New ssh Exploit in the Wild

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

Uh oh

[Anonymous Coward]

Best patch and upgr..&*[NO CARRIER]

Another place to find the patch/bug advisory

[vt0asta]

http://www.securityfocus.com/archive/1/337662/2003 -09-13/2003-09-19/0 [securityfocus.com]

Re:Uh oh - no funny

[theLOUDroom]

Yeah those "NO CARRIER" jokes just aren't fun@~%4!.z^%r#$% NO CARRIER

See this comment for BSD patch and info

[setzman]

http://slashdot.org/comments.pl?sid=78698&cid=6974 742 [slashdot.org]

Re:See this comment for BSD patch and info

[ChiefArcher]

I just made RH9/8/7.3 RPMS
since RH hasn't released any yet...
it's backported from the 9.0 update ssh SRPM.

my bandwidth is VERY limited... so AIM ME at "Swell500" and i'll send ya a link to grab them until RH releases official patches.

ChiefArcher

Re:See this comment for BSD patch and info

[Kingpin]

Your intentions are probably noble, but why should I trust you? Would you trust "you"?

Trust me... View the srpm

[ChiefArcher]

I've released the SOURCE RPM...
you can always grab it and see for yourself..
I only changed buffer.c

Feel free to see for yourself..

I had to make all of these this morning to patch our systems..

ChiefArcher

Re:See this comment for BSD patch and info

[corz]

This is going to probably cost me a lot of money in bandwidth charges... but what the hell.

I've packaged up rpm's (minus the x11-askpass stuff) for Red Hat 7.2 and 7.3. You can download the packages at http://projects.standblue.net/rpms/openssh/3.7p1/

Re:See this comment for BSD patch and info

[1010011010]

Here's a (T1-hosted, be nice) mirror of his packages: http://www.flyingbuttmonkeys.com/ssh/ [flyingbuttmonkeys.com]

Please take only the package you need.

intentions are noble and MIRROR now

[ChiefArcher]

you have an email address to...
and a resume www.briangannon.com
and the Source RPMS.

http://stradlin.com/ssh [stradlin.com]
if you do a diff on the sources, you will see I only edited buffer.c
my intentions are completely noble.
How can you really trust Redhat? One of the disgruntled developers could put a backdoor in a patch?

ChiefArcher

Questions.

[grub]

I have to wonder if UsePrivilegeSeparation was enabled. (see the manpage [openbsd.org])

One message in the thread indicates it is but this isn't first-hand knowledge. If PrivSep was enabled then is OpenBSD immune to this attack due to other parts of the OS being hardened (much like the zlib hole a few months back)? Also are these default installations or are they "tweaked"? As an aside, PermitRootLogin defaults to enabled, something I always disable as I have no need for it.

Even if this does count as a new remote hole in OpenBSD, it's still a phenomenal track record they can be proud of.

Re:Questions.

[ndogg]

Good.

That means that Debian's default configuration for sshd is also secure.

CRAP!

[code shady]

Looks like its time to turn the port forwarding on my router off, and wait for apple to provide a patch.
The advisory itself says The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH. So i'm going to assume that OS X is affected as well.

Re:CRAP!

[caluml]

Good point. Something like:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW --limit 5/min --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP ...might do the trick of slowing them down. Mind you, you wouldn't be able to get a connection either if they were attacking your box

Public Service

[Morologous]

Posting this to slashdot is actually a public service, as the exploit description will be /.'d and unable to effectively be disseminated to the bad actors.

Patch

[Karamchand]

Link to a patch [theaimsgroup.com].

Full Disclosure

[Anonymous Coward]

[Full-Disclosure] new ssh exploit?
christopher neitzert chris@neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh
2. add explicit rules to your edge devices allowing ssh from only-known
hosts.
3. put ssh behind a VPN on RFC-1918 space.

On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> Does anyone know of or have source related to a new, and unpublished ssh
> exploit? An ISP I work with has filtered all SSH connections due to
> several root level incidents involving ssh. Any information is
> appreciated.

The "Full Disclosure" message is stupid

[JoeBuck]

It appears that the OpenSSH people found this bug first, and released a fix in version 3.7. People who studied this fix then found the exploit. So it's stupid for this guy to tell people "upgrade to lsh", since the whole reason his buds know about this bug is because 3.7 fixes it.

Debian?

