[lug] SSH Vulnerability

D. Stimits stimits at idcomm.com
Mon Feb 12 13:34:36 MST 2001


This is another mysterious failure message. I don't know what part got
through to where. It seems somewhat like mail sent from BLUG that
bounces going to an individual is being sent to me as well. Very
strange.


postmaster at mail.penton.com wrote:
> 
> Delivery Failure Report
> 
>  Your          Re: [lug] SSH Vulnerability
>  document:
> 
>  was not       pjanett at healthwell.com
>  delivered to:
> 
>  because:      Host connect failed - destination host not responding
> 
> 
>    SFA_Notes4/Penton, SFA_Notes4/Penton, SFA_Notes4/Penton.mail.penton.com(SMTP,
>    SFA_Notes4/Penton
> 
>                             ________________________
> 
> To:       lug at lug.boulder.co.us
> cc:
> From:     SFA_Notes4/Penton
> Date:     02/09/2001 11:29:03 PM GMT
> Subject:  Re: [lug] SSH Vulnerability
> 
> "Scott A. Herod" wrote:
> >
> > Hi Nate,
> >
> > Just saw that.  How does one interpret the patch by hand?
> >
> >   --- deattack.c.orig     Wed Feb  7 13:53:47 2001
> >   +++ deattack.c  Wed Feb  7 13:54:24 2001
> >   @@ -79,7 +79,7 @@
> >    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
> >    {
> >      static word16  *h = (word16 *) NULL;
> >   -  static word16   n = HASH_MINSIZE / HASH_ENTRYSIZE;
> >   +  static word32   n = HASH_MINSIZE / HASH_ENTRYSIZE;
> >      register word32 i, j;
> >      word32          l;
> >      register unsigned char *c;
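Review bot: the `static word32 n` declaration in `detect_attack` should carry a comment saying why `n` has to be 32 bits wide. Nothing in the hunk records the reason, and a one-word type change like this is easy to undo by accident later. The parameter `len` and the locals `l`, `i` and `j` are all `word32`, so under the old `word16 n` any assignment from one of them could be truncated to 16 bits. A short comment above the declaration, stating that `n` is deliberately kept the same width as those variables, would document that. `h` is still declared `word16 *`, so the part of the function outside this hunk should be checked to confirm that whatever is stored through `h` still fits in 16 bits.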
> >
> > This means replace the "static word16" with "static word32", correct?
> >
> > Do you trust the razor.bindview.com website?  There's nothing so
> > far on www.cert.org or www.nipc.gov.
> >
> > Scott
> >
> > Nate Duehr wrote:
> > >
> > > Slashdot and other sources are reporting that there is a new published
> > > exploit for pretty much all versions of SSH, not including OpenSSH
> > > 2.4.0.
> > >
> > > The page below also details various vendor responses with F-Secure being
> > > the worst.  (No response at all so far back to the reporting party.)
> > >
> > > Here are the people reporting it:
> > >
> > > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> > >
> > > --
> > > Nate Duehr <nate at natetech.com>
> 
> FYI, I looked at the deattack.c patch posted at:
> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> 
> And compared one portion of that file (deattack.c) to the "portable"
> source distributed at a USA mirror listed by www.openssh.org, and found
> one of the patch changes had been applied (for version 2.3.0p1). I did
> not check if all changes listed were applied, but the 2.3.0p1 that I
> have does use at least part of the patch listed. So at least some
> portion of this published patch is accepted for 2.3.0p1.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug


