Recent breakins / SSHD root hole?

nuuB _nuub at
Tue Jun 5 19:22:24 EST 2001

>> No, I don't think so. AFAIK that bug was fixed in 2.1.1, and
>> reportedly ran "OpenSSH 2.2".
> never had an insecure ssh, someone knew a password for an
>account and used that. Wichert.

Not if their issued statement reflects what actually happened:

"The ssh client at SourceForge had been compromised to log outgoing names and
passwords, so the cracker was thus able get a shell on  After
unsuccessfully attempting to get elevated privileges using an old installation
of Bugzilla on, [- here comes the important bit -] the cracker used
a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges."

I.e they only used an account to get local (non-root) access. The point here
was that after they had local access they rooted the box using "a weakness" in
the ssh server. I'm assuming this weakness is the CRC attack detector bug
mentioned previously in this thread. The released exploit requires a lot of
constants to be correct, and finding them requires you have more than half a
clue and some time to spare. If the sshd binary was readable, or came from a
known distributions it would be quite feasable to find the constants required.
Bruteforcing some of the constants is also quite fast with local access, and
due to the nature of the bug the server crashes before any logging takes place
(unless sshd was configured to log more than normal).


Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!

More information about the openssh-unix-dev mailing list