[lug] Openssh exploit
Neal McBurnett
neal at bcn.boulder.co.us
Fri Mar 8 10:43:01 MST 2002
On Thu, Mar 07, 2002 at 10:42:48AM -0700, Scott A. Herod wrote:
> A root exploit to Openssh was just announced. www.openssh.org
> has new rpms. The exploit is reported as local only
>
> http://www.openbsd.org/advisories/ssh_channelalloc.txt
>
> Scott
This "remote" vs "local" distinction is confusing in this case.
The bottom line is that if someone has ssh access to any machine that
is connected, transitively over time, with your machine, your machine
could be at their disposal if they do a series of attacks.
Here is a better description:
Joost Pol discovered an off-by-one bug in a routine in the openssh
code for checking channel IDs. This bug can be exploited on the
remote side by an already authenticated user, qualifying this bug
as a local security vulnerability, and on the local side if a
malicious server attacks the connected client, qualifying this bug
as a remote vulnerability. If the error is being exploited, it
leads to arbitrary code execution in the process under attack
(either a local ssh client, attacking the userID of the client
user, or a remote secure shell daemon that has an authenticated
user session running, attacking the root account of the remote
system).
Please note that the possible attack scenario is different from
the usual attack scheme because "local vulnerability" refers to
the remote side and vice versa.
There is no temporary workaround for this bug. If you comply to
the following two conditions, the impact of the error is
considerably small:
1) You only connect to hosts that you consider fully trusted
and not compromised.
2) The users that connect to your servers are fully trusted
(the users have root access, for instance).
Neal McBurnett <neal at bcn.boulder.co.us>
http://bcn.boulder.co.us/~neal/
GPG/PGP signed and/or sealed mail encouraged. Keyid: 2C9EBA60
More information about the LUG
mailing list