[bahamat]

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

Odd. I run Debian on all of my systems and PermitRootLogin is set to no on all of them. Sarge and Sid also have UsePrivilegeSeparation set to yes by default.

Telnet

[Henry V .009]

Thank god I'm using something secure like Telnet instead.

Re:Telnet

[fliplap]

too bad you're running a stock Solaris installation!

Re:Telnet

[dasunt]

Of course, if you used telnetd-ssl, you might be correct. :)

[ Caveat: Haven't been following the security problems with telnetd-ssl ]

Nothing confirmed so far...

[ferratus]

Reading the mailing list, it appears that there's nothing confirmed so far. Let's hope its just a false rumour.

There's only one guy that says it its ISP has blocked all incoming SSH connection due to "several root level incidents".

One guy did say that there was a bug somewhere and that a patch existed...No one knows what patch or where it is though.

Let's hope to publish this one quickly before there's any ral damage done.

Wrapping defense

[secolactico]

Won't having the sshd wrapped (/etc/hosts.allow, /etc/hosts.deny) help offset the damage somewhat?

Re:Wrapping defense

[Minna Kirai]

That's a partial defense, and relates to a suggestion made in the mailing list announcement of the vulnerability.

However, if you're a paranoid or pessimistic kind of person, you shouldn't rely on hosts.allow to protect you.

Assuming that your ISP is taken over (either by hackers, or the FBI), they can re-number any internet packets destined to you. The hosts_access system will have no way to tell that a datastream is from a spoofed source. The "source address" field of IP packets can be falsified, and th

It'll help, and also:

[TomatoMan]

you can restrict access in your /etc/sshd_config (wherever you have it) like so until you can get the patched version, if you allow access from anywhere:

DenyUsers *
AllowUsers you@your_ip_address

(and restart sshd)

You can also firewall the port off. I've done a hodge-podge of these solutions on different systems I admin until I can actually get the 3.7p1 source from the mirrors (they dont' seem to have it yet).

Re:It'll help, and also:

[missing000]

That string won't work. (At least under RH9).

If you want to block all users but your list of allowed users, just use:

AllowUsers user1@users_ip_address user2@users_ip_address ... # To allow only by IP address

or AllowUsers user1 user2 ... # To allow from any IP

That DenyUsers string blocks your list of allowd no matter where you put it.

ERROR: MOD (my) PARENT DOWN, MOD THIS UP INSTEAD

[TomatoMan]

missing000's comment [slashdot.org] is quite correct, there's a mistake in my original post. Omit the DenyUsers line, it will override the AllowUsers line. Just use the AllowUsers line by itself.

Sorry.

AllowUsers you@your_ip_address

Remember, always test making a new ssh connection before logging out of your existing one, after restarting sshd.

Re:It'll help, and also:

[maiden_taiwan]

"AllowUsers you@your_ip_address" doesn't do what you might think it does. As written, it looks like it says something about a remote user. It doesn't.

It is better explained as "AllowUsers localAccount@remote_ip_address". It means: "Allow SSH connections from anybody at remote_ip_address to connect to localAccount." (Of course the remote user still must authenticate successfully.)

The syntax unfortunately looks like it specifies a remote user. It doesn't. It defines a relationship between a remote IP address and a local user.

Trust me, I wrote the book [snailbook.com]. :-)

Bits and pieces so far...

[Oestergaard]

Yes, there is a vuln. in 3.6. You need to upgrade to 3.7 which was released today, to be safe (well, 'safer' anyway).

It will be 3.7p1 for us non-OpenBSD people.

It is a patch to one file, buffer.c, which fixes some allocation/offset stuff.

It seems that privilege separation does *not* help here - so get them systems patched (and firewalled)!

Update for debian

[Oestergaard]

An updated ssh package just hit the Debian security mirrors.

For anyone running debian stable:
apt-get update
apt-get upgrade

Re:Update for debian

[bartman]

Debian is absolutely amazing.

bug 211205 [debian.org], which deals with this expoit, was resolved in 2h after the announcement. I had my box patched 15min after the slashdot story hit.

Really good stuff.

Re:Update for debian

[Oestergaard]

It seems that you are right... Just one box. Impressive.

It's impressive in more ways than that - a quick nmap run shows that it has *heaps* of services running, freely available from the net. Among them, postgres, (some) named and SSH.

