Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] new SSH xploit
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Fri, 01 Mar 2002 15:53:36 +0100
  • Message-id: <3C7F95F0.AACA8FE9@xxxxxxx>
Stefan,

please refer to the thread "New SSH bug?", started by Ben Rosenberg
yesterday on suse-sec. I also posted the info you found on ssh.com, but
now I'm not sure anymore; ssh.com's publication is from the 25th of
February, and addresses a news broadcast of Finnish TV. From what I
gather, this publication is directed to the ssh1 crc32 compensation
attack exploit, although they don't refer to this particular vuln.

John Compton posted this on SecurityFocus's vuln-dev mailing list:

http://online.securityfocus.com/archive/82/258238

For me, this sounds like a vuln of the official ssh2 implementation
(look at the output of the sshex/7350ylonen exploit)... :(

From my investigations concerning the new ssh vuln, here is what I know
(or think I know):

- The exploit apparently is directed towards ssh2 implementations
- The official file/app name of the exploit seems to be 7350ylonen (side
note: Tatu Ylonen is the founder of ssh Finland), although several
sources refer to it as "sshex"
- It exploits at least three (?) holes in the ssh2 protocol
- 7350ylonen/sshex seems to stem from Teso's web site, a well-known
security/hacking group/resource. The source of the exploit (which
should not have been published) has been leaked (side note: read "7350"
in cracker-/kiddie-style; you will read "teso", just like "31337" means
"eleet", blah, blubb... :) )

So far, I didn't manage to track down the exploit - this will be a tough
one I guess. Let's see - I will repost as soon as any news occurs.

Perhaps Roman has some more info...?

Chakka! :)

Boris <bolo@xxxxxxx>
---

Stefan Suurmeijer wrote:
>
> The ssh site (www.ssh.com) states that the attacks that everyone is
> referring to were all on machines still running SSH1 compatibility (not
> too smart that), and that versions not running ssh1 compatibility should
> not be vulnerable. As I haven't had a chance to look at the exploit yet,
> I don't know if that info is current. Can anyone confirm that the new
> exploit is for ssh1 only?
>
> Stefan
