From: morex .- <morex () MOREX NET>
To: BUGTRAQ () netspace org <BUGTRAQ () netspace org>
Date: Tuesday, November 03, 1998 4:17 PM
Subject: SSH Communications page on rootshell.com


> Hello ,
>
> For the paranoid people out there that think sshd is insecure you guys
> might want to check out
> http://www.ssh.fi/sshprotocols2/rootshell.html
>
> Happy halloween
>
> later
> morex .-
> morex () nirvana net