Apart from the single-point-of-failure problem, why on earth are we running updates from a machine with more holes than a swiss cheese?

Wouldn't it be pretty simple to find an exploit in one of the many services (I bet postgresql will have an overflow or two, having it avail

Re:Update for debian

[Oestergaard]

What? No!

vsftpd is defensible, given that it's an FTP server. And that's it.

Why do *I* need SSH, finger, DNS, PostgreSQL, ..., services from that machine? I don't!

If you telnet to a known postgresql server and send it 'asdf', it will reply with 'EFATAL 1: invalid length of startup packet'. When you telnet to security.debian.org on it's postgresql port, it responds with exactly the same message.

So, to answer the other poster: it pretty much looks like a postgresql server - and it sure didn't firewall

Re:Update for debian

[Ambassador Kosh]

Actually there is. http://incoming.debian.org Whenever there is a security exploit the odds are the fix is already in incoming right away. Otherwise that should go into sid in about 6 hours I think.

For i386 the exact link is http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.de b

For Gentoo

[jehreg]

Just go to your net-misc/openssh directory:

• cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
• emerge --update openssh

The emerge will fetch the file and complain that there is no digest.

• ebuild openssh-3.7_p1.ebuild digest
• emerge --update openssh

Just tested it here, worked fine.
Pat

Re:For Gentoo

[Synn]

No it does not just pretend.

It renames the gentoo ebuild, which uses it's own name to figure out what to fetch and install.

So basically a 3.7_p1 named ebuild goes out and fetches the new 3.7 openssh package, compiles it and installs it.

Mirror of the vulnerability description

[Oestergaard]

To be found at:
http://unthought.net/ssh-vuln.html [unthought.net]

Re:Mirror of the vulnerability description

[coyul]

The bug must center around this line:

/* Increase the size of the buffer and retry. */
buffer->alloc += len + 32768;

It looks like the problem here is that buffer->alloc (which presumably stores the size of the buffer) grows on every try, while the actual size of the buffer grows only on successful tries. So you could have a situation where, after a couple of tries, the buffer is 65536, but buffer->alloc is 98304. This could potentially cause another part of the program to run past the actual end of the buffer.

The patch addresses this by only updating buffer->alloc after the new memory has been successfully allocated.

Re:Mirror of the vulnerability description

[Eddie the Jedi]

Is fatal misnamed? Does it keep doing more stuff even though something really bad just happened? That would be really stupid

It kind of does. Seems that fatal() calls fatal_cleanup() [cf fatal.c], which runs thru a list of callback procedures before exiting. Somewhere in those callbacks the function buffer_free() [cf buffer.c] might be called on the offending buffer. That function does a memset(buffer->buf, 0, buffer->alloc), and there's your overrun.

QED.

Re:Mirror of the vulnerability description

[Aardpig]

Why are they bothering with proper cleanup? This is FATAL CONDITION! ABANDON SHIP!

Only guessing, but how about to ensure that the freed memory isn't handed over to a subsequently-run app, still stuffed full of cryptographically-sensitive information?

guess who

[dwakeman]

Damn trinity and her sshnuke...

This is precisely...

[devphil]

...why I always go back and add security holes to all of my programs. If some future (or current) anti-regime hacker needs to be able to break into a local power plant, I want to make sure my code can help!

[I considered signing this post "love, Theo" but then thought better of it.]

Suggestions for a newbie?

[johnny1111_23]

Am pretty new to Linux, and am currently running a Lindows 4.0 installation my dad put on my computer.

How worried should I really be about this? And what steps should I be taking (or ask dad to take)? Since I gather Lindows is similar to Debian, should I just look for a Debian tutorial?

Thanks in advance.

Re:Suggestions for a newbie?

[Abcd1234]

Simple question: If it's Lindows, a) is it running sshd in the first place? And if so, b) *why* is it running sshd, since, in my estimation, an average Lindows user probably doesn't need sshd running. Of course, if you don't need sshd (since you don't access your box remotely), the obvious thing to do is kill and uninstall it (apt-get remove sshd), since it's just one more thing that could have a remote exploit in it.

Now, if you feel you need sshd, but can go without for a while, uninstall sshd in the short term and wait for an upgrade for your OS, at which point you can safely reinstall (it's a simple "apt-get install sshd").

Re:Suggestions for a newbie?

[The Grey Mouser]

How worried should I really be about this? And what steps should I be taking (or ask dad to take)? Since I gather Lindows is similar to Debian, should I just look for a Debian tutorial?


If you don't log on to your computer from another machine at school or wherever, then the safest thing would be to ensure that the ssh daemon is disabled. You can test this by just trying a "ssh localhost" at a command prompt. If you get a "Connection Refused" message, you're probably fine. To make sure, try executing "/et

WOW!!

[narratorDan]

I just read all these replies (about 15 right now) and all of them are nice and respectfull of the fact that this guy is a newbie!
I must be on the wrong site.

NarratorDan

Re:Suggestions for a newbie?

[metamatic]

Something you seem to have missed is that Linux is open source, making it much easier to find exploitable holes. Imagine how many exploits would be uncovered in Windows if we could read the source code.

In fact, you don't need to imagine it. Microsoft are on the record as stating that it's one of the reasons why they can't possibly reveal Windows source mode widely [eweek.com].

Re:Suggestions for a newbie?

[blazerw11]

There's a difference between getting your site hacked because your ISP forces you to use FTP giving hackers clear text id/password combos to use and your computer being hacked because the software is buggy.

This open ssh bug is "believed" to be a vulnerability, but they didn't want to worry about trying to find out if it was. They found the bug in a code audit and fixed it. They weren't forced to reveal it because of a threat of bad publicity.

And finally:
With the report last week of Linux being the mos

Try looking around a bit...

[LittleLebowskiUrbanA]

This has already been posted and a fix (upgrade to 3.7) has been posted to www.deadly.org

GOOD!! Red Hat, fix your RPMs!!

[RedHat Rocky]

Great, now maybe Redhat will fix their damn openssh RPMs that they fubarred [redhat.com] with their last patch!

Re:GOOD!! Red Hat, fix your RPMs!!

[opkool]

How to fix your RedHat box:

1.- Download the file openssh-3.7p1-1.src.rpm from any of the mirrors. For example:
ftp://ftp.easynet.be/openssh/portable/rp m/SRPMS/op enssh-3.7p1-1.src.rpm

2.- Build an .rpm for your RedHat Linux version:

# rpm --rebuild openssh-3.7p1-1.src.rpm

3.- Upgrade your OpenSSH packages:

# rpm -Fvh /usr/src/redhat/RPMS/i386/openssh-*.rpm

4.- Re-start your sshd daemon:

service sshd restart

5. Profit!^H^H^H^H^H errr, that's it.

Peace.

Re:GOOD!! Red Hat, fix your RPMs!!

[Zigg]

I think you mean:

Gentoo

emerge ssh

* GentooLamer has joined #gentoo
<GentooLamer> recompiling ssh right now, got some good pr0n to watch in the meantime
<fomit-instructions> yeah me too
<gcc-O9> I'm out of pr0n I compiled KDE last week

I saw this exploit used

[teamhasnoi]

I was at the local library, and some kids were on a computer, talking loudly. They seemed to be rather excited about something.

A librarian peeked around the corner to see where the noise was coming from, then put her finger to her lips and said, "Ssh!"

The kids ignored her and kept talking, completely and utterly exploiting the hole, and circumventing the 'Ssh'!

Never was I so frightened.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Mirror for mailing lists

[Doodhwala]

... can be found here http://archives.neohapsis.com/archives/fulldisclos ure/2003-q3/ [neohapsis.com]

OpenSSH 3.7 Release Announcement

[Tuck]

Rather than subject someone's server (like mine!) to a slashdotting, here's the full text of the announcement (slightly mangled to sneak past the lameness filter).

Subject: OpenSSH 3.7 released
Date: Tue, 16 Sep 2003 14:07:00 +0200
From: Markus Friedl
To: openssh-unix-dev _at_ mindrot.org

OpenSSH 3.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18

For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Security Changes:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

OpenSSH 3.7 fixes this bug.

Changes since OpenSSH 3.6.1:

* The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.

* Rhosts authentication has been removed in ssh(1) and sshd(8).

* Changes in Kerberos support:

- KerberosV password support now uses a file cache instead of a memory cache.

- KerberosIV and AFS support has been removed.

- KerberosV support has been removed from SSH protocol 1.

- KerberosV password authentication support remains for SSH protocols 1 and 2.

- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.

* Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order:

1. ssh-agent(1) keys that are found in the ssh_config(5) file
2. remaining ssh-agent(1) keys
3. keys that are only listed in the ssh_config(5) file

This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.

* SOCKS5 support has been added to the dynamic forwarding mode in ssh(1).

* Removed implementation barriers to operation of SSH over SCTP.

* sftp(1) client can now transfer files with quote characters in their filenames.

* Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed.

* Fix a number of memory leaks.

* Support for sending tty BREAK over SSH protocol 2.

* Workaround for other vendor bugs in KEX guess handling.

* Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).

* Automatic re-keying based on amount of data sent over connection.

* New AddressFamily option on client to select protocol to use (IPv4 or IPv6).

* Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2.

* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.

* Portable OpenSSH:

- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.

- PAM support may now be enabled/disabled at runtime using the UsePAM directive.

- Many improvements to the OpenSC smartcard support.

- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in t

Right...

[guinsu]

As opposed to the lengths people will go to to damage Microsoft? But that's ok, right?

OpenSSH Security Advisory

[next_permutation]

An OpenSSH Security Advisory [openssh.com] was just posted about this.

Coincidence, Or...

[4of12]

So I hear about this ssh exploit the exact same day that my inbox has Markus Friedl's announcement of the release of OpenSSH 3.7.

Either someone on the ssh team is making money from new releases or some black hat, upon downloading 3.7 and seeing the exploit fixed, decided to strike while the iron was still hot (machines weren't yet upgraded).

Re:Coincidence, Or...

[s.d.]

Why the conspiracy theory? Why isn't it possible that the bug had been identified, the developers decided it was enough of a reason to push a new release, and when the new release is pushed, with the reason being b/c of a bug that may or may not be exploitable. Then unsubstantiated rumors of exploits start floating around b/c of this.

There isn't a grand conspiracy. It's just how people work. I person says something like, "So I heared that there is the possibility of an exploit due to a bug in OpenSSH t

Updating for Gentoo

[Synn]

If you don't want to wait for the official ebuild:

cd /usr/portage/net-misc/openssh/
cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
emerge -f openssh-3.7_p1.ebuild
ebuild openssh-3.7_p1.ebuild digest
emerge openssh-3.7_p1.ebuild

Re:Updating for Gentoo

[Aardpig]

If you don't want to wait for the official ebuild:

cd /usr/portage/net-misc/openssh/
cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
emerge -f openssh-3.7_p1.ebuild
ebuild openssh-3.7_p1.ebuild digest
emerge openssh-3.7_p1.ebuild

This will fail if you have kerberos support USE'd, with an error involving gssapi.h not being found. The solution? Replace the final line with this:

USE="-kerberos" emerge openssh-3.7_p1.ebuild

Why all the lsh plugs?

[kakos]

It seems to me that a package that goes through code security audits regularly and is actually finished is infinitely more secure than an incomplete package?

Why are there people suggesting to go from a secure package to an insecure one?

Redhat RPMs are available

[pollock]

Redhat has finally posted patched RPMS on their errata [redhat.com] pages. Scroll down and select your release.

Redhat Advisory RHSA-2003-279

[gunnarE]

Redhat just released an advisory with links to updated RPMS: RHSA-2003-279 [redhat.com]

FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

[dnaumov]

The FreeBSD team has released a related Security Advisory [freebsd.org] and issued patches for affected FreeBSD versions as well as OpenSSH in the ports tree.

Corrected:
2003-09-16 16:24:02 UTC (RELENG_4)
2003-09-16 16:27:57 UTC (RELENG_5_1)
2003-09-16 17:34:32 UTC (RELENG_5_0)
2003-09-16 16:24:02 UTC (RELENG_4_8)
2003-09-16 16:45:16 UTC (RELENG_4_7)
2003-09-16 17:44:15 UTC (RELENG_4_6)
2003-09-16 17:45:23 UTC (RELENG_4_5)
2003-09-16 17:46:02 UTC (RELENG_4_4)
2003-09-16 17:46:37 UTC (RELENG_4_3)
2003-09-16 12:43:09 UTC (ports/security/openssh)
2003-09-16 12:43:10 UTC (ports/security/openssh-portable)

iptables and ipchains scripts to limit SSH access

[getnuked]

