Re: OpenSSH

[Anthony D Cennami <acennami () metconnect net>]

Non BSD systems by default, as they do not use BSDAUTH, are not 
(currently) vulnerable to this breach, to the best of my knowledge.

In any case, it would be advisable to use an updated priv-sep enabled 
version of the software.

Regards,

Anthony


Jeremy Junginger wrote:

> Hello,
>
> I am back again, and auditing an internally accessible ssh server for
> the challenge-response buffer overflow.  I'll keep it brief:
>
> OS: RedHat Linux (6.2)
> SSH Version:  SSH-1.99-OpenSSH_3.1p1
>
> I have already done the following:
>
> Downloaded and extracted openssh-3.2.2p1.tar.gz
> Patched the client with ssh.diff (patch < ssh.diff)
> Compiled patched client ( ./configure && make ssh)
> Run the "patched" ssh (./ssh x.x.x.x)
>
> I am receiving the following output
> ./scanssh 172.16.51.23
> [*] remote host supports ssh2
> [*] server_user: root:skey
> [*] keyboard-interactive method available
> [x] bsdauth (skey) not available
> Permission denied (publickey,password,keyboard-interactive).
>
> I have not investigated any further, but don't feel comfortable calling
> the service "secured" without a little peer review.  Do you have any
> tips on manipulating the method, style, repeats, chunk size, or
> connect-back shellcode repeat?  Any ideas will be greatly appreciated.
> Thanks, and have a great day!
>
> -Jeremy



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/