Yuppa, Roman Drahtmueller wrote:
Yes, and I colleague of mine just made a root exploit discover in OpenSSH that effects 3.0.1p1 and below. Once I know more or he decides to announce it..I'll let you know. He's in a testing phase.
Cheers!
Are you sure that openssh is affected? Right now, it looks like only the commercial ssh versions are targeted - they have similar version numbers.
But still not more news. :-/
If I got that correctly, ssh.com, in a roundabout way, already addressed the problem on their web site: http://www.ssh.com/products/ssh/advisories/ssh1_2002-02-25.cfm This is an "advisory" (well, sort of...) from 02/25, which points out that the recent sec holes only affect ssh1. Apparently, the publication is targeted towards a TV news broadcast of Finnish TV, which said that there had been attacks/break-ins against, quote, "tens of of thousands of computers all around the world" with vulnerable ssh1 installations. Unfortunately, they don't go into detail. I have not checked the security status of the current OpenSSH versions. Currently, I'm about to track down the "sshex" tool/app which has been mentioned in the securityfocus posting. Since our company very heavily relies on ssh, this issue is very important for us. I will re-post in this thread as soon as I have more info. Ben, thanks for bringing that to our attention.
Roman.
Boris Lorenz <bolo@lupa.de> ---