If you can't get to an update for your distro, here is a quick and dirty script for both iptables and ipchains based machines to limit SSH access to only specific IPs (replace 1.2.3.4 with the address you want to connect from, add more lines to add more hosts) - of course these only apply to Linux based machines with either iptables or ipchains in the kernel or available as modules:

iptables:

#!/bin/sh

insmod iptables

iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4
iptables -A INPUT -j DROP -p tcp --destination-port 22
iptables -A INPUT -j DROP -p udp --destination-port 22

ipchains:

#!/bin/sh

insmod ipchains

ipchains -F input
ipchains -P input ACCEPT
ipchains -A input -j ACCEPT -p tcp --destination-port 22 -s 1.2.3.4
ipchains -A input -j DENY -p tcp --destination-port 22
ipchains -A input -j DENY -p udp --destination-port 22

Re:interesting comment on how to stop it...

[jsprat]

Before anyone "upgrades" to lsh, here's the README:

This directory contains snapshots of lsh development. lsh is a free
implementation of the ssh protocol.

lsh is far from finished; don't expect these snapshots to compile or
work, and even if they appear to work, beware that lsh currently does
*NOT* provide any security at all.

Re:interesting comment on how to stop it...

[andreas]

This is the README from 1998, talking about a beta version of lsh. Don't let age-old doumentation fool you.

lsh has grown mature since then, and has an excellent code quality. I recommend it. Any day over OpenSSH, after having looked at the code of both projects. Up-to-date documentation, as on the web page, or the README inside the tarball, doesn't contain the warning.

Fixed that ancient LSH README

[Anonymous Coward]

Ooops, I had totally forgotten about that old copy of the README file in the ftp archive. After it was pointed out to me in private mail, I've replaced it with the current README. /Niels (LSH author)

Re:interesting comment on how to stop it...

[Phaid]

Don't forget that compiling your own OpenSSH eeds the updated OpenSSL

Nope. You only need openssl-0.9.6 or later. See the INSTALL doc in the openssh 3.7p1 source.

Re:very early

[Qzukk]

There is a patch, but the server that the advisory referenced on the SANS posting is on went down hard while I was in the middle of getting the page, so I only managed to get part of it (thanks, slashdot!) The advisory also indicated that openSSH 3.7 isn't affected.

Re:very early

[NaugaHunter]

On the other hand, it's good to have the heads up if something might not be as secure as we think it is. This warning gives those who turn it on occasionally the knowledge they need to turn it off if not needed, and not just leave it on.

It also may give those who need it on something to watch for until a patch does come out.

Re:very early

[__past__]

Patches are already available, for example from the FreeBSD CVS web [freebsd.org]. Personally, I'd rather apply it now than waiting for a detailed analysis of the exploit...

Re:very early

[Kaa]

I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

Really?

How about hearing about it when you find your machines rooted?

Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

Re:very early

[s.d.]

Even though there is no patch available (yet)

There is a patch available, as well as it being fixed in 3.7, which was just released this morning. That's the point of all of this. The mention of the bug was in the 3.7 release notes, i believe.

Re:Is ths a hoax?

[technoid_]

You should note that comment came from Darren Reed (of IPFilter fame), who is not a fan of Theo. After the arguements over the IPFilter licensing, a comment like this coming from him doesn't suprise me at all.

technoid

Re:deceit

[agby]

They changed it from 0 to 1 when the last SSH vuln was disclosed. I see no reason that thye wouldn't do it this time. However, it's not afflicting OperBSD anyways...

And as comparison, how many patches do windows users normally need to install over the 'default install' to get it secure and close every hole in the default setup? Methinks slightly more than 1 or 2...

Re:deceit

[danormsby]

Ssh, don't tell anyone.

Re:deceit

[phliar]

This is a bug, not an exploit. There is no known exploit of this bug on OpenBSD. The message on the [Full-Disclosure] list only describes a Denial of Service attack -- flooding the target machines with connections is not ssh's problem.

Besides, what have they "swept under the carpet"? What do you mean "you have probably"?Just because you seem to have something personal with Theo going on, we're supposed to take your word for this "deceit"?

Re:deceit

[mkldev]

Having read the FreeBSD info on this bug, it looks like it isn't possible to exploit it, period.

OpenSSH refuses to allocate a buffer over a certain size, but doesn't set the buffer size value back to its previous value. When this occurs, OpenSSH immediately calls fatal() to clean up and exit. The connection is closed, and the buffer is not reused.

