
Re: [linux-security] openssh root exploit: RedHat 6.x



On Fri, Mar 08, 2002 at 08:24:36PM -0800, Martin Siegert wrote:
> Topic
> =====
> local root exploit in openssh
> 
> Problem Description
> ===================
> There exists an off-by-one error in all versions of OpenSSH prior to
> version 3.1. This could allow an authenticated user to cause sshd to corrupt
> its heap, potentially allowing arbitrary code to be executed on the remote
> server.  Alternatively, a malicious SSH server could be crafted to attack a
> vulnerable OpenSSH client.
> 
> It is not clear at this point whether a remote exploit is possible.
> 
> Affected Systems
> ================
> openssh versions x with 2.0 <= x < 3.1
> 
> Solution
> ========
> upgrade to openssh version 3.1p1
> 
> RedHat 6.x
> ----------
> RedHat 6.x did not come with openssh. As before I have recompiled the
> RedHat 7.0 source rpm for RedHat 6.x. You find these rpm packages in
> the /vol/vol1/distrib/redhat/6.2/contrib directory on sphinx.
> 
> rpm -Fvh openssh-3.1p1-1.i386.rpm \
>          openssh-clients-3.1p1-1.i386.rpm \
>          openssh-server-3.1p1-1.i386.rpm \
>          openssh-askpass-3.1p1-1.i386.rpm \
>          openssh-askpass-gnome-3.1p1-1.i386.rpm

The packages listed above for RedHat 6.x do not work if you need to
support protocol 1 of ssh (ssh-1). RedHat 6.x comes with openssl-0.95a,
which seems to be incompatible with openssh-3.1p1 (despite a patch that
RedHat provides that was supposed to solve these problems - it doesn't).
Therefore, I have patched openssh-2.9p2-11.6.x (the previous version that
was provided in /vol/vol1/distrib/redhat/6.2/contrib on sphinx) against
this new root exploit and provide this patched version as openssh-2.9p2-12.6.x
in the 6.2/contrib directory. This version does provide working ssh-1
support for, e.g., TeraTerm/SSH and NiftyTelnet/SSH clients. If you need
that, I recommend installing the patched 2.9p2 rpm packages. These packages
are patched against all known security exploits.

Upgrade information:

rpm -Fvh openssh-2.9p2-12.6.x.i386.rpm \
         openssh-clients-2.9p2-12.6.x.i386.rpm \
         openssh-server-2.9p2-12.6.x.i386.rpm \
         openssh-askpass-2.9p2-12.6.x.i386.rpm \
         openssh-askpass-gnome-2.9p2-12.6.x.i386.rpm

If you have already installed the buggy 3.1p1 packages, you must force the
"upgrade". First find all the openssh packages that you have installed:

rpm -qa | grep openssh

Then install only those packages that were listed by that command, e.g.,

rpm -Uvh --force openssh-2.9p2-12.6.x.i386.rpm \
                 openssh-clients-2.9p2-12.6.x.i386.rpm \
                 openssh-server-2.9p2-12.6.x.i386.rpm
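As an added illustration of the "list what is installed, then force-install only those" procedure above (this is my own script, not part of the mail), a small POSIX sh helper that flags openssh packages whose version falls in the affected 2.0 <= x < 3.1 range, treats the backported openssh-2.9p2-12.6.x as patched, and maps installed package names to the matching 2.9p2-12.6.x rpm filenames. The `rpm -qa | grep openssh` output below is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa | grep openssh` on a RedHat 6.x box that
# already took the 3.1p1 packages (example data, not from the advisory).
SAMPLE_QA='openssh-3.1p1-1
openssh-clients-3.1p1-1
openssh-server-3.1p1-1'

# Extract "major.minor" from an rpm package name such as
# openssh-server-2.9p2-11.6.x  ->  2.9   (prints nothing if unparseable)
openssh_majmin() {
  printf '%s\n' "$1" | sed -n 's/^[a-z-]*-\([0-9]*\.[0-9]*\).*$/\1/p'
}

# Return 0 if the package is in the affected range 2.0 <= x < 3.1,
# 1 if it is outside the range or is the patched 2.9p2-12.6.x build,
# 2 if the version could not be parsed.
openssh_is_affected() {
  case $1 in
    openssh*-2.9p2-12.6.x) return 1 ;;   # backported fix from the mail
  esac
  mm=$(openssh_majmin "$1")
  [ -n "$mm" ] || return 2
  major=${mm%.*}
  minor=${mm#*.}
  if [ "$major" -eq 2 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 1 ]; }; then
    return 0
  fi
  return 1
}

# Given `rpm -qa | grep openssh` output, print the 2.9p2-12.6.x rpm filename
# for each installed package, so only packages actually present get
# force-installed (feed the result to: rpm -Uvh --force <files>).
downgrade_rpm_list() {
  printf '%s\n' "$1" | while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    name=$(printf '%s\n' "$pkg" | sed 's/-[0-9].*$//')   # strip version-release
    printf '%s-2.9p2-12.6.x.i386.rpm\n' "$name"
  done
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_QA" | while IFS= read -r pkg; do
  if openssh_is_affected "$pkg"; then echo "AFFECTED: $pkg"; else echo "ok: $pkg"; fi
done
echo "rpm files to force-install:"
downgrade_rpm_list "$SAMPLE_QA"
```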