Recent breakins / SSHD root hole?

nuuB _nuub at yahoo.com
Sat Jun 2 19:26:38 EST 2001


The trojaned ssh client is nothing new to the hacker community, and the
statement in the previous thread claiming

"This type of man-in-the-middle attack (trojaned ssh) is not theoretical
anymore, and password authentication is broken."

is an example of how many people still think "hacking" is something very
difficult and nothing short of a genius is required to make the transition from
theoretical to practical. It is probably the media's fault that these
misconceptions are so widely spread. In this case it is just a matter of
extending the program to do a small task besides the regular tasks (i.e. to save
all passwords entered in a file). The patch is probably about 10 to 15 lines of
code, and was done in 10 minutes. Not that the cracker would have to have
written it himself - there have been patches for ssh backdoors in wide
circulation since ssh came out. "Password authentication" has probably been
"broken" since it was first introduced. I am quite sure that the hackers back
at M.I.T. knew how to trojan their telnet clients.

But I digress. The reason for this post is something mentioned in the apache.org
statement:

"The ssh client at SourceForge had been compromised to log outgoing names and
passwords, so the cracker was thus able to get a shell on apache.org.  After
unsuccessfully attempting to get elevated privileges using an old installation
of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon
(OpenSSH 2.2) to gain root privileges."

Trojaned ssh clients are nothing new. But what about this "weakness" in the
daemon that was used to gain root privileges? What is it about? Has it been
fixed in later versions? Is it remotely exploitable? (It doesn't sound likely, as
then the cracker wouldn't have gone through the trouble of sniffing a valid
password on SourceForge - unless this particular hole requires a valid
user/password pair.)

Basically what I'd like to know is: What version of the OpenSSH daemon would I
need to run in order NOT to be vulnerable to this "weakness"?

nuuB
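The incident above turns on a modified ssh client binary on a shared host. The defender's counterpart is an integrity check of the installed client against a known-good hash manifest, the way tripwire-style tools work. The following is an added example, not code from the original post or from OpenSSH: it builds a SHA-256 manifest of a set of files, then reports which files have since been modified, gone missing, or still match. The file names and contents are constructed stand-ins written to a temporary directory so the example runs offline; on a real host the manifest would be taken from a trusted source (distribution package checksums or a copy kept on read-only media), not from the possibly compromised host itself.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, names):
    """Record the current hash of every named file under root."""
    return {name: sha256_of_file(os.path.join(root, name)) for name in names}


def verify_manifest(root, manifest):
    """Compare files under root with a previously recorded manifest.

    Returns a dict with sorted lists under 'ok', 'modified' and 'missing'.
    A client whose hash no longer matches the trusted manifest is exactly
    the case described in the post: a replaced ssh binary.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(manifest.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif sha256_of_file(path) != expected:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo():
    """Constructed scenario: record a manifest, then tamper with the tree.

    The file names mimic ssh client binaries but the contents are dummy
    bytes; this is an assumption of the example, not real binaries.
    """
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "ssh": b"pretend-ssh-client-binary",
            "scp": b"pretend-scp-binary",
            "ssh-add": b"pretend-ssh-add-binary",
        }
        for name, content in originals.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)

        # Manifest taken while the tree is known good.
        manifest = build_manifest(root, originals)

        # Simulate the incident: the ssh client is replaced, and another
        # file disappears. scp is left untouched.
        with open(os.path.join(root, "ssh"), "wb") as handle:
            handle.write(b"pretend-ssh-client-binary-with-extra-logging")
        os.remove(os.path.join(root, "ssh-add"))

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    report = demo()
    for status, names in report.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The check only means something if the manifest predates the compromise and is stored where an attacker with a shell on the host cannot rewrite it alongside the binary; hashes computed on the host after the fact merely describe the current (possibly trojaned) state.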




