OpenSSH Security Advisory (adv.channelalloc)
Dan Kaminsky
dan at doxpara.com
Fri Mar 9 20:39:02 EST 2001
> This bug can be exploited locally by an authenticated user
> logging into a vulnerable OpenSSH server or by a malicious
> SSH server attacking a vulnerable OpenSSH client.
OK, I must really be missing something.
Doesn't OpenSSH drop all privs long before either side gets the option to
open a corrupted channel?
If so, where's the route to sshd for a buffer overflow to exploit? The
closest I can come up with is in a setuid ssh client being poked,
X-Forwarding style, by a corrupted server...in which case, that's another
reason why ssh shouldn't be setuid by default.
Incidentally, *someone* has actually seen a working attack, right?
--Dan