[lug] SSH Vulnerability

D. Stimits stimits at idcomm.com
Fri Feb 9 11:27:27 MST 2001


"Scott A. Herod" wrote:
> 
> Hi Nate,
> 
> Just saw that.  How does one interpret the patch by hand?
> 
>   --- deattack.c.orig     Wed Feb  7 13:53:47 2001
>   +++ deattack.c  Wed Feb  7 13:54:24 2001
>   @@ -79,7 +79,7 @@
>    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
>    {
>      static word16  *h = (word16 *) NULL;
>   -  static word16   n = HASH_MINSIZE / HASH_ENTRYSIZE;
>   +  static word32   n = HASH_MINSIZE / HASH_ENTRYSIZE;
>      register word32 i, j;
>      word32          l;
>      register unsigned char *c;
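
Review bot: the widening of `n` to `word32` covers only the declaration shown in this hunk; the hunk does not show where `n` is assigned from or compared against the other length-derived values, which are all `word32` in the context lines (`len`, `l`, `i`, `j`), so confirm that every use of `n` (sizing the `h` table and bounding its indices) now carries a value above 65535 without truncation, and that the initial `HASH_MINSIZE / HASH_ENTRYSIZE` still fits. With the old `word16` declaration any assignment of a 32-bit count to `n` silently kept only the low 16 bits, which is the defect this one-line change removes.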
> 
> This means replace the "static word16" with "static word32", correct?

I don't know if the fix is valid, but that is the meaning of the patch.
It is fairly typical to attack via overflow of some value, and
increasing the size of something to hold more is a typical workaround.

> 
> Do you trust the razor.bindview.com website?  There's nothing so
> far on www.cert.org or www.nipc.gov.
> 
> Scott
> 
> Nate Duehr wrote:
> >
> > Slashdot and other sources are reporting that there is a new published
> > exploit for pretty much all versions of SSH, not including OpenSSH
> > 2.4.0.
> >
> > The page below also details various vendor responses with F-Secure being
> > the worst.  (No response at all so far back to the reporting party.)
> >
> > Here's the people reporting it:
> >
> > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> >
> > --
> > Nate Duehr <nate at natetech.com>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
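
As an added illustration (not code from this thread or from ssh's deattack.c), a constructed C model of why widening `n` from `word16` to `word32` matters; the `HASH_*` values and the way `n` grows from a length-derived entry count `l` are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t word16;
typedef uint32_t word32;

/* Names as in the patch; the values are assumed for this model. */
#define HASH_MINSIZE   8192
#define HASH_ENTRYSIZE 2

/* Constructed model (an assumption, not the real deattack.c logic): the
 * table size n grows to a length-derived entry count l once l exceeds it.
 * With the '-' declaration n is a word16, so the assignment keeps only the
 * low 16 bits of l. */
word32 n_after_grow_word16(word32 l)
{
    word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;   /* starts at 4096 */
    if (l > n)
        n = (word16) l;                         /* truncates when l >= 65536 */
    return n;
}

/* Same model with the '+' declaration: n keeps the full 32-bit value. */
word32 n_after_grow_word32(word32 l)
{
    word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    if (l > n)
        n = l;
    return n;
}

/* The check a reviewer wants: does a table of n entries cover every index
 * that l can reach? Returns 1 if yes, 0 if the table would be undersized. */
int table_covers(word32 n, word32 l)
{
    return n >= l;
}

int main(void)
{
    word32 l = 65536;   /* constructed sample: smallest count that truncates */
    word32 n16 = n_after_grow_word16(l);
    word32 n32 = n_after_grow_word32(l);
    printf("l=%u word16 n=%u covers=%d\n", l, n16, table_covers(n16, l));
    printf("l=%u word32 n=%u covers=%d\n", l, n32, table_covers(n32, l));
    return 0;
}
```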