The problem is that the cleanup code will, in some cases, attempt to zero the block at the larger size, resulting in OpenSSH crashing.

Because no data other than zeroes is every written to this buffer after the failed allocation (unless the FreeBSD folks missed something), this bug cannot be exploited except as a denial-of-service attack unless combined with some other exploit that allowed you to overwrite the exception handling vectors and add arbitrary code (in which case, there are probably much easier ways to perform the exploit).

Re:deceit

[Anonymous Coward]

Amazing how a newsworthy point about a ssh bug becomes an attack on an entire operating system and/or person.

"Given that the default install has ssh turned on, will they change it to "two remote holes" ?"

Yes, if they confirm the exploit. They've changed this notice in the past. It went from 0 to 1.

"Lets make some noise and force Theo to finally update that!"

Why? Just to piss off the developers? The openssh code is open and subject to review by anyone.

I think since you didn't catch this bug, we shou

Re:deceit

[Tirel]

Is it? I've successfully exploited my sshd (thank God for easy filtering with PF!)

# dmesg | head -n2
OpenBSD 3.4-current (GENERIC) #62: Tue Sep 12 22:49:18 MDT 2003
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/co mpile/GENERIC

Re:MOD PARENT DOWN

[Syberghost]

A demonstration would be nice.

It'd serve you right if he gave you one. :-)

Re:deceit

[Bull999999]

When did they start putting mySQL in the Linux kernel?

Re:install base

[Minna Kirai]

What a troll. Aiming to trick mods into "Informative", I suppose.

Any "linux user" who has openssh open to the world is a huge dumbass. What part of "firewall rules" don't you understand?

How would you suggest it be configured then? Just turn off remote login entirely? Or what other "firewall rule" could help in this situation?

I assume you are suggesting that people only allow ssh access from a specific, previously-known host. That removes much of ssh's utility (no more checking your system from a laptop in the hotel room), and even that sacrifice is not enough to be protective!

An attacker sniffing packets at your ISP can learn exactly which addresses you accept ssh connections over. Then he can spoof from that same address, and go right through the firewall.

The only way to protect yourself from unwanted outside connections is with correct crypto code.

Re:install base

[ryanvm]

The only really secure server is buried in concrete, unlugged and at the bottom of the deepest trench in the ocean. It's *probably* secure there, but I wouldn't bet my life on it.

That's okay, I will.

I bet this guy's life that a server on the bottom of the ocean is secure.

Re:install base

[arkanes]

It all depends on whats going on. If it's just random messing around and automated scans and whatnot, of course it won't matter that much. But if you're in charge of something important, and someone is specifically targetting you, then you have to be aware of indirect attacks as well as direct ones. Maybe you're locked down as much as you can and you've got your hosts.allow set up correctly, but who knows if your immediate upstream router has unpatched Cisco firmware?

Re:OpenSSH is big and fat

[Tuck]

A significant number of changes in 3.7 are removals (Kerberos 4, Kerberos5 in SSH1, AFS, Rhosts auth). Most people agree that simplicity is a wonderful goal... until that means the dropping (or not including) the feature they need or want. Then simplicity versus functionality versus security becomes a balancing act.

To put the size comment in perspective (this is 3.7p1 on Linux/x86):
$ du -ks /usr/local/sbin/sshd /usr/local/bin/ssh
272 /usr/local/sbin/sshd
224 /usr/local/bin/ssh

Suggestions?

[devphil]

Now we have a big and fat tool that can do nearly everything,

That's right! It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually. Form connections, generate session keys.

Public/private key generation? Different program. Managing keys on a local machine? Different program. Transferring files securely? Different (wrapper) program.

It would have been a better idea to do a small diet and dis-integrate functions into different tools

Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?

Re:Great opportunity.

[Minna Kirai]

I'd love to see some network infrastructure servers done in Ada.

That's a good idea. Time for the Ada-zealots [adahome.com] to "put up or shut up". Those guys never seem to put out much code... and of course they become rarer every day. If their language was really more secure, correct, and easy (yes, they claim that!), then an sshd reimplementation would be a fine demonstration to prove it.

Re:Pot = Kettle = Black

[johnnyb]

None of the rants assumed it couldn't happen.

