[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [linux-security] openssh root exploit: RedHat 6.x
On Fri, Mar 08, 2002 at 08:24:36PM -0800, Martin Siegert wrote:
> Topic
> =====
> local root exploit in openssh
>
> Problem Description
> ===================
> There exists an off-by-one error in all versions of OpenSSH prior to
> version 3.1. This could allow an authenticated user to cause sshd to corrupt
> its heap, potentially allowing arbitrary code to be executed on the remote
> server. Alternatively, a malicious SSH server could be crafted to attack a
> vulnerable OpenSSH client.
>
> It is not clear at this point whether a remote exploit is possible.
>
> Affected Systems
> ================
> openssh versions x with 2.0 <= x < 3.1
>
> Solution
> ========
> upgrade to openssh version 3.1p1
>
> RedHat 6.x
> ----------
> RedHat 6.x did not come with openssh. As before I have recompiled the
> RedHat 7.0 source rpm for RedHat 6.x. You find these rpm packages in
> the /vol/vol1/distrib/redhat/6.2/contrib directory on sphinx.
>
> rpm -Fvh openssh-3.1p1-1.i386.rpm \
> openssh-clients-3.1p1-1.i386.rpm \
> openssh-server-3.1p1-1.i386.rpm \
> openssh-askpass-3.1p1-1.i386.rpm \
> openssh-askpass-gnome-3.1p1-1.i386.rpm
These packages listed above for RedHat 6.x do not work, if you need to
support protocol 1 of ssh (ssh-1). RedHat 6.x comes with openssl-0.95a
which seems to be incompatible with openssh-3.1p1 (despite a patch that
RedHat provides that was supposed to solve these problems - it doesn't).
Therefore, I have patched openssh-2.9p2-11.6.x (the previous version that
was provided in /vol/vol1/distrib/redhat/6.2/contrib on sphinx) against
this new root exploit and provide this patched version as openssh-2.9p2-12.6.x
in the 6.2/contrib directory. This version does provide working ssh-1
support for, e.g., TeraTerm/SSH and NiftyTelnet/SSH clients. If you need
that I recommend to install the patched 2.9p2 rpm packages. These packages
are patched against all known security exploits.
Upgrade information:
rpm -Fvh openssh-2.9p2-12.6.x.i386.rpm \
openssh-clients-2.9p2-12.6.x.i386.rpm \
openssh-server-2.9p2-12.6.x.i386.rpm \
openssh-askpass-2.9p2-12.6.x.i386.rpm \
openssh-askpass-gnome-2.9p2-12.6.x.i386.rpm
If you have already installed the buggy 3.1p1 packages, you must force the
"upgrade". First find all the openssh packages that you have installed:
rpm -qa | grep openssh
Then install only those packages that were listed by that command, e.g.,
rpm -Uvh --force openssh-2.9p2-12.6.x.i386.rpm \
openssh-clients-2.9p2-12.6.x.i386.rpm \
openssh-server-2.9p2-12.6.x.i386.rpm