OpenSSH Security Advisory (adv.channelalloc)

Dan Kaminsky dan at
Fri Mar 9 20:39:02 EST 2001

>         This bug can be exploited locally by an authenticated user
>         logging into a vulnerable OpenSSH server or by a malicious
>         SSH server attacking a vulnerable OpenSSH client.

OK, I must really be missing something.

Doesn't OpenSSH drop all privs long before either side gets the option to
open a corrupted channel?

If so, where's the route to sshd for a buffer overflow to exploit?  The
closest I can come up with is in a setuid ssh client being poked,
X-Forwarding style, by a corrupted which case, that's another
reason why ssh shouldn't be setuid by default.

Incidentally, *someone* has actually seen a working attack, right?


More information about the openssh-unix-dev mailing list