Yup, On 21-Nov-01 Maarten J H van den Berg wrote:
On Wednesday 21 November 2001 13:56, you wrote:
Hi,
On 21-Nov-01 Annette Jaekel wrote:
[...]
From the CERT.org vulnerability note VU#945216:
Overview
There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root.
I. Description
[...]
II. Impact
[...]
III. Solution
[...]
Systems Affected
Vendor - Status - Date - Updated
SSH Communications Security - Vulnerable - 6-Nov-2001
OpenSSH - Vulnerable - 2-Nov-2001
FreeBSD - Vulnerable - 2-Nov-2001
CORE SDI - Vulnerable - 6-Nov-2001
Debian - Vulnerable - 14-Nov-2001
Sorry, but I don't get it... What's with those recent dates? Isn't this the vulnerability from last February??
CERT's original vulnerability note can be read here: http://www.kb.cert.org/vuls/id/945216 These dates mark when the information about the vulnerability was last updated for each distro/SSH1 implementation. The vulnerability itself stems from February 8th, 2001, and was discovered by Michal Zalewski of the BindView Razor Team. Read the story here: http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
And if not, is there _really_ a NEW remote root exploit for sshd, PLEASE tell me it ain't so...? You really are scaring me...
The exploits for said SSH1 implementation bug aren't exactly new. It's just that there were only two or three sploits available from February to October, and these sploits consisted of C sources with intentional programming errors, which kept the parasites (read: script kiddies) away from using them. Shortly after October 10th, some new SSH1 exploits started to show up, ready-to-use for scripted attacks, even by not-so-skilled individuals, which is why this relatively old vuln gets exploited again. As a side note, it's obvious that some admins don't seem to follow the latest security issues, else they would have patched their SSH1 installations, I'd guess...

No need for panic - all vendors supply patches for still vulnerable SSH1 implementations, so a nice lil' update should do the trick for you if you happen to run a vuln sshd1.

Btw, this crc32 thingy seems to be a good reason to finally get rid of old SSH1 servers. It's not only that some SSH1 implementations are vulnerable to the crc32 bof, but also to certain man-in-the-middle attacks, for instance using the dsniff toolkit. Read all about it on http://www.monkey.org/~dugsong/dsniff/ , section "Further Reading".
Maarten
--
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
Boris Lorenz
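The "remote integer overflow" CERT refers to above is a width problem rather than arithmetic wrap: the CRC32 compensation attack detector sizes a hash table from an attacker-controlled 32-bit packet length but keeps the entry count in a 16-bit variable, so a large enough packet silently truncates the count and the mask derived from it (n - 1) no longer bounds the table indices. The C below is an added, simplified model of that pattern written for this thread; it is not the deattack.c code from any SSH1 implementation nor any vendor's patch. SSH_BLOCKSIZE, MIN_ENTRIES, MAX_ENTRIES and the function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_BLOCKSIZE 8             /* SSH1 cipher block size in bytes */
#define MIN_ENTRIES   2048          /* assumed minimum hash table size (entries) */
#define MAX_ENTRIES   (1u << 20)    /* assumed sanity bound used by the hardened path */

/* Round the number of cipher blocks in the packet up to a power of two,
 * so that (n - 1) can serve as a hash mask. Computed in 32 bits; for any
 * 32-bit payload length the loop terminates without overflowing. */
static uint32_t table_entries_for(uint32_t payload_len)
{
    uint32_t blocks = payload_len / SSH_BLOCKSIZE;
    uint32_t l = MIN_ENTRIES;
    while (l < blocks)
        l <<= 1;
    return l;
}

/* VULNERABLE pattern: the entry count is stored in a 16-bit variable.
 * A payload of 65536 blocks (512 KiB) yields 0x10000 entries, which
 * truncates to 0; the allocation would be 0 bytes while the mask n - 1
 * becomes 0xFFFF. Returns the truncated count the code would allocate for. */
static uint16_t vuln_entries(uint32_t payload_len)
{
    uint16_t n = (uint16_t)table_entries_for(payload_len);   /* silent truncation */
    return n;
}

/* Does an index computed the vulnerable way stay inside the n-entry table?
 * Modelled instead of performed, so this never writes out of bounds itself. */
static bool vuln_index_in_bounds(uint32_t payload_len, uint32_t hash)
{
    uint16_t n = vuln_entries(payload_len);
    uint16_t mask = (uint16_t)(n - 1);      /* n == 0 gives mask 0xFFFF */
    uint32_t index = hash & mask;
    return index < n;                       /* false for every index when n == 0 */
}

/* HARDENED: keep the count in 32 bits, reject packets whose length is not
 * a multiple of the block size or whose table would exceed a sane bound.
 * Returns 0 when the packet must be dropped, else the entry count. */
static uint32_t safe_entries(uint32_t payload_len)
{
    if (payload_len % SSH_BLOCKSIZE != 0)
        return 0;
    uint32_t n = table_entries_for(payload_len);
    if (n > MAX_ENTRIES)
        return 0;
    return n;
}

/* With a real power-of-two n the masked index is always in bounds;
 * a rejected packet is never indexed at all. */
static bool safe_index_in_bounds(uint32_t payload_len, uint32_t hash)
{
    uint32_t n = safe_entries(payload_len);
    if (n == 0)
        return false;                       /* dropped before any table is touched */
    uint32_t index = hash & (n - 1);
    return index < n;
}

int main(void)
{
    /* Constructed sample inputs: a 64 KiB packet and a 512 KiB packet. */
    uint32_t normal = 65536, evil = 524288, hash = 0x1234;
    printf("normal: vuln entries=%u in_bounds=%d | safe entries=%u in_bounds=%d\n",
           vuln_entries(normal), vuln_index_in_bounds(normal, hash),
           safe_entries(normal), safe_index_in_bounds(normal, hash));
    printf("evil:   vuln entries=%u in_bounds=%d | safe entries=%u in_bounds=%d\n",
           vuln_entries(evil), vuln_index_in_bounds(evil, hash),
           safe_entries(evil), safe_index_in_bounds(evil, hash));
    return 0;
}
```

The practical check this suggests for any old SSH1 build you still run is simple: look for the table size variable in the compensation attack detector and confirm it is a 32-bit type with an explicit upper bound before the allocation, which is what the vendor patches referenced in the CERT note provide.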