
Thread: New SSH exploit in the wild?

  1. #11
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Is this something to be concerned about in a Win or NT environment?
    No, NT features device aware access controls so even if a remote user is able to access the Admin account (for example) their permissions will be different than an Admin user connecting locally or via a trusted path. (the specifics of this are well off the subject so PM me if you'd like more information.)

    I think exploits like this will continually be a threat to UN*Xland until a more workable PAM is developed (since root ain't going away anytime soon) that could effectively delegate out privileges incrementally. Yeah it would be more of a pain, but really how often do you need more than one or two of root's privilege sets in a single session?

    The other solution is a very small and I mean _very small_ service that only handles a predefined set of root tasks. This would limit the potential for abuse, but still fails to adequately resolve the issue of trust. Perhaps if it dumped the task into a queue with a 15 minute propagation delay and perhaps 5 additional minutes per task, this would make it exceptionally difficult to exploit effectively.

    Lots of possibilities, but until some reins are put on root, at least remotely, these issues will constantly be lurking around every corner and patching isn't gonna make them go away.

    catch

  2. #12
    Junior Member
    Join Date
    Jul 2003
    Posts
    28
    And of course let's not forget Red Hat
    https://rhn.redhat.com/errata/RHSA-2003-279.html

    Patch up!

  3. #13
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Mandrake Updates. Check here: http://www.mandrakesecure.net/en/adv...MDKSA-2003:090

    To upgrade automatically, use MandrakeUpdate.

    If you want to upgrade manually, download the updated package(s) from one of their FTP server mirrors and upgrade with "rpm -Fvh *.rpm".
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  4. #14
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Slackware has released an update too - now on all the major mirrors ....

    Oh the joy of the *nix community .... quick to jump on the bugs and squash them before they become a plague

  5. #15
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Beware! There's another bug found in OpenSSH. You'll have to update to 3.7.1 (just 3.7 won't do). Read the advisory here: http://www.openssh.org/txt/buffer.adv
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  6. #16
    Banned
    Join Date
    May 2003
    Posts
    1,004
    "Oh the joy of the *nix community .... quick to jump on the bugs and squash them before they become a plague"
    Shouldn't that read: "Oh the joy of the *nix community .... always treating just the symptom"? (Not that Windows is any better, ah the joys of COTS operating systems.)

    catch

  7. #17
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by Guus
    Beware! There's another bug found in OpenSSH. You'll have to update to 3.7.1 (just 3.7 won't do). Read the advisory here: http://www.openssh.org/txt/buffer.adv
    (http://www.antionline.com/showthread...hreadid=248600)
    Credit travels up, blame travels down -- The Boss

  8. #18
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    To: BugTraq
    Subject: Portable OpenSSH 3.7.1p2 released
    Date: Sep 23 2003 12:39PM
    Author: Damien Miller <djm cvs openbsd org>
    Message-ID: <200309231239.h8NCdocm023804@cvs.openbsd.org>


    Portable OpenSSH 3.7.1p2 has just been released. It will be available
    from the mirrors listed at http://www.openssh.com/portable.html shortly.

    Please note that this is a release to address issues in the portable
    version only. The items mentioned below do not affect the OpenBSD
    version.

    OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
    implementation and includes sftp client and server support.

    We would like to thank the OpenSSH community for their continued
    support to the project, especially those who contributed source and
    bought T-shirts or posters.

    We have a new design of T-shirt available, more info on
    http://www.openbsd.org/tshirts.html#18

    For international orders use http://https.openbsd.org/cgi-bin/order
    and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

    Security Changes:
    =================

    Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple
    vulnerabilities in the new PAM authentication code. At least one of
    these bugs is remotely exploitable (under a non-standard
    configuration, with privsep disabled).

    OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not
    exist in OpenBSD's releases of OpenSSH.

    Changes since OpenSSH 3.7.1p1:
    ==============================

    * This release disables PAM by default. To enable it, set "UsePAM yes" in
    sshd_config. Due to complexity, inconsistencies in the specification and
    differences between vendors' PAM implementations we recommend that PAM
    be left disabled in sshd_config unless there is a need for its use.
    Sites using only public key or simple password authentication usually
    have little need to enable PAM support.

    * This release now requires zlib 1.1.4 to build correctly. Previous
    versions have security problems.

    * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
    are not supported for older OpenSSL versions.

    * Fix compilation problems on systems with a missing or lacking inet_ntoa()
    function.

    * Workaround problems related to unimplemented or broken setresuid/setreuid
    functions on several platforms.

    * Fix compilation on older OpenBSD systems.

    * Fix handling of password-less authentication (PermitEmptyPasswords=yes)
    that has not worked since the 3.7p1 release.

    Checksums:
    ==========

    - MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94


    Reporting Bugs:
    ===============

    - please read http://www.openssh.com/report.html
    and http://bugzilla.mindrot.org/

    OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
    Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.

    yeah, I'm gonna need that by friday...
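
Added example, not part of any post in this thread and not OpenSSH project code: a shell triage of the conditions the 3.7.1p2 announcement above describes (the two affected portable releases, `UsePAM`, and privsep). The function names, verdict labels and sample config are constructed for illustration, and treating a missing `UsePAM` line as enabled on the affected releases is an assumption.

```shell
#!/bin/sh
# Added example, not OpenSSH project code. Labels and sample are constructed.
# effective_setting FILE KEYWORD DEFAULT: sshd keeps the first value it
# reads; keywords are case-insensitive, followed by whitespace or "=".
effective_setting() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n)
            gsub(/^[ \t=]+|[ \t]+$|"/, "", v)
            if (k == key) { print tolower(v); found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# affected_version STRING ("ssh -V" form): true for 3.7p1 and 3.7.1p1.
affected_version() {
    v=${1%%[, ]*}                          # drop ", SSH protocols ..." tail
    case "$v" in
        OpenSSH_3.7p1|OpenSSH_3.7.1p1) return 0 ;;
        *) return 1 ;;
    esac
}

# assess FILE VERSION: print one verdict label.
assess() {
    affected_version "$2" || { echo not-listed; return 0; }
    # Assumption: a missing UsePAM line counts as enabled on these builds.
    pam=$(effective_setting "$1" UsePAM yes)
    privsep=$(effective_setting "$1" UsePrivilegeSeparation yes)
    if [ "$pam" = yes ] && [ "$privsep" = no ]; then
        echo remote-exploitable-config      # the case the announcement flags
    elif [ "$pam" = yes ]; then echo pam-enabled
    else echo pam-disabled
    fi
}

# Constructed sample config; sshd would ignore the later "UsePAM no".
cfg=$(mktemp)
printf 'UsePAM yes\nUsePrivilegeSeparation=no\nUsePAM no\n' > "$cfg"
assess "$cfg" 'OpenSSH_3.7.1p1, SSH protocols 1.5/2.0'
rm -f "$cfg"
```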
