[linux-security] openssh root exploit
- To: linux-security
- Subject: [linux-security] openssh root exploit
- From: Martin Siegert <siegert@sfu.ca>
- Date: Fri, 8 Mar 2002 20:24:36 -0800
- User-Agent: Mutt/1.2.5.1i
Topic
=====
local root exploit in openssh
Problem Description
===================
There exists an off-by-one error in all versions of OpenSSH prior to
version 3.1. This could allow an authenticated user to cause sshd to corrupt
its heap, potentially allowing arbitrary code to be executed on the remote
server. Alternatively, a malicious SSH server could be crafted to attack a
vulnerable OpenSSH client.
It is not clear at this point whether a remote exploit is possible.
Affected Systems
================
openssh versions x with 2.0 <= x < 3.1
Solution
========
upgrade to openssh version 3.1p1
RedHat 6.x
----------
RedHat 6.x did not come with openssh. As before I have recompiled the
RedHat 7.0 source rpm for RedHat 6.x. You find these rpm packages in
the /vol/vol1/distrib/redhat/6.2/contrib directory on sphinx.
rpm -Fvh openssh-3.1p1-1.i386.rpm \
openssh-clients-3.1p1-1.i386.rpm \
openssh-server-3.1p1-1.i386.rpm \
openssh-askpass-3.1p1-1.i386.rpm \
openssh-askpass-gnome-3.1p1-1.i386.rpm
RedHat 7.0, 7.1
---------------
rpm -Fvh openssh-3.1p1-1.i386.rpm \
openssh-clients-3.1p1-1.i386.rpm \
openssh-server-3.1p1-1.i386.rpm \
openssh-askpass-3.1p1-1.i386.rpm \
openssh-askpass-gnome-3.1p1-1.i386.rpm
RedHat 7.2
----------
rpm -Fvh openssh-3.1p1-2.i386.rpm \
openssh-clients-3.1p1-2.i386.rpm \
openssh-server-3.1p1-2.i386.rpm \
openssh-askpass-3.1p1-2.i386.rpm \
openssh-askpass-gnome-3.1p1-2.i386.rpm
Debian 2.2 (potato)
-------------------
Debian 2.2 shipped with openssh-1.2.3, which is not vulnerable.
(However, there are security issues with the ssh-1 protocol. Thus you may
want to upgrade to a more recent version of openssh nevertheless.)
Debian unstable and testing users should upgrade to version 3.0.2p1-8,
which is patched.
Mandrake 7.1
------------
rpm -Fvh openssh-3.0.2p1-1.7mdk.i586.rpm \
openssh-clients-3.0.2p1-1.7mdk.i586.rpm \
openssh-server-3.0.2p1-1.7mdk.i586.rpm \
openssh-askpass-3.0.2p1-1.7mdk.i586.rpm \
openssh-askpass-gnome-3.0.2p1-1.7mdk.i586.rpm
Mandrake 7.2
------------
rpm -Fvh openssh-3.0.2p1-1.6mdk.i586.rpm \
openssh-clients-3.0.2p1-1.6mdk.i586.rpm \
openssh-server-3.0.2p1-1.6mdk.i586.rpm \
openssh-askpass-3.0.2p1-1.6mdk.i586.rpm \
openssh-askpass-gnome-3.0.2p1-1.6mdk.i586.rpm
Mandrake 8.x
------------
rpm -Fvh openssh-3.1p1-1.1mdk.i586.rpm \
openssh-clients-3.1p1-1.1mdk.i586.rpm \
openssh-server-3.1p1-1.1mdk.i586.rpm \
openssh-askpass-3.1p1-1.1mdk.i586.rpm \
openssh-askpass-gnome-3.1p1-1.1mdk.i586.rpm
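
Added example, not part of the original message: a shell triage function that checks an OpenSSH version banner against the affected range given above (2.0 <= x < 3.1) and accounts for the vendor packages the advisory lists as updates even though their upstream number is below 3.1. The function names and output words are this example's own, and it assumes a patched vendor build still reports its upstream version in the banner.

```shell
#!/bin/sh
# Added example: triage an OpenSSH version against the advisory's
# affected range, 2.0 <= x < 3.1. Names here are hypothetical.

# Vendor version-release strings the advisory names as the update even
# though their upstream version number is still below 3.1.
listed_vendor_update() {
    case "$1" in
        3.0.2p1-8|3.0.2p1-1.7mdk|3.0.2p1-1.6mdk) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_openssh BANNER [PKG_VERSION_RELEASE]
# BANNER: e.g. the output of `ssh -V 2>&1`.
# PKG_VERSION_RELEASE (optional): e.g. from
#   rpm -q --qf '%{VERSION}-%{RELEASE}' openssh
# Prints one of: unknown, below-range, affected, vendor-update, fixed.
classify_openssh() {
    banner=$1
    pkg=${2:-}
    # Pull "major minor" out of the first version-looking token.
    mm=$(printf '%s\n' "$banner" |
         sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
         head -n 1)
    if [ -z "$mm" ]; then
        echo unknown
        return 0
    fi
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -lt 2 ]; then
        echo below-range      # e.g. 1.2.3, which the advisory calls not vulnerable
    elif [ "$major" -eq 2 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 1 ]; }; then
        if listed_vendor_update "$pkg"; then
            echo vendor-update  # in range by number, but listed as the fix
        else
            echo affected
        fi
    else
        echo fixed            # 3.1 and later
    fi
}
```

A host that reports `affected` with no package string supplied may still be running a patched vendor build, so confirm the installed package release before treating it as unpatched.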