[linux-security] openssh root exploit



Topic
=====
local root exploit in openssh

Problem Description
===================
There exists an off-by-one error in all versions of OpenSSH prior to
version 3.1. This could allow an authenticated user to cause sshd to corrupt
its heap, potentially allowing arbitrary code to be executed on the remote
server.  Alternatively, a malicious SSH server could be crafted to attack a
vulnerable OpenSSH client.

It is not clear at this point whether a remote exploit is possible.

Affected Systems
================
openssh versions x with 2.0 <= x < 3.1
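
Added example (not part of the original advisory): a POSIX shell helper that classifies a version banner against the range above. It reads only the upstream version string, so vendor packages with a backported fix, such as the 3.0.2p1 builds listed under Solution, still report as in range and need a package-release check. The function name and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenSSH version string against the advisory's affected
# range (2.0 <= x < 3.1). Prints one of:
#   affected-range  upstream version is inside the range; confirm the
#                   vendor package release before concluding anything
#   not-in-range    upstream version is outside the range
#   unknown         no OpenSSH version could be parsed
classify_openssh() {
    # Extract "major minor" from strings such as "OpenSSH_3.0.2p1",
    # "SSH-2.0-OpenSSH_3.1p1" or "openssh-1.2.3". Anchoring on the
    # product name keeps the protocol version (SSH-2.0-) out of it.
    ver=$(printf '%s\n' "$1" | sed -n \
        's/.*[Oo]pen[Ss][Ss][Hh][_-]\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Split into the function's own positional parameters.
    set -- $ver
    major=$1
    minor=$2

    if [ "$major" -lt 2 ]; then
        echo not-in-range          # 1.x predates the affected range
    elif [ "$major" -eq 2 ]; then
        echo affected-range        # every 2.x release
    elif [ "$major" -eq 3 ] && [ "$minor" -lt 1 ]; then
        echo affected-range        # 3.0.x
    else
        echo not-in-range          # 3.1 and later
    fi
}

# Constructed sample banners, not captured from real hosts.
for banner in \
    'SSH-1.99-OpenSSH_2.9p2' \
    'OpenSSH_3.0.2p1, SSH protocols 1.5/2.0' \
    'SSH-2.0-OpenSSH_3.1p1' \
    'openssh-1.2.3' \
    'SSH-2.0-other_server'
do
    printf '%-42s %s\n' "$banner" "$(classify_openssh "$banner")"
done
```

To check the local client, pass it the output of `ssh -V`, which is written to stderr: `classify_openssh "$(ssh -V 2>&1)"`.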

Solution
========
Upgrade to openssh version 3.1p1.

RedHat 6.x
----------
RedHat 6.x did not come with openssh. As before, I have recompiled the
RedHat 7.0 source rpm for RedHat 6.x. You will find these rpm packages in
the /vol/vol1/distrib/redhat/6.2/contrib directory on sphinx.

rpm -Fvh openssh-3.1p1-1.i386.rpm \
         openssh-clients-3.1p1-1.i386.rpm \
         openssh-server-3.1p1-1.i386.rpm \
         openssh-askpass-3.1p1-1.i386.rpm \
         openssh-askpass-gnome-3.1p1-1.i386.rpm

RedHat 7.0, 7.1
---------------
rpm -Fvh openssh-3.1p1-1.i386.rpm \
         openssh-clients-3.1p1-1.i386.rpm \
         openssh-server-3.1p1-1.i386.rpm \
         openssh-askpass-3.1p1-1.i386.rpm \
         openssh-askpass-gnome-3.1p1-1.i386.rpm

RedHat 7.2
----------
rpm -Fvh openssh-3.1p1-2.i386.rpm \
         openssh-clients-3.1p1-2.i386.rpm \
         openssh-server-3.1p1-2.i386.rpm \
         openssh-askpass-3.1p1-2.i386.rpm \
         openssh-askpass-gnome-3.1p1-2.i386.rpm

Debian 2.2 (potato)
-------------------
Debian 2.2 shipped with openssh-1.2.3, which is not vulnerable.
(However, there are security issues with the ssh-1 protocol, so you may
want to upgrade to a more recent version of openssh nevertheless.)
Debian unstable and testing users should upgrade to version 3.0.2p1-8,
which is patched.

Mandrake 7.1
------------
rpm -Fvh openssh-3.0.2p1-1.7mdk.i586.rpm \
         openssh-clients-3.0.2p1-1.7mdk.i586.rpm \
         openssh-server-3.0.2p1-1.7mdk.i586.rpm \
         openssh-askpass-3.0.2p1-1.7mdk.i586.rpm \
         openssh-askpass-gnome-3.0.2p1-1.7mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh openssh-3.0.2p1-1.6mdk.i586.rpm \
         openssh-clients-3.0.2p1-1.6mdk.i586.rpm \
         openssh-server-3.0.2p1-1.6mdk.i586.rpm \
         openssh-askpass-3.0.2p1-1.6mdk.i586.rpm \
         openssh-askpass-gnome-3.0.2p1-1.6mdk.i586.rpm

Mandrake 8.x
------------
rpm -Fvh openssh-3.1p1-1.1mdk.i586.rpm \
         openssh-clients-3.1p1-1.1mdk.i586.rpm \
         openssh-server-3.1p1-1.1mdk.i586.rpm \
         openssh-askpass-3.1p1-1.1mdk.i586.rpm \
         openssh-askpass-gnome-3.1p1-1.1mdk.i586.rpm