Re: [rootshell] Security Bulletin #25

["Roeland M.J. Meyer" <rmeyer () mhsc com>]

I just got this. MHSC is also on the SSH mailer-list. It looks as if ALL
accusations of SSH being exploitable are thinly founded at best.


> Date: Mon, 2 Nov 1998 11:45:53 +0200 (EET)
> From: Tatu Ylonen <ylo () ssh fi>
> To: ssh () clinet fi, info () rootshell com
> Subject: Important information about IBM-ERS's "ssh" advisory (fwd)
> Message-ID: <Pine.OSF.4.05.9811021143180.19300-100000 () torni ssh fi>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: owner-ssh () clinet fi
> Precedence: bulk
> X-UIDL: a3533f8bef2d09b2dd5c56b653ba57e1
>
> Please find enclosed a copy of a message from the IBM Emergency response
> team.
>
>    Tatu
>
> SSH Communications Security           http://www.ssh.fi/
> SSH IPSEC Toolkit                     http://www.ipsec.com/
> Free Unix SSH                         http://www.ssh.fi/sshprotocols2/
>
> ---------- Forwarded message ----------
> Date: Mon, 02 Nov 1998 04:15:28 EST
>
> From: David A. Curry <davy () ers ibm com>
> To: bugtraq () netspace org, first-info () first org, first-teams () first org,
>     ssh-bugs () cs hut fi
> Subject: Important information about IBM-ERS's "ssh" advisory
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on
> Monday, Nov. 2nd that described a buffer overflow condition in Version
> 1.2.x "sshd."  This draft was sent to the Forum of Incident Response and
> Security Teams, and also to the "ssh-bugs" list for their comment/review.
> The draft was identified as ERS-SVA-E01-1998:005.1.
>
> Rootshell has unfortunately chosen to include a copy of this draft advisory
> in their recent newsletter, apparently for the purposes of defending itself
> against charges that it was unfairly disparaging "sshd."  Use of IBM-ERS's
> draft advisory in this manner was not approved or authorized by IBM-ERS,
> and does a disservice to all.
>
> Here are the facts about this advisory:
>
> 1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by
>   IBM.
>
> 2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS
>   attempted to contact Kit on Friday evening, and was unable to reach
>   him.  Specific contact information for IBM-ERS, as well as a brief
>   status update, were left on Mr. Knox's voice mail.  Mr. Knox never
>   contacted IBM-ERS after that time.
>
> 3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make
>   sure that the potential vulnerability described in the advisory is not
>   exploitable.  Upon further investigation, the problem originally
>   described appears to have been influenced by outside factors and does
>   not appear to be an exploitable problem in "sshd."
>   
> 4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning
>   of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.
>
> 5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities,
>   exploitable or otherwise, in the "sshd" program.
>
> We hope that this clarifies IBM's involvement in this situation.
>
> - ---------------------------------------------------------------------------
>
> The information in this document is provided as a service to customers of
> the IBM Emergency Response Service.  Neither International Business Machines
> Corporation, nor any of its employees, makes any warranty, express or
implied,
> or assumes any legal liability or responsibility for the accuracy, complete-
> ness, or usefulness of any information, apparatus, product, or process
> contained herein, or represents that its use would not infringe any privately
> owned rights.  Reference herein to any specific commercial products, process,

> or service by trade name, trademark, manufacturer, or otherwise, does not
> necessarily constitute or imply its endorsement, recommendation or favoring
>
> by IBM or its subsidiaries.  The views and opinions of authors expressed
> herein do not necessarily state or reflect those of IBM or its subsidiaries,
> and may not be used for advertising or product endorsement purposes.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.7.1
>
> iQCVAwUBNj12ufWDLGpfj4rlAQGbNAQAhxLTKJh8H0s9uS0KbUVO3IxjfAYrcSuf
> TTpwZjQ3qciBr+8+LVU/WIk4OLGX7WLl2ZLqisUzNkBra4k0xPd2vKbKp6Pfd+6o
> DlNwfiwpty1wzPD/7eiu4xclHt0emMpDC6QMkJldk4/lv7iQmPltpeXdGqRVYja8
> fXtGXZO90UM=
> =hlDX
> -----END PGP SIGNATURE-----

and then found this.

> To: runge () crl com
> CC: ssh () clinet fi
> Subject: Re: ssh 1.2.26 and root compromise
> References: <3.0.3.32.19981030195825.005a2a78 () mail mpim-bonn mpg de>,
<slrn73psi8.h9i.bem () thorin cmc net>
<4n7%1.49$y_6.390462 () lwnws01 ne mediaone net>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Sender: owner-ssh () clinet fi
> Precedence: bulk
> X-UIDL: 82af265d49d9ab5f1da6706787093894
>
> Karl J. Runge wrote:
>
> > Maybe. I see about 125 calls to log_msg() in the ssh 1.2.x source code.
> > Does anyone see one (or more?) calls that might be passing unprotected
> > strings? I assume the unlimited %s are the place to start...
> > [info: IBM's announcement points us to log_msg() as the source
> > of the buffer overrun, but does not say which one. See rootshell
> > statement which has the IBM announcement]
> >
> > I doubt the logging of "log_msg" has to do with the use of the word
> > "log", but the IBM announcement is dated 10/30 ... (I just saw it today
> > for the first time).
>
> The IBM advisory was cancelled within 24 hours. The appearent buffer
> overflow IBM found was not reproducable on any other systems, and
> appearently was due to some local problem with the Linux installation on
> one particular machine. See
>
> http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:005.1
.txt,
> http://www.ssh/fi/sshprotocols2/rootshell.html and
>
> http://www.rootshell.com/
>
> Personally, I am very disappointed with rootshell's unprofessional
> handling of that incident. Their continuing stubborn insistance - in
> spite of all contrary evidence - that something other than their
> security policy must be at fault fatally resembles the worst exemples
> I've ever seen in corporate IT security. 
>
> Sevo 
>
>
> -- 
> Sevo Stille
> sevo () inm de

___________________________________________________ 
Roeland M.J. Meyer, ISOC (InterNIC RM993) 
e-mail: <mailto:rmeyer () mhsc com>rmeyer () mhsc com
Internet phone: hawk.mhsc.com
Personal web pages: <http://www.mhsc.com/~rmeyer>www.mhsc.com/~rmeyer
Company web-site: <http://www.mhsc.com/>www.mhsc.com/
___________________________________________ 
I bet the human brain is a kludge.
                -- Marvin Minsky