The nature of _my_ rants at least, include the following:

* UNIX does better at risk minimization (i.e. - chroot jails, more services running as unprivileged users, using processes rather than threads, etc)

* UNIX vulnerabilities are published quickly, and hotfixes are available quickly. In this case, we have a _potential_ vulnerability patched before anyone knows of any way to exploit it. In addition, it made frontpage Slashdot - everyone agrees it's a big deal. This is different from the MS attitude of "sweep it into the next service pack and noone will know".

* I have the source code to the patches, so I can validate whether or not the fix does indeed fix the problem it proposes to, and whether there will be any other impact caused by the patch.

* The patch doesn't require me to reboot anything - I can patch a running system and keep on trucking. Kernel patches should be the only thing that needs a reboot (and, when HURD gets mainstream, we won't even need to then).

* The source code is open to allow more scrutiny. Having the source code available still gives Linux users fewer security-incidents-per-feature than Microsoft while keeping their source closed. Ballmer, I believe, said under oath that giving out the source code to Windows publicly would be a threat to national security.

Nothing about the release of an exploit for Linux changes any of these issues.

Re:Pot = Kettle = Black

[ReelOddeeo]

Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.

The MS rants are well deserved.

While your statement about security bugs can happen on any platform is technically correct, unintended bugs are not the only thing that causes security problems. Both MS and *NIX can have unintentional bugs, which lead to security problems. In this case, MS should not be blamed for "insecure" code.

Where the MS rants are well deserved is when a system is insecure by design. It may not have been a design goal, but the design can still be insecure. Just one past example: IIS runs under the SYSTEM account. It is installed by default and turned on by default. These kinds of problems deserve to be ranted about, and MS deserves the resulting reputation. Apache may or may not be installed and/or turned on by default, depending on distribution, but even if it could be compromised, it runs as "nobody" or "wwwrun" or some other unprivileged account.

Re:Pot = Kettle = Black

[Bull999999]

I think that some people chose to bash Windows while others bash Microsoft as whole. For example, slammer is not a Windows vulnerability but it is a Microsoft product vulnerability. So while it is not fair to bash Windows for slammer, it is fair to bash Microsoft for slammer (esp. for their patch that negated the earlier patch). I guess it is all about how you word it.

Re:Can somebody enlighten me?

[Junta]

Easy, the buffer for a period of time is not as big as the struct indicates. So between the time the buffer size variable is set and the time the realloc is performed, there is a window of opportunity to fill that buffer beyond is alloced boundary if another process/thread goes to put stuff in that buffer at the wrong time.

Also, I'm not sure exactly how 'fatal' the fatal is in there, it could be that it breaks out of the function, but leaves the buffer size parameter at too large a value for the alloc in that buffer.

One or both of those problems is exploitable.

Re:Does this effect Cygwin???

[funkman]

You are already running windows. You have more serious problems.

Re:Ermm.. can anyone say "Microsoft"

[qtp]

It appears that *nix systems now have an exploit

Yep, *nix systems have exploits, and an hour or two turnaround between discovery and a fix. I'd like to see Microsoft match that.

"Linux has no exploits that need patching"

People who actually know Linux would never claim that there are no known exploits, just that the time-to-fix is much shorter and that applying these fixes to running systems is usually much easier (in most distributions) than in a Windows system (ie no reboot required, one location for all necessary fixes, better software package management, etc)

I use Linux and BSD at home, but manage Windows machines at work (I have no decision making power, I'm just a grunt) and I must say that Windows management is a royal pain in the ass. We've had no problems with the recent Windows viruses and worms, but I do spend an inordinate amount of time applying patches, rebooting machines, and checking that the new patches did not wipe out the old ones. I don't think that it is unreasonable for Microsoft's customers to demand better patch/upgrade management, a single location for updates to both applications, servers, and the OS, and a better method for confirming that the files included in a patch contain the all of the required fixes (for that file) even if they came from different departments at microsoft.

Re:Ermm.. can anyone say "Microsoft"

[Overly Critical Guy]

No, it would still be an ssh vulnerability.

Remember, we're supposed to seperate the OS and the apps that have the holes...remember?

Or are we still using the term "Windows hole" when referring to Outlook?

Re:Theo's "Pride"

[perry]

I'm on a couple of the lists that should have been informed. As one example, NetBSD's security officer has received no information from the openssh team at all. I'm unaware of other groups having received official word.

If you are aware of a security team that was informed officially, I'd be interested to hear about it.