Security Incidents mailing list archives

Re: Attacks against SSH?


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 4 Dec 2001 17:16:22 -0500 (EST)

On Tue, 4 Dec 2001, Jason Baker wrote:

> I took a quick look around and didn't see the exploit code, is there
> anyone who can confirm if debian with ssh 1:1.2.3-9.2 is vulnerable?
> (Or point me at the exploit and I'll test myself)

You can test for the vulnerability in a rather trivial way, as described in
our original advisory. You need to use an OpenSSH client that does not
truncate usernames, and then try the following:

ssh -l`perl -e '{print "A"x90000}'` someserver -v

If the connection is dropped with no error message (and the daemon dies
with signal 11) after establishing a connection and exchanging keys but
before the password prompt, you are vulnerable. If it gives you a password
prompt, you are not vulnerable.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/



