Encryption Security

Vulnerability In SSH1 118

matt666 writes "Bindview released an advisory yesterday warning us that "[a]n integer-overflow problem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. [...] This effectively allows an attacker to overwrite arbitrary portions of memory". Practically all common versions of SSH1 are affected, except OpenSSH 2.3.0." A whole slew of people have written in regarding this - from the folks at SmoothWall advising of an update, to a bunch of people just saying "Oh No!". My understanding is that a fix is already in the works.

  • by Anonymous Coward
    According to the site this should trigger the bug but it doesn't

    ruben@ruben:~ > ssh -v -l `perl -e '{print "A"x88000}'` localhost
    SSH Version 1.2.30 [i686-unknown-linux], protocol version 1.5.
    Standard version. Does not use RSAREF.
    ruben: Reading configuration data /etc/ssh_config
    Hostname or username is longer than 255 characters.
    ruben@ruben:~ >

    Does this mean it's secure?

  • by Anonymous Coward
    Peter Pan Syndrome be damned
  • by Anonymous Coward
    You must be American - no sense of irony huh?
  • by Anonymous Coward
    Once again we have proof that the OpenBSD folks have given us a solid and secure product.

    Given that OpenSSH is used across a greater spectrum than OpenBSD, this should help the OpenBSD group gain even more support.

    Never, ever use Linux for a firewall. Use OpenBSD!

    Oops, that's not a good thing to say on slashdot, is it?
  • Stone tablets?

    Luxury!

    :)
  • It is in the CVS snapshots
  • SSH's own Win32 SFTP client is good.
    http://www.ssh.com/products/ssh/

    Based on your .edu, I think you can use it for free.

    Unfortunately I haven't seen one for Classic Mac yet. At least command line will be an option with OS X.
  • I just patched the OpenSSH 2.2.0pl1 RPMS that I've been using. For anyone using OpenSSH 2.1 or 2.2 (As long as you've already got OpenSSL 0.9.5a or later) you can grab the rpms (and the src rpm) from here [aros.net].
  • You use APOP.

    It's been around for years, and most clients support it.

    It encrypts the password with a hash then sends it to the server, from memory.
  • by pen ( 7191 )
    Debian's servers use content negotiation. Here is the correct URL:
    http://www.debian.org/security/2001/dsa-026 [debian.org]

    (You're getting the dsa-026.html file in the 2001/ directory.)

  • ... have available the openssh-2.3.0p1 RPMs since November 21 (actually a few hours/days later, because Nov 21 is the build date of the package). This is a long time.


    -Yenya
    --

  • Yes he is.

    Bosses that whine about spelling are usually morons. Bosses, that want results? hire guys like me.

  • ...only 23 days left until your server's destruction!

    We're off to patch our code
    We're keeping Kiddies off
    To save our web servers.
    Our Sys. Admins.
    Searching for obscure bugs
    Heading off new exploits
    Leaving Quake games behind
    Who knows what bugs we'll find
    We must be smart and brave
    And always be sure to save
    If we don't, in just one year
    Our website will disappear
    Fighting with Script Kiddies
    Who won't stop with the "ph3r m3s"
    Then we'll reboot, and when we're done
    More Quake for everyone with our Sys Admins!

    George Lee

  • ...Encryption Is Only As Good As Your Worst Programmer.

    Good to see bugs getting shaken out. :)

    George Lee

    1. recently I've been losing patience with slashdot
    2. I've been posting stuff just to see how it gets received, not because I believe in what I say, or even care about what I'm talking about.


    I don't suppose other people coming to point #2 has anything to do with the state of affairs in #1?
  • See this [cs.hut.fi] and man 2 kill.

    You'll have to reverse the arguments of kill for that to work:

    - kill(SIGALRM, getppid());
    + kill(getppid(), SIGALRM);

  • For the record, both the ssh1 and OpenSSH ports have now been fixed. Personally, I'm just upgrading my remaining 3.x machine to 4-STABLE since it's long overdue.
  • Maybe it would be a good idea to ask Mr Vixie to create a closed mailing list (http://slashdot.org/article.pl?sid=01/02/03/1656243&mode=nested), to better prepare for ssh security holes.
  • OpenSSH pre 2.3.0 is also vulnerable [bindview.com], so don't be getting any false sense of security here.
    -
    sig sig sputnik
  • I know. But this is a firewall ;> Use i know.. "why ssh on the firewall!" well there is.

    ---
  • It's hard to write a single much less a specialized app to go through every input type, every branch of execution. It's possible, but it's VERY hard.

    ---
  • Yep. That sounds like OpenBSD. They have closed many holes that nobody knows about. Not all of them, I'm sure, but if they find one, they try to close all similar holes. FreeBSD seems to be playing a good game of catch-up.
  • > Of course, I don't think this is the way to go - mostly because current SML implementations are damn slow, and I'm a C bigot.

    You may be a C bigot :) but SML implementations aren't so bad:

    Check out the results of the ICFP contest [cornell.edu] - the ML-based programs were really, really fast. (And they also worked, unlike a lot of the C and Perl solutions!).

    Of course, it's too bad I'm a C bigot too, or my code might be better... ;)

  • full path, yes, wildcards, no. I type wildcards into my scp lines (hell, even environment variables work) all the time, and haven't had any problems...

    However, yes, for anything more than quick or automated file moves, sftp is a much better option.
  • Well, it will be lazy admins who suffer from this... In particular - this is in the article, should you ever decide to read it - the nature of the flaw prevents the buffer overflow from using certain instructions, which means that it's sufficiently hard to write an exploit for this that none are currently known. So the skript kiddiez are probably not going to get their heartz dezire this time.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.
  • Huh? FreeBSD has been using OpenSSH 2.3.0 - a non vulnerable version - since December 5.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.
  • Don't everyone panic and upgrade your ssh1 clients. This only affects the server end. If you run an ssh1 server, now you can start worrying.
    --
    Patrick Doyle
  • the only downside of openssh that i've seen was that it was a pain to figure out which compile-time options i needed. make sure you know exactly how your passwords are stored on your box. once i had that figured out, i liked it better than i ever liked the commercial SSH.

    As I recall, about the only thing that was needed was to make sure OpenSSL was installed first. Keeping your favorite compiler options in CFLAGS and CXXFLAGS helps, too, as configure (if it's of the GNU variety) will usually pick up whatever is in those variables. It's always figured everything else out by itself. I've installed OpenSSH on SuSE 6.[34] and LFS systems, and have never had any problems with the build.

  • Sure OpenSSH will protect you when you log into your *nix box. But what happens when you go to get your POP mail from your ISP? You send out your password in plaintext and then your mail is completely vulnerable.

    What? You STILL use unencrypted POP mail? I think all the major mail servers support POP/IMAP over SSL. Get it now.


    --
  • I still find it graciously amusing how some idiots are WILLING to feed the trolls even though they know it as such. YHBT, period.

    And yet, I got modded up three times. Gotta love /.'s crack-smoking moderators =) It's just so easy!

    Of course, I've already hit the cap (been there for months now), so whatever...

    --

  • That's interesting, because I just did ./configure, dl'd and installed the libs it needed (zlib and OpenSSL), ./configure again, make, make install, edit /usr/local/etc/sshd_config so it ran on port 123 (testing purposes, ssh is the only access I have to my Linux box, so...), start /usr/local/sbin/sshd, ssh in on port 123, verify that it works, change sshd_config, kill -HUP `cat /var/run/sshd.pid`, and it's all set.

    The above is on a Slack install still running kernel 2.0.38 and some older version of glibc.

  • Important utilities like ssh should not be written in unsafe languages like C or C++ that allow buffer overflows. Otherwise, this class of problem is never going to go away, because developers aren't perfect. And, because people don't want to be bothered about updates, in present-day reality Unix is highly insecure.
  • To get OpenSSH 2.3.0p1 to compile under freebsd 3.4-RELEASE:

    - first ensure openssl 0.9.6 is installed. If not, install it.
    - ./configure --without-pam --with-tcp-wrappers --sysconfdir=/etc/ssh --with-md5-passwords --with-libs=-lcrypt

    Took a little monkeying around, but it seems to work fine for me at the moment. Good luck.
  • http://www.freebsd.org/security/#adv

    What the fuck are people publishing a patch if there's not a fix?

    Streamripper [sourceforge.net]

  • I've been pushing for outside access at my workplace for a while now. There are a lot of security concerns and I have been trying to advocate using ssh. Is this a viable solution? In other words, how safe is it? -Willy
  • For Win32 I like SecureFX 1.9

    Tim Gaastra
  • The problem (for me anyway) is that there are a lot of commercial/closed-src ssh apps (mostly for Win and MacOS) that don't support SSH2. Putting ssh1 compatibility into ssh2 means that the vulnerable ssh1 daemon is still run when an ssh1 connection is made. So, I still run ssh1 everywhere so that I don't have to support some machines just running ssh2 and some machines running a combination of them both. When SSH official stops supporting and stops distributing the ssh1 source in May, most vendors will move to ssh2 only, but it's going to take a while.

    dopp

  • Doesn't appear to have made it to the "portable" version yet.

    I just installed 2.3.0p1, and it isn't there.

    Temkin

  • Sure OpenSSH will protect you when you log into your *nix box. But what happens when you go to get your POP mail from your ISP? You send out your password in plaintext and then your mail is completely vulnerable. Does anyone make a mail server that encrypts with common clients?
    You are correct, but you can tunnel POP (or whatever) over SSH. The fetchmail documentation explains how to do this.

    Of course, there is still the problem that good old SMTP still goes unencrypted, but TLS-aware MTAs (TLS is the new name for SSL, basically) will encrypt the traffic between them! Recent versions of Sendmail are TLS-aware, there's Postfix-TLS, and experimental versions of Exim. Not sure about qmail.

    As for POP and IMAP, I don't think anybody is talking about making encryption a standard part of them, but I could well be wrong.

  • by lemox ( 126382 )

    I was always under the impression that if your traffic passes through any sort of localized network it can be sniffed, like an @Home subnet, University network, network at your job etc. Your theory would really only apply to DSL or dialup and then only if the machine you were contacting was also connected directly to the internet with no sort of network attached to it.

  • I'm not too experienced with overflows, but how would the Openwall buffer overflow kernel patch by Solar Designer handle this, if at all?
  • <http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/version.h>

    --> 2.3.0 since 8 Nov

    <http://www.FreeBSD.org/cgi/cvsweb.cgi/src/secure/usr.bin/ssh/Makefile>

    --> 2.3.0 since 12 Jan

    Cheers,

    --fred
  • I have no probs using wildcards (*.htm etc) for openssh 2.3 server or client.
  • Your theory would really only apply to DSL or dialup and then only if the machine you were contacting was also connected directly to the internet with no sort of network attached to it.

    No! That is utterly meaningless. There is no such thing as "connected directly to the internet with no sort of network attached to it". The internet is a public network. Whenever you send data across a public network you should assume it is being sniffed. Apart from the fact that the original post was a joke.

  • You're still wrong. And you're a grotesquely ugly freak.
  • Yup, I got it yesterday with my daily apt-get dist-upgrade. All hail Debian.


  • WHAT? Your pop mail ISN'T encrypted with pgp/gpg? I have all the people I really care to talk to properly educated in how to use PGP. Even my wife, who found giving up AOL to be highly traumatic. Hell, I've got my filters set up to send anything that ISN'T signed or encrypted directly to the spam box.

    What in the world does that have to do with sending your POP password in plain text to fetch your PGP encrypted email?

  • Password sniffing is a big issue on university networks. I don't think you'll find more uncontrollable computers connected to a network in one place anywhere else. The problem is worsened because the high density of computers often results in the use of broadcast-style hubs to cut costs, especially when you are servicing a dormitory and don't care if the subnet gets bogged down. The result is that any yahoo could grab all the mail passwords for his entire floor without much difficulty. Secure services are essential in that sort of situation.
  • I hate having to know the full path to everything, or the inability for the remote server to process wildcards. These are inherent limitations of scp.
  • According to the network guy here (who I highly respect) many well-networked universities are moving to 100mbit switched non-blocked full duplex. (meaning I have 100 mbit link to anywhere on campus no matter what.) This is mainly in preparation for video over the local network. (In fact, we already have a video server here which allows students to "rent" movies for the day to watch on their computer for a small fee.)

    I expect other universities to follow in the coming years. I guess I assumed that other schools would pick up with this a little er. (especially CMU, although they seem to focus more on wireless networks..)


    -- Thrakkerzog
  • It depends on the network. In a shared non-switched environment, password sniffing is very simple. Many universities are migrating to 100mbit switched networks, which means your traffic is localized. (except for broadcast traffic, of course.) This also means that you can not switch your ethernet card into promiscuous mode and lift passwords as easily.


    -- Thrakkerzog
  • I use something like this very often: scp box:`pwd`/files\* .
  • Here's some of what smoothwall tells you do to:

    If you are in Windows bring up a dos session and make sure you are in the same directory as where you downloaded the tar.gz file - please make sure you follow this instruction. Linux / BSD / GNU based systems users you all know what you're doing so we won't teach you to suck too many eggs in this instruction in fact we won't teach you to suck any eggs and congratulate you on running a free operating system that enhances your standing in the community.

    Please open up a terminal window and type in the following:

    ftp __.___.___.___ [substitute underscores for the ip address of your SmoothWall server]

    When prompted for username type root

    When prompted for password type the password you allocated for root

    then follow the following instructions

    bin [followed by return]

    put smoothwall-openssh-2.3.0p1.tar.gz [followed by return]

    Once this operation is complete type

    quit [followed by return]

    Funny, I thought that one of the great advantages of using SSH (aside from the port forwarding) was that you'd never have to send your password in cleartext. Besides, who actually allows root to connect to their FTP server? The conventional wisdom has always been that root is too powerful to "just FTP".

    Suck eggs, indeed.

  • Oh it's simple. you look at security advisories but you do not download every update that floats down. A good sysadmin does not apply patches/updates/other fodder just because they are there. The sysadmin applies them if they are needed.

    I have 1 server running that has a 1.2 kernel on it. it hasn't been updated because it doesn't need to be.(and is in a remote location that takes days to reach) Only the foolish fix things that aren't broke.

    So, as one of the best sysadmins my corporation has, I DON'T update important software every few weeks.

    P.S.- we still run NT 3.5 servers too for critical systems. Could an entire industry be foolish by not updating every few weeks? I think not.

  • Actually, sftp support was recently added (it's available in the 2.3.0 version I just finished putting in all my servers ;-)

  • Shouldn't Theo have caught this? or is he only concerned with OpenSSH?

    Read past the headline:

    Practically all common versions of SSH1 are affected,
    except OpenSSH 2.3.0.

    So Theo (or someone else working on OpenSSH) DID catch it. Maybe they didn't know they caught it, or that it was exploitable, but they did fix it.

  • i was using the portable version, it's just that, by default, it likes you to use PAM for password authentication, which slackware doesn't. if you don't use PAM, it likes you to have your passwords encrypted with crypt. mine aren't.

    i had to use a few special configuration parameters (i think they were --enable-md5 --enable-shadow and --disable-pam, but i'm not sure. that's from memory.)

  • sftp is a problem because there are so few clients that support it. True, I could use it to send files between my servers, but for windows and mac it gets a little trickier. Can anyone recommend a good SFTP client for Mac/Win32?
  • People are going to ignore it but simply disable SSH1 and make sure your sshd is NOT that old.

    Yeah, /usr/ports for freebsd 3 still uses openssh 2.2, but disabling protocol 1 is at least a quick fix while a more stable thing is done.

    ---

  • Actually, if the poster was serious, I doubt he was supporting VB, but rather something like SML/NJ [bell-labs.com]. The proponents [cmu.edu] of this language insist that their programs can be made unhackable because they can be mathematically proven to be secure.

    Of course, I don't think this is the way to go - mostly because current SML implementations are damn slow, and I'm a C bigot. ;->
    --------------------------
  • by ??? ( 35971 )
    There are a large number of ISPs which do not use switched networks, and also do not use AntiSniff [securitysoftwaretech.com]. As a result, they have no protection against this. Seeing as you seem to believe that most ISPs prevent this, how do you believe they do that?

    Furthermore, the belief that every router hop from your machine to the machine you're connected to is secure is fatally mistaken. Just because your ISP has effective security measures does not mean that everyone on the route has the same effective measures.
  • Unless of course you're using telnet on an Irix box, thanks to that telnetd sploit (buffer overflow I believe) from August '00. It's a breeze to crack and I've used it myself a number of times to try to fix a few lab machines from another department.

    --

  • Right, better use Windows/Visual Basic instead, which assume the coder doesn't know what he is doing, and thus introduce security holes on his behalf...
  • You're right. Most of us don't have any data on our machines that really needs to be protected from the off chance that someone might see it. But, this isn't why I want to keep crackers/Script Kiddyz out of my machine. I can't afford to have my machine used for criminal activities, I have things on my machine that I would really miss if they were gone, I don't want to have to spend a whole evening reinstalling the operating system and making sure that all the holes are properly closed this time.

    Just because I don't have classified data on my computer doesn't mean that I want to have it broken into and that I shouldn't take reasonable precautions to see that my system is safe.
    _____________

  • It looks like Debian already has the updated version available.
    More information available on the debian package at http://www.debian.org/security/2001/dsa-026/
  • First bind, then ssh.. what's next -- will somebody find a way to hack Hotmail?!

    Oh, wait.. :)


    ----------
  • lizrd got the first point, which is that someone coming in and fucking up your data, "sensitive" or not, is a serious pain, even if you have comprehensive backups.

    The second point is that while you may not be a criminal, leaving your box open to something like this makes you criminally stupid. Some script kiddie may jump in and start setting up IRC servers and using your machine to help in some DDOS attacks. Try proving to your local authorities that just because the logs say the attacks came from YOUR IP that it wasn't YOUR fault and that, please officer, can I have my computer back now?
  • I thought we had already discussed [slashdot.org] that we should all move away from SSH1 and use SSH2... As advised by SecurityPortal [securityportal.com], I upgraded my server and clients to SSH2. I for one am feeling safe, now, at least for the few next weeks/months...
  • those are all grammatical errors because I didn't proof read my post, half of which are the result of typos. I think you'll find that the norm here at /.

    As for OpenSSH, I didn't know Theo worked on it, But I did know OpenSSH and OpenBSD we're related. which explains what I said, also you we're the second person to call me on that, it wasn't necessary, but it reinforced your augments that I am an idiot. You're going out on a limb calling me on things like capitalization, and obviously on purpose misspellings.

    recently I've been losing patience with slashdot, and posting garbage. if you look at my history you'll notice many of my posts have been modded down (some way down) after they we're modded up. As you can also see i have the +2 bonus, and am, from time to time a modertor, which means i must have gotten karma at some point.

    I'm sick of the slashdot way of karma whoring, so I'm also getting lazy, impatient and bored.. I've been posting stuff just to see how it gets received, not because I believe in what I say, or even care about what I'm talking about.

    Am at a point where I don't care about my karma, I don't care if other people don't like what I say, I think I'm turning into what slashdot concedes a troll, and if so, so be it.

    -Jon

    Streamripper [sourceforge.net]

  • I was just talked to a friend of mine last night, he's a computer security guy. He told me about how the Public/Private keys we're only used for trading a 2 way cypher, like 3DES, or some other cheaper cypher, once they both new the key for that, they would exchange data old sk00l (if you will).

    So I said "huh, so except for a man in the middle attack, or brute force, there's really no attacks", "yup". then i said "So all those exploits on ssh are just coding errors right?", "yup".

    so what is this like 4th r00t expliot from ssh? You would really think that people making an app to improve security would be more careful about this. Or maybe they did, and it's one of those new sprintf one's, if I remember from defcon (boy that sucked) there was a common exploit via sprintf's that wasn't widely known until recently... , something to do with %n I think..

    Shouldn't Theo have caught this? or is he only concerned with OpenSSH?

    -Jon

    Streamripper [sourceforge.net]

  • It is strange that you should say this, because the present exploit has nothing to do with buffer overflows. If there is anything to be said about "safe" or "unsafe", it is that you can write unsafe programs in any language. As far as I can tell, C is still a good language for doing systems work.
  • By now, it should be very clear that software written in C is inherently insecure. It's just too easy to create buffer overflow situations.

    Personally, I'd like to see a move to Modula 3 or Ada for trusted modules, but so few people know those languages now. Hard-compiled Java, maybe.

  • switched networks are not necessarily any safer than networks based around hubs. check out dug song's dsniff package [monkey.org] to see just how vulnerable switched networks can be.

    anytime you communicate with anything other than yourself, the Trust issue comes into play.

    -f

  • >Shouldn't Theo have caught this? or is he only concerned with OpenSSH?

    why should Theo care about anything other than OpenSSH? Should Linus be looking for windows vulnerabilities?

    -f

  • Newer versions of GCC can generate diagnostics as they compile and optimize.
    gcc -Wall -W -O -c foo.c will generate lots of helpful diagnostics on stderr.
    Like Tetris? Like drugs? Ever try combining them? [pineight.com]
  • The *point* was whether or not someone would need to access to a major node to sniff your data. Yes, this internet is a public network. No, it does not apply to what I'm saying. Otherwise I could just sit on my dialup link, fire up a sniffer and watch every bit of traffic on the internet go by. Also, the post I was replying to was not the original post.
  • WHAT? Your pop mail ISN'T encrypted with pgp/gpg? I have all the people I really care to talk to properly educated in how to use PGP. Even my wife, who found giving up AOL to be highly traumatic. Hell, I've got my filters set up to send anything that ISN'T signed or encrypted directly to the spam box.
  • What in the world does that have to do with sending your POP password in plain text to fetch your PGP encrypted email?
    Because if all the (important) mail is encrypted, it really doesn't really matter if someone sniffs your POP password and downloads your messages, unless you are stupid enough to use your POP password for something important. You know your POP3 password is going out in the clear, so don't use it for anything else.

    The worst thing that can happen if your messages are encrypted is that the attacker can delete them from your mailbox. This amounts to a pretty lame DoS attack - annoying but not catastrophic. If it's a message that absolutely MUST go through, you shouldn't be relying on email in the first place. It would be a pretty stupid attack anyway, because the target would know pretty quickly that their comm channel has been compromised.

    An attacker could find out the names and emails of the people you are conversing with, but they could get that information anyway, by sniffing it out of the headers of the incoming SMTP messages (for example). [Traffic analysis, anyone?] If you need to conceal WHO you are talking to, you need to use some sort of dead drop arrangement, like posting an image with a steganographically-imbedded message to usenet or a free webpage.

    Whining about the insecurity of POP3 (and SMTP) isn't a productive use of your time. Virtually every ISP in the world uses POP3/SMTP for email. It's insecure. Deal with it. If security matters, host your own Secure IMAP server and encrypt all your traffic. Your ISP isn't going to be changing its email infrastructure any time soon. (Talk about a major tech support nightmare!) Sure, it would be nice if email had end-to-end encryption that is completely transparent to the end user, but that's not going to happen around any time soon. You've got to make do with the tools you have to work with.

  • You are making the all-too-common mistake of confusing the Java programming language with the Java Run-Time environment / virtual machine. They are totally separate things.

    There is no reason why you cannot compile your Java language source code into native machine code for a specific architecture / OS. Likewise, you could compile C/C++ source into Java byte codes and run it on any Java virtual machine.

    From my experience, Java programs compiled into native machine code have near-identical performance to C++ implementations of the same programs. You lose object-level portability by doing native compilation, but you still have 100% source code compatibility; which is more than you can say for C (#ifdef, anyone?)

    Actually, for highly reliable system level programming, ADA is probably the best choice. It was specifically designed for safety and reliability - which is why it is the preferred language in the Avionics and Nuclear Power industries. Too bad that nobody outside those niches uses it.

  • Ok.. will someone explain to me how a #2 post can be "Redundant" when the first post was just a first post ?

    Geez moderators, browsing at "+2 newest first" isn't exactly bright.
  • so what is this like 4th r00t expliot from ssh? You would really think that people making an app to improve security would be more careful about this

    In C, it's very hard to get this right: just about every statement can lead to these kinds of problems: unchecked overflows, unchecked pointer dereferences, etc. People simply cannot handle that complexity and also get the code to work right. There are doubtlessly lots and lots of other problems like this in ssh, as well as most other Linux, UNIX, and Windows programs. (C++ lets you do a little better in principle, but the way most people use it, it's just as bad.)

    If you want to write code that doesn't suffer from these problems without spending many times as much time on trying to find such silly bugs compared to expressing the actual algorithm, use a language that has some built-in error checking. Java, Modula-2, Modula-3, Ada, Oberon, whatever.

    Clunky? Inconvenient? Not as many libraries available in those languages? All true. But that's because they aren't used enough, not because there is anything inherently wrong with them.

  • The present exploit has to do with unsafe languages in two ways. First, it allows an arithmetic operation to overflow without catching the error. Second, it allows an out-of-bounds memory reference based on that erroneous result. Any decent systems programming language with safety features should have caught both errors.

    C is a "good language for doing systems work" if safety, security, and correctness are not very high priorities and if your programs are reasonably small. That was true of the original UNIX system. It isn't true of something like SSH or other network services (security is of paramount importance) and it isn't true either of huge GUI applications (too many potential sources of errors to ever get something really reliable).

    (In theory, C++ could be a little better, but in practice, the way C++ is actually used, the same comments apply to C++.)

  • If you cvsup to FreeBSD 4.2 STABLE you will get OpenSSH 2.3 :) Ok, I know it's not a small step to cvsup from 3.x to 4.x, but it could be worth it in many different areas.
  • by Wakko Warner ( 324 ) on Friday February 09, 2001 @08:36AM (#443813)
    I'm running 3.4-STABLE (yeah, I know, everyone and their dog keeps telling me to upgrade, but it works), and I basically had to rewrite ssh to get the fucking thing to compile, as it wouldn't compile from source.

    Go to the ports directory, you say. That doesn't compile either. the SSH2 port doesn't compile either! Neither will OpenSSH (it warns about remote root exploits, really helpful), and the latest maintained official ssh1 version is 1.2.27.

    I expect to find a lot of rootable old FreeBSD boxes out there. :(

    - A.P.

    --
    * CmdrTaco is an idiot.

  • Not true. There were two separate vulnerabilities announced yesterday. The first just involves changing the static word16 to a static word32, but the second attack involved connecting many times to determine a session key. With the session key (and a sniffed session), one could decrypt the entire ssh session. Here's the patch for this one (for ssh-1.2.31 and below):

    --- rsaglue.c 1999/12/10 23:27:25 1.8
    +++ rsaglue.c 2001/02/03 09:42:05
    @@ -264,7 +268,15 @@
    mpz_clear(&aux);

    if (value[0] != 0 || value[1] != 2)
    - fatal("Bad result from rsa_private_decrypt");
    + {
    + static time_t last_kill_time = 0;
    + if (time(NULL) - last_kill_time > 60 && getppid() != 1)
    + {
    + last_kill_time = time(NULL);
    + kill(SIGALRM, getppid());
    + }
    + fatal("Bad result from rsa_private_decrypt");
    + }

    for (i = 2; i len && value[i]; i++)
    ;
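
    Review bot: in the added block the arguments to kill() are reversed: `kill(SIGALRM, getppid())` passes the signal number as the process id and the parent's pid as the signal number, while the prototype is kill(pid_t pid, int sig). It should read `kill(getppid(), SIGALRM);`, and the return value deserves a check or a log line so a failed notification to the parent is visible. A one-line comment saying what the parent is expected to do on SIGALRM would also help, since nothing in this hunk shows it.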

    and here's the previously discussed patch:

    --- ssh-1.2.31/deattack.c-old Wed Feb 7 19:45:16 2001
    +++ ssh-1.2.31/deattack.c Wed Feb 7 19:54:11 2001
    @@ -79,7 +79,7 @@
    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
    {
    static word16 *h = (word16 *) NULL;
    - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
    register unsigned char *c;
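
    Review bot: widening `n` to word32 stops the entry count from being truncated, but this hunk adds no upper bound on `len`, which is a word32 parameter of detect_attack(). Suggest rejecting an oversized `len` at the top of the function before any sizing is done, and adding a comment on `n` noting that it must be wide enough for the largest count derived from `len`, so the type is not narrowed again later.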

    Also, it should be pointed out that openssh-2.3.0 isn't supported on openBSD <=2.6, so if you run an older openBSD, you either have to upgrade or switch to ssh.com's ssh....

  • by roca ( 43122 ) on Friday February 09, 2001 @08:00AM (#443815) Homepage
    You are wrong. The present exploit has everything to do with buffer overflows. In this case the "buffer" is a hash table; the exploit depends on writing data outside the bounds of the hash table, which would be caught by a safe language.
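
The two failures named in the comments above (an unchecked arithmetic overflow, then a hash-table access that trusts the result) can be modelled in isolation. This is an added example, not code from ssh or from any poster; the constant values, the growth rule in `wanted_entries`, the helper names and the input length are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model; the thread only names the two HASH_* macros. */
#define HASH_ENTRYSIZE 2u
#define HASH_MINSIZE   (8u * 1024u)
#define BLOCKSIZE      8u            /* assumed cipher block size */

/* Assumed growth rule: start at the minimum entry count and quadruple it
 * until there are 1.5 table entries per input block. */
uint32_t wanted_entries(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t need = (len / BLOCKSIZE) * 3u / 2u;
    while (l < need)
        l <<= 2;
    return l;
}

/* Pre-patch shape ("static word16 n"): the high bits are dropped silently. */
uint16_t entries_word16(uint32_t len) { return (uint16_t)wanted_entries(len); }

/* Post-patch shape ("static word32 n"): the full count survives. */
uint32_t entries_word32(uint32_t len) { return wanted_entries(len); }

/* First check a safe language performs: refuse a narrowing that loses bits.
 * Returns 0 and stores the count, or -1 if it does not fit in 16 bits. */
int checked_entries_u16(uint32_t len, uint16_t *n)
{
    uint32_t l = wanted_entries(len);
    if (l > UINT16_MAX)
        return -1;
    *n = (uint16_t)l;
    return 0;
}

/* Second check: every table access is validated against the entry count. */
int slot_in_bounds(uint32_t index, uint32_t n) { return index < n; }

int main(void)
{
    uint32_t len = 88000;            /* constructed input length */
    uint16_t n16 = 0;
    printf("word16 n=%u word32 n=%u\n",
           (unsigned)entries_word16(len), (unsigned)entries_word32(len));
    printf("checked narrowing: %d, slot 5 in bounds of n=0: %d\n",
           checked_entries_u16(len, &n16), slot_in_bounds(5, entries_word16(len)));
    return 0;
}
```

With the 16-bit counter the table is recorded as having zero entries for the larger input, so either check alone would have stopped the access that follows.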
  • by CrayDrygu ( 56003 ) on Friday February 09, 2001 @06:53AM (#443816)
    I know, don't feed the trolls, but this one's just so obvious...

    1) This affects all common implementations, including the commercial one from SSH.com

    2) This doesn't affect OpenSSH 2.3.0, which is Open Source!

    Suck it.

    --

  • by MicroBerto ( 91055 ) on Friday February 09, 2001 @08:29AM (#443817)
    This is from the link on bindview:
    ** Vulnerable:
    SSH 1.2.x (ssh.com) -- all recent releases
    F-SECURE SSH 1.3.x -- all recent releases
    OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)
    OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH derived daemons

    ** Not vulnerable:

    SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback support are vulnerable
    OpenSSH 2.3.0 (problem fixed)
    SSH1 releases prior to 1.2.24 (vulnerable to crc attacks)
    Cisco SSH (own implementation)
    LSH (SSH protocol 1 not supported)
    Now, are there any reasons NOT to be using OpenSSH? I've had 2.3.0+ for some time, and it seems to have a great track record!

    Mike Roberto
    - GAIM: MicroBerto
  • by fatphil ( 181876 ) on Friday February 09, 2001 @07:39AM (#443818) Homepage
    Indeed you're right.
    I find it odd that commercial companies, like our F-Secure, have been too tight to buy a copy of ProLint and run it, or have willfully ignored the warning messages that it would produce.
    The 10 commandments of C programming still hold true...

    FatPhil


    -- Real Men Don't Use Porn. -- Morality In Media Billboards
  • by Karma Sink ( 229208 ) <oakianus@fuckmicrosoft.com> on Friday February 09, 2001 @06:39AM (#443819) Homepage
    It's a race against the clock... All the Skript Kiddies who read /. settle in against all the sys admins... ready, set, go! Which one's easier to find, the patch, or the 'Sploit? Hurry, hurry!!!
  • by BEHiker57W ( 253848 ) on Friday February 09, 2001 @09:40AM (#443820)
    Sure OpenSSH will protect you when you log into your *nix box. But what happens when you go to get your POP mail from your ISP? You send out your password in plaintext and then your mail is completely vulnerable. Does anyone make a mail server that encrypts with common clients?

    -Brian

  • by Ruzty ( 46204 ) <rusty@@@mraz...org> on Friday February 09, 2001 @06:38AM (#443821) Journal
    You need to change a single variable declaration in one function and re-make. This is difficult to abuse and simple to correct.

    Refer to the article for the patch/change.
    -Rusty

  • by mkettler ( 6309 ) on Friday February 09, 2001 @06:50AM (#443822)
    I had similar troubles trying to compile OpenSSH on my linux box. Then I discovered they have a separate "portable" distribution for non OpenBSD boxes. I picked the portable one, ./configure; make; make install, done.

    The "standard" tarball linked under "getting source" on the OpenSSH page is for OpenBSD and does not have a configure script, just an installer.

    If you download OpenSSH for a non OpenBSD box, make sure you pick the portable version. (under operating systems click on your operating system, or go to: http://www.openssh.com/portable.html [openssh.com]).

  • by Multiple Sanchez ( 16336 ) on Friday February 09, 2001 @06:43AM (#443823)
    Script kiddie this, script kiddie that. I'm sick of it. I pay my taxes, I'm balding, I'm in serious debt to MasterCard... I'm a script adult.
  • by Saint Nobody ( 21391 ) on Friday February 09, 2001 @06:40AM (#443824) Homepage Journal

    there were arguments to switch to openssh before, but never one that was this practical in nature.

    the only downside of openssh that i've seen was that it was a pain to figure out which compile-time options i needed. make sure you know exactly how your passwords are stored on your box. once i had that figured out, i liked it better than i ever liked the commercial SSH.

  • ...if we still used telnet.

  • by Xibby ( 232218 ) <zibby+slashdot@ringworld.org> on Friday February 09, 2001 @06:47AM (#443826) Homepage Journal
    Debian 2.2 OpenSSH package has already been fixed. As usual, they have backported the fix to the version of ssh in stable (v1.2.3).

    Make sure you have the Debian security sources in /etc/apt/sources.list, then apt-get update && apt-get upgrade.

    deb http://security.debian.org/ stable/updates main contrib non-free
    deb-src http://security.debian.org/ stable/updates main contrib non-free

    /usr/share/doc/ssh/changelog.Debian.gz
    openssh (1:1.2.3-9.2) stable; urgency=high
    * Non-maintainer upload by Security Team
    * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
    * Added modified build dependencies from unstable for convenience
    * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

    -- Martin Schulze Thu, 8 Feb 2001 22:15:04 +0100

  • by Wills ( 242929 ) on Friday February 09, 2001 @11:46AM (#443827)

    What is it with caching contents of a POST method -- netscape picked up its cached version of my previous post...

    Last correction: patch < deattack.c.patch using the following text copied into deattack.c.patch

    --- deattack.c Wed May 12 12:19:25 1999
    +++ deattack.c.orig Fri Feb 9 20:00:21 2001
    @@ -79,7 +79,7 @@
    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
    {
    static word16 *h = (word16 *) NULL;
    - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
    register unsigned char *c;
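
    Review bot: the file headers are the wrong way round: `--- deattack.c` is labelled as the old file and `+++ deattack.c.orig` as the new one, although the `+` line carries the fixed word32 declaration. Regenerate the diff with the untouched copy first (`diff -u deattack.c.orig deattack.c`) so the headers name the file that `patch` should modify and nobody ends up applying it in reverse.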
