[ale] ssh help?

Michael H. Warfield mhw at wittsend.com
Mon Jan 18 16:43:20 EST 1999


Jim Kinney enscribed thusly:
> I noticed the remote ssh version is 1.2.22 . Try upgrading it to v 1.2.26
> with the patch for the rootshell-breakin problem added. Also double check
> that the newly installed sshd is running. 

	Please check your information...  While there was a problem
uncovered in ssh 1.2.26, it did not relate to the rootshell break-in.
A variety of sources have indicated the rootshell breakin was a password
lamousity (same root password on different systems, one of which got sniffed).
The ssh 1.2.26 buffer overflow problem had to do with kerberos support,
which most of us don't use anyways.  Rootshell originally claimed that the
intruders used ssh to gain access.  This was true.  The implications that
it was a vulnerability in ssh that was exploited was NOT true.  The
intruders had the root password.  Game over.

	Please be very careful about statements like "the patch for the
rootshell-breakin problem".  It causes needless confusion.

	This is the "official" statement from rooshell about the breakin and
about the ssh buffer overflow.  Note that the buffer overflow is in the client
code and would be difficult to exploit for breaking into a server.

] This morning SSH Communications Security LTD. released information about
] a buffer overflow in its ssh 1.2.26 client kerberos code. This
] came as quite a surprise after SSH was very bullish about there being no
] buffer overflows in their code. While it is VERY hard to exploit and
] only works under certain conditions, it is still a valid security hole.
] PLEASE REMEMBER, ROOTSHELL HAS NEVER STATED THAT THE BREAK-IN WE HAD WAS
] FROM A SECURITY HOLE IN SSH.  Anyone who believes otherwise has read too
] far into what we have said. 

	You will note that they are rather defensive and sensitive about
statements that they accused ssh of being the source of the breaking as
meaning there was an ssh exploit.  The attack used ssh the same way telnet
could be used if you had the password.  It was merely the connection, not
the source of the vulnerability.

	BTW...  They, rootshell, have also not acknowledged that it was
a sniffed password that burned them.  That information is derived from
other, outside, sources in the security community.

> James Kinney M.S.Physics		jkinney at emory.edu
> Educational Technology Specialist	404-727-4734
> Department of Physics Emory University	http://teller.physics.emory.edu

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!






More information about the Ale mailing list