Vulnerability Development mailing list archives

Re: SSH2 Exploit?


From: Dan Hanson <dhanson () securityfocus com>
Date: Thu, 7 Mar 2002 12:35:45 -0700 (MST)

Hmmm..not an exploit, but a vulnerability in OpenSSH up to 3.0.2 (3.1 has
been released), there is an advisory that has been posted on Bugtraq and
/.  Thought the part about exploitation without a user account may be
possible was interesting.

quoted and referenced:
http://www.pine.nl/advisories/pine-cert-20020301.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------------
 Pine Internet Security Advisory
- -----------------------------------------------------------------------------
 Advisory ID       : PINE-CERT-20020301
 Authors           : Joost Pol <joost () pine nl>
 Issue date        : 2002-03-07
 Application       : OpenSSH
 Version(s)        : All versions between 2.0 and 3.0.2
 Platforms         : multiple
 Vendor informed   : 20020304
 Availability      : http://www.pine.nl/advisories/pine-cert-20020301.txt
- -----------------------------------------------------------------------------

Synopsis

        A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2

        Users with an existing user account can abuse this bug to
        gain root privileges. Exploitability without an existing
        user account has not been proven but is not considered
        impossible. A malicious ssh server could also use this bug
        to exploit a connecting vulnerable client.

Impact

        HIGH: Existing users will gain root privileges.

Description

        Simple off by one error. Patch included.

Solution

        The OpenSSH project will shortly release version 3.1.

        Upgrading to this version is highly recommended.

        This version will be made available at http://www.openssh.com

        The FreeBSD port of OpenSSH has been updated to reflect the
        patches as supplied in this document.

        OpenSSH CVS has been updated, see

        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ \
        channels.c.diff?r1=1.170&r2=1.171

        Or apply the attached patch as provided by PINE Internet:

        http://www.pine.nl/advisories/pine-cert-20020301.patch


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyHaKkACgkQDNrSylhGGb3p2ACfXZu3WShzGT4Mp/LgwA6AZStu
rtkAn3O83WzyNijdJ9+9OwLJxUcVj4Ld
=j+Hz
-----END PGP SIGNATURE-----



--
Dan Hanson
SecurityFocus -- http://www.securityfocus.com
ARIS -- http://aris.securityfocus.com
dhanson () securityfocus com
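The advisory quoted above says only "simple off by one error" and points at the channels.c diff. The shape of that bug class, a bounds check written with `>` where `>=` is needed, so that an index equal to the table size slips through and selects the record just past the end, is illustrated here with an added example. This is not code from the advisory, from Pine, or from OpenSSH: the types `channel_t` and `channel_table_t` and the functions `channel_lookup_vuln`, `channel_lookup_fixed`, `table_new` and `demo_off_by_one` are hypothetical, simplified stand-ins; for the real change, read the linked diff. The table is deliberately allocated with one spare entry after its logical end, and that entry is filled with constructed marker values, so the out-of-bounds read is well defined in this demonstration rather than undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified channel record (not OpenSSH's struct Channel). */
typedef struct {
    int self;            /* channel id */
    int type;            /* type tag; the marker value below means "past the table" */
    void (*cb)(void *);  /* a callback pointer: why a bogus record is dangerous */
} channel_t;

/* Hypothetical table: slots[0 .. channels_alloc-1] are the valid entries. */
typedef struct {
    channel_t *slots;
    int channels_alloc;
} channel_table_t;

#define PAST_END_MARKER 0x41414141

/* Vulnerable lookup: the check rejects id > channels_alloc, so
 * id == channels_alloc passes and indexes one entry past the end. */
channel_t *channel_lookup_vuln(channel_table_t *t, int id) {
    if (id < 0 || id > t->channels_alloc)
        return NULL;
    return &t->slots[id];
}

/* Fixed lookup: valid indices are 0 .. channels_alloc-1, so use >=. */
channel_t *channel_lookup_fixed(channel_table_t *t, int id) {
    if (id < 0 || id >= t->channels_alloc)
        return NULL;
    return &t->slots[id];
}

/* Build a table of n channels plus one extra entry directly after it.
 * The extra entry stands in for whatever memory follows a real table;
 * its contents are constructed marker values for this demonstration. */
channel_table_t *table_new(int n) {
    channel_table_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->slots = calloc((size_t)n + 1, sizeof *t->slots);
    if (!t->slots) { free(t); return NULL; }
    t->channels_alloc = n;
    for (int i = 0; i < n; i++) {
        t->slots[i].self = i;
        t->slots[i].type = 1;
    }
    t->slots[n].self = n;
    t->slots[n].type = PAST_END_MARKER;   /* "memory past the table" */
    return t;
}

void table_free(channel_table_t *t) {
    if (t) { free(t->slots); free(t); }
}

/* Returns 1 when the vulnerable lookup hands back the record past the
 * table for id == channels_alloc while the fixed lookup rejects it,
 * 0 otherwise, -1 on allocation failure. */
int demo_off_by_one(int n) {
    channel_table_t *t = table_new(n);
    if (!t) return -1;
    channel_t *v = channel_lookup_vuln(t, n);   /* id == channels_alloc */
    channel_t *f = channel_lookup_fixed(t, n);
    int result = (v != NULL && v->type == PAST_END_MARKER && f == NULL);
    table_free(t);
    return result;
}

int main(void) {
    printf("vulnerable lookup returns the out-of-table record: %s\n",
           demo_off_by_one(10) ? "yes" : "no");
    return 0;
}
```

The point of the `cb` field is the one the advisory's impact section implies: a record that lies beyond the table is treated as a live channel, so whatever the caller does with its fields (type dispatch, callbacks, buffer pointers) now operates on memory the table code never initialised. Whether an attacker can shape that memory is exactly the question behind "exploitability without an existing user account has not been proven but is not considered impossible".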


