[ISN] SSH remote root exploit was released (fwd)

Dave Dittrich dittrich at cac.washington.edu
Wed Feb 21 11:17:44 PST 2001

FYI. Please update your SSH immediately if you haven't done so.

Dave Dittrich Computing & Communications
dittrich at cac.washington.edu Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Wed, 21 Feb 2001 03:34:15 -0600
Subject: [ISN] SSH remote root exploit was released
From: InfoSec News <isn at C4I.ORG>

---------- Forwarded message ----------
Date: Tue, 20 Feb 2001 11:48:39 -0800 (PST)
From: Tom Perrine <tep at SDSC.EDU>
To: sysadmin-L at ucsd.edu, probes-l at ucsd.edu, sdriw-announcements at sdriw.org,
outback2-admin at postal.sdsc.edu, Pat Wilson <paw at ucsd.edu>,
Brian Kantor <brian at ucsd.edu>
Subject: SSH remote root exploit was released


A claimed exploit for the long-rumored SSHD remote root exploit was
released on BUGTRAQ about an hour ago. This is the bug in deattack.c
that allowed a 16-bit numeric overflow :-) (Nobody could do anything
with 16 bits, could they? :-( )

There is followup discussion that seems to indicate that this is a real

This was originally reported through various channels about 6-7 Feb,
and showed up on BUGTRAQ 8 Feb.

There is a claim that Earthlink was "seriously compromised", possibly
via this exploit. See http://www.cotse.com/2152001.html for details.
(This was reported on ISN this morning.)

Try this URL for the BUGTRAQ summary:

BUGTRAQ claims that all these are vulnerable:

OpenSSH OpenSSH 2.2
OpenSSH OpenSSH 2.1.1
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
OpenSSH OpenSSH 1.2.2
SSH Communications SSH 1.2.31
SSH Communications SSH 1.2.30
SSH Communications SSH 1.2.29
SSH Communications SSH 1.2.28
SSH Communications SSH 1.2.27
SSH Communications SSH 1.2.26
SSH Communications SSH 1.2.25
SSH Communications SSH 1.2.24

For SSH-1.2.27, the patch is in deattack.c:

*** deattack.c.orig Wed Feb 14 15:59:25 2001
- --- deattack.c Wed Feb 14 15:59:45 2001
*** 79,85 ****
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
static word16 *h = (word16 *) NULL;
! static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
- --- 79,85 ----
detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
static word16 *h = (word16 *) NULL;
! static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
word32 l;
register unsigned char *c;
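
Review bot: The widening of n to word32 at its declaration in detect_attack() is undocumented and unbounded in the visible lines: h is still a word16 * table while len, i, j and l are word32, so the fix rests entirely on n now matching the width of l. I would add a comment on the declaration saying n must be at least as wide as l, and an explicit upper limit on len at the top of the function so an oversized input is rejected outright instead of depending on the type width. Separately, the header lines that begin with "- ---" carry a leading "- " that patch will not read as context-diff markers; strip that prefix before applying.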

Your mileage may vary. For repairs/workarounds for other versions of SSH,
check the BUGTRAQ notice.

"Patch early, patch often."

--tep

--
Tom E. Perrine (tep at SDSC.EDU) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000
"Libertarianism is what your mom taught you: 'Behave yourself
and don't hit your sister."' - Kenneth Bisson of Angola, Ind.
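
The 16-bit overflow named in the message, and the effect of widening n from word16 to word32, shown as an added example that is not part of the original post or of the SSH sources. The sizing loop, the EX_ constants and the ex_ function names are assumptions made for illustration; only the word16/word32 type change comes from the patch.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t word16;   /* same widths as the types named in the patch */
typedef uint32_t word32;

/* Constructed values for this example, not taken from the SSH sources. */
#define EX_MIN_ENTRIES 4096u
#define EX_ENTRY_SIZE  2u   /* one word16 slot per entry */

/* Hypothetical sizing step: double the entry count until it covers `needed`.
 * The second condition stops the shift before it can wrap a word32. */
static word32 ex_grow(word32 needed)
{
    word32 l = EX_MIN_ENTRIES;
    while (l < needed && l < 0x80000000u)
        l <<= 1;
    return l;
}

/* Pre-patch shape: the count is kept in a word16, so 65536 becomes 0. */
word32 ex_table_bytes_16(word32 needed)
{
    word16 n = (word16) ex_grow(needed);   /* silent truncation */
    return (word32) n * EX_ENTRY_SIZE;
}

/* Patched shape: the count is kept in a word32 and survives intact. */
word32 ex_table_bytes_32(word32 needed)
{
    word32 n = ex_grow(needed);
    return n * EX_ENTRY_SIZE;
}

/* Defensive check: does a computed count fit the narrower type at all? */
int ex_fits_word16(word32 count)
{
    return count <= UINT16_MAX;
}

int main(void)
{
    word32 sizes[] = { 30000u, 40000u };   /* constructed inputs */
    for (int i = 0; i < 2; i++)
        printf("needed=%u  16-bit: %u bytes  32-bit: %u bytes\n",
               (unsigned) sizes[i], (unsigned) ex_table_bytes_16(sizes[i]),
               (unsigned) ex_table_bytes_32(sizes[i]));
    return 0;
}
```

With the 16-bit counter the second input yields a table size of zero while the code still believes it needs 65536 entries; the 32-bit counter keeps the two values in agreement.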


