Contributed by jose on from the busy-day-for-things dept.
cron writes: "The errata page is updated with the patch for pre OpenSSH 3.7."
And zeronetl writes: "Just finished upgrading to OpenSSH 3.7 and refreshed http://www.openssh.org/openbsd.html ..."
A second version of the buffer handling advisory is out, which includes patches to bring 3.7 up to 3.7.1, as well. Make sure you're upgraded and protected against this vulnerability.
By RC () on
3.7.1>
By grey () on
Presumably, if and when an exploit does surface publicly, it will employ techniques to circumvent ProPolice, W^X, and whatever other protections might potentially get in the way. If it doesn't, then either those protections are not applicable, or they are ineffective defense mechanisms against whatever this to-be-leaked/published exploit happens to do.
Still need to wait and see.
By RC () on
http://www.deadly.org/article.php3?sid=20020826013453
By RC () on
So, at the very least, it looks very likely that the portable version of OpenSSH has a root bug.
By coward () on
OpenBSD doesn't have a security track record; individual pieces of it do (ditto for other OSs). When looked at this way, you realize that what you claim as OpenBSD's is effectively that of OpenSSH, which happens to be the same then for all other OSs using it, making the whole 'mine is bigger than yours' claim meaningless. So much for why the 'Theo-haters' need not care about your petty claim. As for your insinuation about altering exploit dates to make it appear older than it is, no need to do that; there are enough hacklogs for a year at least that will prove otherwise (should someone actually be that silly to release those too, that is).
By Anonymous Coward () on
Hacklogs would certainly be interesting, but they seem to be as elusive as this exploit. If you are so sure there is an exploit that works against OpenBSD, and you aren't a 'Theo-hater', then give us the proof. I'll cheerfully admit the exploit-claiming posters were giving an honest warning, as opposed to being trolling pieces of shit. My money is on no such proof showing up 'soon', while the number of empty claims of an OpenBSD exploit will steadily increase.
By pravus () on
pure bunk. if there are other serious flaws in the system, get them public and get them fixed. there is absolutely no reason why anyone should keep this information private.
By Anonymous Coward () on
1. you work for a company/government agency and your contract/oath binds you to remain silent (potentially for life).
2. you are a blackhat and the last thing you want is such bugs go public and get fixed.
capito?
By vincent- () on
how come they haven't developed a secure operating system yet, since they're so good at finding exploitation paths? (no sarcasm here; some publicly known techniques are incredibly clever, and I would guess the secret ones are even better)
or are they all running a mainstream OS with shitloads of patches in?
By Anonymous Coward () on
As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?
By chill () on
The "hack" was a previously unreleased but long-standing vuln in the deep heart of Solaris. It affected, if I remember correctly, at least 2.6 - 8.
IIRC, the vuln also allowed access to "Trusted Solaris" versions. PrivSep didn't help.
In short, this is one example of a root-level vuln in what was thought to be, and IIRC about the effect on Trusted Solaris, GOVERNMENT CERTIFIED secure systems, publicly unknown yet exploited by the bad guys long before the light of day.
By gwyllion () on
Read http://lsd-pl.net/argus.html
By chill () on
From the Argus website... (http://www.argus-systems.com/events/infosec/)
LSD became aware of a vulnerability in x86 operating systems through a posting to the NetBSD advisory (that vulnerability was not discovered by LSD). LSD was able to use that vulnerability to create a kernel level vulnerability in the base Solaris x86 operating system that was running on the system that Argus had deployed for the hacking challenge. The vulnerability exploited by LSD relates specifically to operating system implementations supporting the x86 architecture. In addition to Solaris for x86, the vulnerability may affect other operating systems that support the x86 architecture. This vulnerability had not previously been posted on Solaris bug tracking web sites or mailing lists, and to the best of our knowledge no patch was or is presently available to correct this vulnerability.
By Anonymous Coward () on
Of course there are other O.S.'s with impressive security records. NetBSD doesn't even start up ssh by default, FreeBSD has some great security records as well, and so do many Linux distros. I don't really keep track of which O.S. has "the best record"; I don't really care. I know how to admin a box and feel comfortable enough in my skills that I don't make a decision based on security track record. I do make a decision on what is best for the job at hand.
The thing about it is this. Theo and the group aren't taking over the world with damn OpenBSD. It's a pretty finite group of people running it, there might be a few thousand people running OpenBSD, lots of people in the I.T. industry aren't even aware that OpenBSD exists.
All that to say this. The claim is a relatively small thing in the overall scheme. There's no reward for finding a hole in OpenBSD, like some other apps....
By Anonymous Coward () on
Oh, bullshit. Damn stupid troll.
Either you've been overly selective, or you're new here, or you're just a freakin idiot. Most people here know Debian has had a good track record. Compared to the other Linuxes, the other free BSDs are better with their security concerns.
But to suggest with sleight of hand that those OSs are as good as OBSD, you've got to be kidding. On the FreeBSD-announce list, there was a comment last year or so about how they were going to break their security announcement record for bug fixes. Now, this isn't due to incompetency on their part and depended heavily on the fact that they were preparing for or fixing a new release, but to say OBSD is at fault for someone else's lack of popularity in the security field, that's just silly.
"- i take it you're not a core OpenBSD developer either."
What's that have to do with it? You're saying pride is an anti-security measure? The developers know what they are talking about.
"What you don't see however is these systems bragging about it,"
Because they don't have the track record to prove it. Even bugtraq emails with comparative analysis to other OSs a couple of years back indicated OBSD was top notch. (The other OS was Apple's.) That was wholly independent of any core developer or the OBSD effort.
Even anecdotal studies where random bits of info is just thrown at code showed OBSD to be more stable under those conditions.
You sound like the whiny idiot that bitches about how some rich guy who bought a BMW is rubbing it in your face how rich he is because he drives his car to work.
btw, if you compare the OBSD developers and community to the Linux community, holy hell, the OBSD community pales in comparison to the flaunting over their code.
"and for that matter, the OpenBSD claim is wrong too (the claim is not consistent with reality, for example, they want a publicly released exploit before considering it as a 'remote hole in the default install' whereas nowhere does the claim state that condition)."
Uhh, this policy is well known. It's been discussed on public forums, in mailing lists, on the O'Reilly web pages....how much more public do you need it to be?
It's policy. If you don't understand that policy, you ask. If you don't receive clarification, that's a different matter, but you don't even ask.
And not to mention, it's called common sense. I don't consider a hole in a Win98 release to count as a bug if MS has a patch 6 months after release and an exploit is found 12 months later. One of the reasons why I think MS got a bad rap with Slammer (in that instance) is because they had a patch; people didn't update.
Such a policy is not only professional, it's sane. It's called a standard of claim. At least OBSD cares to have one.
"The only 'trolling' i've seen recently has all been questioning the effectiveness of certain 'new' OpenBSD developments, i have not seen a single technical (let alone correct) counter-argument to those, have you?"
Yes, because I actually read the posts.
"As for not giving out an exploit, have you considered that it may contain techniques that would highlight other, more general shortcomings in your system and therefore are not destined to see the light of the day just now? Or it may make use of another (or more) yet-to-be-discovered bugs that are better not made public?"
Ahh, yes. The standard claim of the "what if", "what do I have under the sheet" (don't worry, mine is larger than yours), the passing of the hand over the Ouija board.
Sorry, magic tricks are for kids. You have revealed to me that you're utterly incompetent. You come off like a high schooler or someone with little real world experience.
Security is a concept which then is attempted to take form through procedure, policy, and execution. While it has real world impact, a near fundamental basic security understanding is that your system, no matter how secured, is at risk.
For you to wave your hands about the possibilities of something without substance means little. I too could complain that there is some security hole in Linux, FreeBSD, NetBSD, MacOS X, and XP because I *think* it's there.
And you know what? I'm probably right--there is probably one. You may be too. But until PROOF is given, it's a matter of conjecture and faith. Sorry, the latter I would prefer to hand over to those in philosophy and religion than debate on a computer forum.
In order to have a discussion, you need concrete fact. Evidence. Show me the money, fool. Anyone can point and say the sky is falling.
And you know what? Such code has yet to be shown.
So until you've seen that specialized exploit code, you're talking out of your ass with the suggestion of what *might* be there. Hell, there *might* be evidence of weapons of mass destruction embedded in the exploit code too. There *might* be an embedded binary pic of a gorgeous girl that would blow your mind and make you go straight. There *might* be a code tidbit to end this discussion of whether such code makes OBSD rootable.
But until it is shown, in the security world, your paranoias are your own. Don't lay them on someone else.
By Anonymous Coward () on
1. "Oh, bullshit. Damn stupid troll."
very intelligent, to the point, full of undeniable and verifiable facts. no. you my friend show the typical symptoms of the faithful OpenBSD follower. you provide no evidence to your claims (more below), you merely parrot what others have told you and that you blindly believed. those pesky beliefs, how dare they shatter!
would you show me the freakin' idiot why other systems are not as good as OpenBSD is (presumably you meant their security track record)? to make it an apples-to-apples comparison, take the same configuration of each (say that of the default install of OpenBSD) and show my why one is better than the other.
2. "but to say OBSD is at fault for somone else's lack of popularity in the security field, that's just silly"
who were you quoting there exactly? putting words into my mouth, eh? besides i'd like to see your FACTS that show the popularity of OpenBSD (and others' lack of it) in the 'security field' (whatever that means). extraordinary claims require extraordinary proof, right?
3. "You're saying pride is an anti-security measure? The developers know what they are talking about."
pride presumes something to be proud of, you have yet to show it exists (see above). and as for what the OpenBSD developers know... well, i've seen enough of it ;-), read last month's little thread on bugtraq to see how many times Theo was proven wrong. here's a new one though (before i get accused of not being technical enough): would you mind asking your all-knowing developers (i don't think you will even understand the question itself let alone be able to answer it) why the TSB had to be duplicated for the non-exec pages support on sparc (vs. merely the extra check in the ITLB load handler)? hint: it did not.
4. "the OBSD community pales in comparison to the flaunting over their [linux community's] code."
any evidence or have you just - as you put it yourself so politely - been talking out of your ass?
5. "how much more public do you need it to be"
uhm, how about putting it into the page making the claim itself? at least something like: 'x publicly known remote hole in the default install'? that's not so much to add, is it?
6. "If you don't receive clarification, that's a different matter, but you don't even ask."
talking out of your ass again or you know something i don't?
7. "I don't consider a hole in Win98 release to count as a bug if MS has a patch 6 months after release and an exploit is found 12 months later."
that's your personal preference; i don't think the rest of the world shares it with you (if you think they do, show the evidence). also, would you mind answering why the date of finding an exploit in public matters? i mean, how does it make a bug/exploit any less dangerous? or are you telling me that just because the last public ssh exploit was released after the bug had been fixed ENSURES that no one in the world had had (let alone used) it before?
8. "Yes, because I actually read the posts."
me too, but i failed to find the content you did; care to be more explicit here? maybe we can finally discuss the technical details instead of your silly posturing.
9. "You have revealed to me that you're utterly incompetent."
i don't think i revealed much, at most asked questions that apparently had never crossed other people's mind - hardly my fault. also, where exactly lies my supposed incompetency and how did you manage to derive this from those two questions?
10. "But until PROOF is given, it's a matter of conjecture and faith. Sorry, the latter I would prefer to hand over to those in philosophy and religion than debate on a computer forum."
you may not realize, let alone agree with it, but this was actually the only sensible comment of yours here. and you know, you've made enough unsubstantiated statements yourself now that it's really high time you proved them; after all, you wouldn't want us mere mortals to take your words at face value (faith?) 'on a computer forum', would you?
11. "And you know what? Such code has yet to be shown."
correct/agreed, but you're wrong on "until it is shown, in the security world, your paranoias are your own". first, it's not my paranoia (because i know things, vs. you who doesn't yet know whether to believe them or not), second, in the 'security world' i know only the paranoid survives (to paraphrase Mr. Grove), the rest gets rooted, sooner than later. which group do you belong to? and how do you know? or all you have is faith that you do/do not [get rooted]...?
By Anonymous Coward () on
"Deadly DOT org troll was here!"
No, no, seriously, you should do that.
By Anonymous Coward () on
ssh -V does the trick. if so, you are good to go.
By sequel () sequel@neofreak.org on mailto:sequel@neofreak.org
on I386...
gss-serv-krb5.o: Undefined symbol `_gss_krb5_copy_ccache' referenced from text segment
Work if i diable Kerberos5
-->#KERBEROS5=no make
Still have to try on my SPARC boxes to see if it's the same...
By sequel () sequel@neofreak.org on mailto:sequel@neofreak.org
diable~=disable
By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net
"If you are installing OpenSSH 3.7.1 on OpenBSD 3.3 or older, you need the following patch:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd3x_3.7.1.patch."
By sequel () sequel@neofreak.org on mailto:sequel@neofreak.org
I was thinking patch was only needed for <3.7
Thanks! 3.7
By Anonymous Coward () on
definitely have to move to 3.4
By sequel () sequel@neofreak.org on mailto:sequel@neofreak.org
Surely you will tell me that it can compile without patch on CURRENT but...
Anyway the patch is named openbsd3x_3.7.1.patch so in theory it could apply to 3.4 as well...
By jose () on http://monkey.org/~jose/
Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/017_sshbuffer.patch
Patch for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/004_sshbuffer.patch
The new version of the patch begins with the following line:
NOTE: this is the second revision of this patch
By X () on
we wrote the exploit and it was only known to my girls...
By Anonymous Coward () on
course, I'm never gonna use my sploits on a live sys, cause I don't want to get found out
By gwyllion () on
Finally some real proof! I hope this gets reverse engineered quite fast, so we can know how the bug gets exploited. This exploit seems to have existed since the beginning of August.
By gwyllion () on
Read http://marc.theaimsgroup.com/?l=full-disclosure&m=106393327727149&w=2
By Anonymous Coward () on
According to that advisory, even 3.7.1 is vulnerable. And not to just a Denial of Service, but a full-blown arbitrary code execution. Even the famous Solar Designer confirmed it and found 4 additional holes.
I'm not trying to FUD about the crappiness of OpenSSH, unlike some other anonymous cowards, but that advisory scares the shit out of me.
By gwyllion () on
2003/09/17 Package: openssh
SECURITY FIX Severity: medium, remote, active
Multiple memory management errors have been discovered in OpenSSH, and this update corrects 6 such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions. At this time, it is uncertain whether and which of these bugs are exploitable. If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account. Reference:
http://www.openssh.com/txt/buffer.adv
I included solar's patch in an email to bugs@openbsd.org: http://marc.theaimsgroup.com/?l=openbsd-bugs&m=106381378820034&w=2
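The Owl changelog quoted above describes the bug class behind the buffer advisory: memory management errors around realloc() in a growable buffer. As an added illustration, not OpenSSH's buffer.c and not code from any poster here, this is a small growable byte buffer whose append path does the two things such code must do: refuse a request that would push the buffer past a hard cap (computed without size_t overflow) and check every realloc() result so the old allocation is never lost or dereferenced through a NULL pointer. The type and function names, and the 1 MiB cap, are made up for the example.

```c
/* Added example of a bounded growable buffer; not OpenSSH code.
 * Names (growbuf, growbuf_append_space, BUF_MAX_LEN) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <assert.h>

#define BUF_MAX_LEN (1024u * 1024u)   /* constructed hard cap for the example */

struct growbuf {
    unsigned char *data;
    size_t len;     /* bytes in use */
    size_t alloc;   /* bytes allocated */
};

void growbuf_init(struct growbuf *b)
{
    b->data = NULL;
    b->len = 0;
    b->alloc = 0;
}

void growbuf_free(struct growbuf *b)
{
    free(b->data);
    growbuf_init(b);
}

/* Make room for n more bytes. Returns 0 on success and -1 if the request
 * would exceed BUF_MAX_LEN, overflow size_t, or realloc() fails. On failure
 * the existing contents and allocation are left untouched. */
int growbuf_append_space(struct growbuf *b, size_t n)
{
    size_t need, newalloc;
    unsigned char *p;

    /* Overflow-safe cap check: never compute b->len + n before knowing it fits. */
    if (n > BUF_MAX_LEN || b->len > BUF_MAX_LEN - n)
        return -1;
    need = b->len + n;
    if (need <= b->alloc)
        return 0;

    /* Grow geometrically, but never past the cap. */
    newalloc = b->alloc ? b->alloc : 64;
    while (newalloc < need) {
        if (newalloc > BUF_MAX_LEN / 2) {
            newalloc = BUF_MAX_LEN;
            break;
        }
        newalloc *= 2;
    }

    p = realloc(b->data, newalloc);
    if (p == NULL)
        return -1;   /* b->data is still valid: no leak, no dangling pointer */
    b->data = p;
    b->alloc = newalloc;
    return 0;
}

int growbuf_append(struct growbuf *b, const void *src, size_t n)
{
    if (growbuf_append_space(b, n) != 0)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Feed fixed-size chunks (constructed input) until the buffer refuses one;
 * returns how many chunks were accepted. */
size_t feed_until_refused(size_t chunk, size_t max_chunks)
{
    struct growbuf b;
    unsigned char *chunkbuf = malloc(chunk);
    size_t i;

    if (chunkbuf == NULL)
        return 0;
    memset(chunkbuf, 'A', chunk);
    growbuf_init(&b);
    for (i = 0; i < max_chunks; i++)
        if (growbuf_append(&b, chunkbuf, chunk) != 0)
            break;
    free(chunkbuf);
    growbuf_free(&b);
    return i;
}

int main(void)
{
    struct growbuf b;
    growbuf_init(&b);
    printf("huge request refused: %d\n", growbuf_append_space(&b, SIZE_MAX) == -1);
    printf("chunks of 1024 accepted before cap: %zu\n", feed_until_refused(1024, 4096));
    growbuf_free(&b);
    return 0;
}
```

With a 1 MiB cap, exactly 1024 chunks of 1024 bytes are accepted and the 1025th is refused cleanly instead of growing the allocation without limit; a request of SIZE_MAX is rejected by the cap check before any arithmetic can wrap.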
By markus () on
http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000117.html
By gwyllion () on
http://marc.theaimsgroup.com/?l=full-disclosure&m=106397699029850&w=2
By Niklas () fagnik@spray.se on mailto:fagnik@spray.se
And only ssh was open to the world.
Of course I can't prove this, I don't have an exploit. I haven't asked my ISP for logs yet. And the only thing I can show is a _badly_ modified ssh client which I claim had to be modified between Sep 16 01:00 GMT+2 and 14:00 GMT+2.
Why? Because I run ssh regularly in my backup script and was working on it the evening/night before.
But I can't show anything except for a rooted 3.3 box.