Possible root-exploit in openssh?

Fredrik Hultkrantz fjutt at blink.se
Thu Nov 29 02:47:07 EST 2001


Hello...

I am a student at Göteborgs university who is the system administrator in
one of the student clubs here. We run about 10 computers with one server.
Mainly linux and all run openssh. We have closed telnet so only
ssh-connections are allowed.

Last night I got a mail from one of the system administrators at Göteborgs
university saying that there was a possible root exploit in all openssh
versions from 2.9.9p2 and below. Shortly after this the university closed
all connections using port 22 (that is how serious they think it is),
effectively making all the machines I am responsible for unable to log on
to from the outside.

They have looked at the exploit and I'll try to sum it up here.

-----------------------

The program is 1.2 MB and is encrypted. It gives you a root shell but
doesn't seem to do anything stupid. 1.2 MB is a lot of data though...

Using strace/truss/gdb etc doesn't result in anything useful so it is a
bit hard to say what it really is doing.

They have confirmed that:

Fsecure
1.2.xx
2.x.xx
3.0.x

and
Openssh
1.x
2.9p1
2.9.9p2

are vulnerable. Openssh 3.0.1p1 doesn't seem to be vulnerable though.

It is called x2 (at least by the people I have talked to).

It doesn't seem to be the crc-bug but more something in the line of a
buffer overrun during the handshake.

How to run it?

x2 -t1 ip port
x2 -t2 ip port
x2 -t3 ip port

If it asks for a password just:

cat key.txt

---------------------------

I have searched all the mailing lists but have not been able to find
anything linked to this (if I missed something please redirect me).

All the data above is NOT tested by me but by other people at the
university. I have the exploit (I have not tested it myself though) and
can send it for further testing to you if you ask me.

Is this a known exploit? Do I miss something?

If I did something wrong mailing this mail, don't be offended and please
tell me how to correct it (it is my first post to this mailing-list).

Thanks a lot for a great program

Fjutt

More information about the openssh-unix-dev mailing list