OpenSSH Local Root Hole

michael posted more than 12 years ago | from the say-it-ain't-so dept.

Bug 554

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though it's a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."


554 comments


fp? (-1, Offtopic)

n3r0.m4dski11z (447312) | more than 12 years ago | (#3124800)

props to nothing

first! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3124804)

for many good reasons

WAIT A FREAKIN' MINUTE (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3124807)

I thought that open source software was always perfectly secure?

YOU PACK OF LIARS!!

There goes OpenBSDs slogan... (1, Funny)

psychofox (92356) | more than 12 years ago | (#3124809)

I take it that their slogan "Four years without a remote hole in the default install!" will not be changed to "Five years without a remote hole in the default install!" then?

Shame...

Re:There goes OpenBSDs slogan... (3, Informative)

TheConfusedOne (442158) | more than 12 years ago | (#3124828)

Ummm, RTFP!

It's a LOCAL exploit. You have to be logged in to exploit it.

Re:There goes OpenBSDs slogan... (4, Funny)

Chundra (189402) | more than 12 years ago | (#3124876)

Ummmm, RTFP!

They aren't ruling out the possibility of a remote exploit.

Re:There goes OpenBSDs slogan... (0)

SweetAndSourJesus (555410) | more than 12 years ago | (#3124990)

Therefore you should not rule in the possibility that it's remote.

Re:There goes OpenBSDs slogan... (0, Redundant)

Anonymous Coward | more than 12 years ago | (#3124830)

Perhaps I should point out this is not a *remote* hole, yet. That is what *local* exploit means.

Re:There goes OpenBSDs slogan... (-1)

neal n bob (531011) | more than 12 years ago | (#3125007)

there are lots of locally exploited holes here at slashdot - j0n katz has his hole exploited every day.

Re:There goes OpenBSDs slogan... (0, Redundant)

Anonymous Coward | more than 12 years ago | (#3124836)

Read->Comprehend->Post

This is (so far) a local hole.

Re:There goes OpenBSDs slogan... (2, Interesting)

SonicBurst (546373) | more than 12 years ago | (#3124837)

Actually, they may have to backdate that slogan. The problem has existed since version 2.0, so this hole would have existed since whenever they started shipping with at least version 2.0. And by the way, it is a local exploit as of yet; however, remote exploitation has not been ruled out.

Re:There goes OpenBSDs slogan... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3124838)

Take a look at the latest addition to the O'Reilly [ilbbs.com] catalog.

Is ssh enabled by default? (0)

Anonymous Coward | more than 12 years ago | (#3124849)

Been too long since I did an install. If ssh isn't enabled in the default install, then the claim still stands.

Re:Is ssh enabled by default? (-1)

Genghis Troll (158585) | more than 12 years ago | (#3124897)

If ssh isn't enabled by default, then their claim doesn't mean shit. Even Katz could put together a distro that runs no services and is thereby "secure".

Maybe... (0)

Anonymous Coward | more than 12 years ago | (#3124921)

but that doesn't change the truth of the statement.

Re:There goes OpenBSDs slogan... (0, Troll)

prog-guru (129751) | more than 12 years ago | (#3124856)

Maybe that will teach them not to install sshd in the base system.

Same goes for telnetd, named, sendmail, etc.

Re:There goes OpenBSDs slogan... (2, Informative)

Gabey (18874) | more than 12 years ago | (#3124953)

You must be a troll, but for the benefit of others, OpenBSD doesn't install telnetd, named, or sendmail by default.

Re:There goes OpenBSDs slogan... (0)

Anonymous Coward | more than 12 years ago | (#3124982)

I'm afraid it does install them.

It does not run them by default.

Heaps of difference.

And BTW, this can make sense, like,
telnet+KerberosV is probably not insecure, just a bit hard to configure.

Re:There goes OpenBSDs slogan... (0)

Anonymous Coward | more than 12 years ago | (#3125036)

They are installed. Telnetd and named are not turned on and sendmail is turned on in a localhost only configuration.

Sorry!

Re:There goes OpenBSDs slogan... (0)

Anonymous Coward | more than 12 years ago | (#3124900)

it's OpenSSH not OpenBSD

Re:There goes OpenBSDs slogan... (0)

Anonymous Coward | more than 12 years ago | (#3124993)

thats good, because i heard... that BSD is dying!!!

retard (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3125003)

fdggf

Re:There goes OpenBSDs slogan... (0)

Anonymous Coward | more than 12 years ago | (#3125024)

Hopefully this is only locally exploitable...

OpenBSD certainly hasn't been nor is it free of local exploits.

Root Hole Found in USA! (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124810)

Suitcase nuke search intensifies: The FBI and other authorities have launched new investigations on al Qaeda's possible acquisition of portable nuclear devices from Russian stockpiles. Since 2000, the FBI has learned of 100 small nuclear devices missing from Russian inventories. The bombs are disguised as suitcases and can be detonated with less than 30 minutes of preparation.

In January 2001, US Customs agents in Miami uncovered a plot to smuggle mini-nukes and other weapons of mass destruction into the US.

More Proof (3, Interesting)

SquierStrat (42516) | more than 12 years ago | (#3124818)

This is just more proof that nothing is 100% secure. :-) How does that saying go, if it can be devised it what? Someone want to finish that for me?

Regardless of that though, I get on my knees and thank God every day for SSH. It's saved me many many many hassles from simply forgetting to turn it off on computers on my home's network.

Re:More Proof (2, Interesting)

Anonymous Coward | more than 12 years ago | (#3124847)

Does it bother anyone else that the last THREE releases of OpenSSH were because of discovered holes? Not very encouraging from a group of induhviduals who like to pride themselves (and very loudly at that) on security.

Re:More Proof (4, Insightful)

SquierStrat (42516) | more than 12 years ago | (#3124879)

I'm sure it's more than the last three. Really, how many new features does SSH need? Bugs in an application of this type that is as mature as SSH tend to be security related. It actually makes me feel better that they're quickly responding to security bugs and doing new releases because of it.

Full disclosure = annoying. (0, Flamebait)

Vincepb (39681) | more than 12 years ago | (#3124820)

Yay!
Now we get another bunch of worms scanning the whole net for vulnerable boxes so they can make DDoS nets!
Thank god for full disclosure!

*gags*

Vince.

Re:Full disclosure = annoying. (0, Redundant)

bill0r (195811) | more than 12 years ago | (#3124852)

Come on, spell with me, L-O-C-A-L

Re:Full disclosure = annoying. (1)

Vincepb (39681) | more than 12 years ago | (#3124912)

Please read the articles before posting.
A remote exploit has not been ruled out.
Chances are, one will be available shortly to the general public and script kiddie scenes.

Vince.

Re:Full disclosure = annoying. (0)

Anonymous Coward | more than 12 years ago | (#3124949)

sung to the mickey mouse tune:

L O C
A L L
Y ex ploit a bleee

Re:Full disclosure = annoying. (4, Insightful)

SquierStrat (42516) | more than 12 years ago | (#3124855)

Script kiddies probably have known about this for a while. Full disclosure is not only a way to get the word out so that it can be quickly patched (which apparently it already is) but also a way to kind of force people into an upgrade. That way no one with an old version of ssh is sitting there being unknowingly used for DDOS attacks because they didn't know they needed to upgrade.

Full disclosure has its downsides, but the upsides pretty much cancel them out.

Re:Full disclosure = annoying. (0, Troll)

Vincepb (39681) | more than 12 years ago | (#3124890)

Full disclosure is where the script kiddies get their tools.
Now this is public knowledge, an exploit will be available within hours.

There is a difference between the people who discover vulnerabilities and those who browse security-focus for them.

This should have been fixed before it was announced, and a period of time waited for people to upgrade.

There isn't even a fixed version available for multiple platforms yet, ffs.

Vince.

Re:Full disclosure = annoying. (2)

SquierStrat (42516) | more than 12 years ago | (#3124927)

I'm going to disagree. Script kiddies don't look at security focus, they go looking for things to exploit the vulnerabilities written by well skilled hackers/crackers. If they waited any amount of time to upgrade, the only people who would have upgraded would have been people like me who download and install the latest version of EVERYTHING just because they can. The people with the bandwidth that need to upgrade wouldn't do it, because they can't afford the service outage. With full disclosure they'll be more or less forced into upgrading. I'm sure the multi-platform release will be done in a few hours also.

Re:Full disclosure = annoying. (1)

Vincepb (39681) | more than 12 years ago | (#3124973)

Script kiddies are the scavengers who feed off of other people's code.
A great place to get this code is secfocus.

As for what you say about bandwidth being relative to upgrades... Well. Explain the previous worms and DDoS nets? Not everyone gives a fuck. Not everyone will be bothered to upgrade. Some people don't even know how...

Vince.

Re:Full disclosure = annoying. (3, Informative)

gehirntot (133829) | more than 12 years ago | (#3124967)

> Full disclosure is where the script kiddies get their tools.
> Now this is public knowledge, an exploit will be available within hours.

You do not know what you are talking about. Full disclosure has greatly improved security awareness and turn around time for fixes. If you want to turn your back on full disclosure, you are heading back into the middle-ages of computer security.

> This should have been fixed before it was announced, and a period of time waited for people to upgrade.

The information was leaked by someone who jumped the gun. That is the reason why the release and advisory happened today instead of Monday. Nothing to be done about it. Instead of bitching, fix a bug in your operating system and send a patch to the developers. Much more useful behaviour for all of us.

Of course, you should be running with ln -s AJ /etc/malloc.conf anyway. It will fill freed memory with junk, and quite often finds conditions where memory is referenced after it has been freed. In that case, there is no problem anyway. If your operating system of choice has no support for malloc debugging, lobby your developers, it is a very useful feature.

Re:Full disclosure = annoying. (1, Troll)

Vincepb (39681) | more than 12 years ago | (#3125020)

Please take a look at http://anti.security.is when you have some spare time.

In particular:

Q: What's wrong with full disclosure?
A: Full disclosure attempts to contradict the saying "two wrongs don't make a right" in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example: An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn't end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure!

Vince.

Re:Full disclosure = annoying. (5, Funny)

Sarin (112173) | more than 12 years ago | (#3124909)

Nah they don't.;) But I'm working on exploit code as we speak.

Re:Full disclosure = annoying. (1)

Vincepb (39681) | more than 12 years ago | (#3124934)

Please don't post to bugsmaq when you're done. =p
We really don't need more smart-enough-to-be-dangerous script kiddies armed with other people's code causing more mayhem.

Vince.

Re:Full disclosure = annoying. (0)

Anonymous Coward | more than 12 years ago | (#3124862)

This isn't flaimbait. I do wish moderators would at least BORROW a clue before they spend their mod points.

The original poster pointed out a result of this (soon to be remote, no doubt) SSH vulnerability.

Go smoke a cock.

Re:Full disclosure = annoying. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3124964)

flaim? wtf is a flaim? Oh you meant like "flaimbate". Nevermind.

I don't think so. (1, Insightful)

Penguinoflight (517245) | more than 12 years ago | (#3124863)

Most worms scan for nt and ISS. I get like 100 a week trying to load NT files, and I'm running Apache on Linux. The hacker world would rather beat more simple targets like Windows than go for something complicated like SSH on Linux.

Re:I don't think so. (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3124988)

Fuck baby Jesus in his widdle mouth.

Re:I don't think so. (1)

SupremeChalupa (547765) | more than 12 years ago | (#3125005)

It's attitudes like this that lead to lax security. Admins who assume _their_ systems are safe because of their obscure/complex/godlike admin/open source/etc. status are just asking for it. Why do you think IIS is so vulnerable? Because admins think they don't need to worry about it. Don't lump yourself in with this crowd, it's a bad thing.

linux patch available (1, Informative)

Asgard (60200) | more than 12 years ago | (#3124821)

So when does 3.1p (portable -- for other OS's) become available?

Re:linux patch available (4, Informative)

MrDingDong (192786) | more than 12 years ago | (#3124859)

It's out there - at least on ftp.openssh.com. I built and installed 3.1p1 a couple of hours ago on Linux.

Re:linux patch available (0)

Anonymous Coward | more than 12 years ago | (#3124899)

Yes, it's out there, but the packaged SRPM is relatively useless for anyone in a server environment. It has a number of dependencies on X and gnome crap that is unlikely to be installed on non-desktop machines.

I suppose I can do things the old fashioned way with the tarball, but was hoping for an easy way out. 8-)

Re:linux patch available (3, Informative)

Asgard (60200) | more than 12 years ago | (#3124898)

Looks like it is already available in tarball and RH72 RPM format.

secure? (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3124822)

What, open source secure?

I submitted this earlier and it was rejected (-1, Offtopic)

Squeezer (132342) | more than 12 years ago | (#3124826)

What gives? :(

Here are your recent submissions to Slashdot, and their status within the system:

* 2001-11-30 18:32:16 Humorous link that would make a good quickie artic (articles,humor) (rejected)
* 2002-01-03 17:14:58 What do you do when your ISP disconnects you for a (askslashdot,censorship) (rejected)
* 2002-01-18 17:46:45 Arictle on the U.S. Census Bureau using MySQL (articles,news) (rejected)
* 2002-03-07 14:22:41 New OpenSSH vulnerability discovered (articles,news) (rejected)

Re:I submitted this earlier and it was rejected (0)

Anonymous Coward | more than 12 years ago | (#3124833)

Sheesh, dude, get a life. The one that was posted probably came in earlier (or had better details).

Re:I submitted this earlier and it was rejected (0)

SouthSideMike (228172) | more than 12 years ago | (#3124851)

Who cares, it's not like you get paid for every submission that gets accepted.

Re:I submitted this earlier and it was rejected (0)

Anonymous Coward | more than 12 years ago | (#3124870)

i never submit because i can't stand the pain of rejection.

Re:I submitted this earlier and it was rejected (-1)

Genghis Troll (158585) | more than 12 years ago | (#3124985)

That's too bad, Squeezer. Me, your Ma, and all the boys back home were really pulling for you on this one. Keep the chin up, son; the big city can be a cold, hard, place, but there's a whole lotta people back here in Kansas that love you and know you'll do us proud.

Commercial SSH (3, Insightful)

Stavr0 (35032) | more than 12 years ago | (#3124840)

Does the same issue exist in Commercial SSH? The advisory makes no mention of it.

I assume it wouldn't be as it's on a different code base, then again 'assume means making an ASS out of U and ME'

Re:Commercial SSH (3, Insightful)

jonnythan (79727) | more than 12 years ago | (#3125054)

If you look at the patch, it's an error in the for loop.. a > instead of a >=.

If the same error existed in Commercial SSH, someone stole some code.
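The boundary condition described in the comment above, as an added example that is not part of the original thread and is not OpenSSH code: a table with `alloc` entries accepts index `alloc` under a `>` check and rejects it under `>=`. The `slot` and `table` names, the two lookup functions and the extra canary element are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example. All names are hypothetical; this is not OpenSSH source. */
struct slot {
    int id;
    const char *label;
};

struct table {
    struct slot *slots; /* valid indices: 0 .. alloc - 1 */
    int alloc;          /* number of valid entries */
};

typedef const struct slot *(*lookup_fn)(const struct table *, int);

/* Build a table of n slots. One extra "canary" element is allocated after
 * the last valid slot to stand in for whatever follows the array in memory,
 * so the loose check can be exercised without undefined behaviour. */
int table_init(struct table *t, int n)
{
    int i;

    if (t == NULL || n <= 0)
        return -1;
    t->slots = calloc((size_t)n + 1, sizeof(*t->slots));
    if (t->slots == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        t->slots[i].id = i;
        t->slots[i].label = "valid slot";
    }
    t->slots[n].id = -1;
    t->slots[n].label = "NOT A SLOT: data past the end of the table";
    t->alloc = n;
    return 0;
}

void table_free(struct table *t)
{
    free(t->slots);
    t->slots = NULL;
    t->alloc = 0;
}

/* Off-by-one: id == alloc passes the check and indexes one past the end. */
const struct slot *lookup_loose(const struct table *t, int id)
{
    if (id < 0 || id > t->alloc)
        return NULL;
    return &t->slots[id];
}

/* Correct: an array of alloc entries has no index alloc. */
const struct slot *lookup_strict(const struct table *t, int id)
{
    if (id < 0 || id >= t->alloc)
        return NULL;
    return &t->slots[id];
}

/* Boundary sweep: how many ids in [lo, hi] does a lookup accept?
 * For a correct check the answer can never exceed alloc. */
int count_accepted(lookup_fn fn, const struct table *t, int lo, int hi)
{
    int id, n = 0;

    for (id = lo; id <= hi; id++)
        if (fn(t, id) != NULL)
            n++;
    return n;
}

int main(void)
{
    struct table t;
    const struct slot *s;

    if (table_init(&t, 4) != 0)
        return 1;
    printf("loose  accepts %d ids\n", count_accepted(lookup_loose, &t, -2, 6));
    printf("strict accepts %d ids\n", count_accepted(lookup_strict, &t, -2, 6));
    s = lookup_loose(&t, t.alloc);
    printf("loose  lookup(%d): %s\n", t.alloc, s ? s->label : "rejected");
    s = lookup_strict(&t, t.alloc);
    printf("strict lookup(%d): %s\n", t.alloc, s ? s->label : "rejected");
    table_free(&t);
    return 0;
}
```

A sweep like `count_accepted` over ids just below zero and just past `alloc` is a cheap regression test for this class of check.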

Anti-Security? (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124844)

They've been exploiting this hole for months now, looks like someone got sloppy and leaked the exploit.

Bad Bad Bad.

Good job i use Microsoft products (-1, Troll)

Anon0mous (549084) | more than 12 years ago | (#3124857)

with all this open source software just being given away, who knows what other backdoors and security holes we may see in the future at least i have Microsoft products to depend on

Re:Good job i use Microsoft products (0)

Anonymous Coward | more than 12 years ago | (#3124960)

Yep, the only back door you will ever need to worry about is the one Bill Gates is plugging you through.

I'd Rather... (-1)

DonkeyHote (521235) | more than 12 years ago | (#3125027)

Take it up the ass by Bill Gates then by the legions of rabidly homosexual hippies who keep telling me the ass-reaming is free.

remote hack? (1)

oo7tushar (311912) | more than 12 years ago | (#3124865)

not to people, the debian packages have not yet been updated so your best bet is to download (like a real penguin) and install yourself (but only if you want to be a penguin, they dress well)

Correction: off-by-one (5, Informative)

MarkusQ (450076) | more than 12 years ago | (#3124874)

> Seems as though it's a one-off error

One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.

Off-by-one error: An error in enumeration, such as starting or ending a count at the wrong value (e.g. 0 vs. 1), counting the starting/ending value in a cycle twice or not at all (e.g. in counting a group of people which includes yourself), counting delimiters as opposed to the items delimited (e.g. the "fence post" problem), or any analogous error.

These are rather different! When I read the abstract my first thought was "how can they determine that?"

-- MarkusQ

Correction: One Plus One (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124884)

= Calculus.

Re:Correction: off-by-one (1)

mcelrath (8027) | more than 12 years ago | (#3124928)

> One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.

Shouldn't that be one-of? As in: "we only created one of them".

-- Bob

Re:Correction: off-by-one (1)

ThatComputerGuy (123712) | more than 12 years ago | (#3125015)

But "what we created is a one-off."

CERT Advisory (4, Funny)

milesbparty (527555) | more than 12 years ago | (#3124880)

Systems Affected

IBM AIX versions 4.3 and 5.1
Hewlett-Packard's HP-UX
SCO OpenServer 5.0.6 and earlier
SGI IRIX 3.x
Sun Solaris 8 and earlier

I. DESCRIPTION

Several implementations of direct serial connect console may have a serious security hole. In more than several cases, a guy (SA) sitting on a folding chair in a data center, directly logged in to the system via serial connection and dumb terminal, was hit over the head with a stick by another guy. The second guy was then able to gain access to the system by forcefully taking away the dumb terminal from the guy that was hit over the head, and use his login to do bad stuff on the system.

II. IMPACT

The guy that was hit over the head with the stick suffered a bump on the head, and bad stuff was done on the system.

III. SOLUTION

We recommend disabling ALL systems in your data center. Issue the following command on Solaris: init 5, then turn it off by toggling the on/off switch. This method will prevent any attack outside your network, from within your network, and by god, from within your data center. This is the best known method of stopping ALL security holes, including the "stick on the head" issue. As vendors report new information to the CERT/CC, we will update this section.



http://www.paulandangelle.com/cert_advisory.html [paulandangelle.com]

FIGHT KARMA WHORING, DONT MOD PARENT (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124904)

I found a local whole in MyAnus and it can be exploited by finding an unoccupied peice of sidewalk and rubbing back and forth, it will then cause MyAnus to become raw and bleed. this is a serious issue and should be patched immediatly!

SGI IRIX 3.x? (3, Funny)

Anonymous Coward | more than 12 years ago | (#3124914)

Oh NO! I hope no one hacks my mighty Personal IRIS workstation! In the wrong hands, its power would be terrible...

Re:CERT Advisory (1)

Luke Marsden (313446) | more than 12 years ago | (#3124952)

And this is fucking modded as Informative..?

Hehe..

G'won, someone mod it as Funny.

Just Goes to Show-Ya (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124966)

If they bothered to READ the fucking posts before they blindly modded them this kinda irresposible shit wouldn't be happening

And a fond FUCK-YOU to the slashbot janitorial staff

OpenSSH site already updated? (4, Informative)

Noryungi (70322) | more than 12 years ago | (#3124882)


Here is what can be found on their web site:

"OpenSSH 3.1 released March 7, 2002."

Hmmm... That was quick! Especially since the advisory reads:

Pine Internet Security Advisory

Advisory ID : PINE-CERT-20020301
Authors : Joost Pol
Issue date : 2002-03-07
Application : OpenSSH
Version(s) : All versions between 2.0 and 3.0.2


Pretty good job.

Re:OpenSSH site already updated? (2, Informative)

leviramsey (248057) | more than 12 years ago | (#3125022)

The vulnerability was sent to the OpenSSH team a few days ago. It was not publicized until a fix was in CVS.

smallest possible patch (4, Informative)

bill_mcgonigle (4333) | more than 12 years ago | (#3124885)

For you guys too lazy to read:
http://www.pine.nl/advisories/pine-cert-20020301.txt [www.pine.nl]
( I was going to post the patch here, it's really small, but apparently slashcode doesn't know what the blockquote tag is for, despite claiming it's supported)

But this isn't just an attempt at karma whoring, there is a point. When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that Microsoft secured their software over the last month?

OpenSSH 3.1 (1)

AlbanySux (248858) | more than 12 years ago | (#3124886)

It was released today according to the OpenSSH website. Go and pound the mirror sites [openssh.com]

I can't wait for djbssh (5, Funny)

Russ Nelson (33911) | more than 12 years ago | (#3124892)

I can't wait for the Daniel J. Bernstein version of ssh.
-russ

Re:I can't wait for djbssh (5, Funny)

Anonymous Coward | more than 12 years ago | (#3124999)

you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

Re:I can't wait for djbssh (4, Funny)

biot (12537) | more than 12 years ago | (#3125030)

It would be incompatible with the rest of the world's ssh implementations, of course, but I guess he'd write a DJB-RFC to take care of that.

nsSSH (1)

pinkUZI (515787) | more than 12 years ago | (#3124893)

The not so Secure Shell.

Yay! (1, Funny)

Anonymous Coward | more than 12 years ago | (#3124911)

2002-03-07 11:39:40 Server version: SSH-2.0-OpenSSH_3.0.2p1

Good night everybody!

and people wonder why its free ? (0)

Anon0mous (549084) | more than 12 years ago | (#3124925)


...cos no one would pay for it ?

this is a bummer.......... (0)

Anonymous Coward | more than 12 years ago | (#3124930)

i run ssh to keep the telnet hackers out.....

they NEED to have a working username/pw and since i only have 4 users, it no biggy.

but beware. wait wait, here come MS bashers.

Please stop writing network apps in C! (5, Interesting)

Tom7 (102298) | more than 12 years ago | (#3124957)

This kind of bug would NOT BE EXPLOITABLE if sshd was written in a modern safe language.

If the canonical secure software from the canonical secure software people has bugs like this, I don't see how anyone can argue that it's possible to write secure code in C. C makes it easy to make this kind of bug, and the bugs are often exploitable.

Check out my previous post and ensuing discussion on this http://slashdot.org/comments.pl?sid=24271&cid=2629013 [slashdot.org] for more info. Synopsis: There are some reasons to use C for a project, but none apply to network daemons. As a proof of concept, I rewrote FTPD in my favorite modern language; the source went from 24,000 lines to 3000 (including support code, like PAM_MD5 password encryption), took me only a weekend to write, and is 100% buffer overflow / format string / heap corruption free.

I'm trying to raise awareness about this because I think it's a real obstacle to us having secure software.

Re:Please stop writing network apps in C! (0)

Anonymous Coward | more than 12 years ago | (#3124987)

> is 100% buffer overflow / format string / heap corruption free

How can you prove that? Everybody can claim his code is problems/free...

Nothing says Network App like Ruby's and Perl's (-1)

DonkeyHote (521235) | more than 12 years ago | (#3124994)

Diamonds are whores best friend!

Re:Please stop writing network apps in C! (0)

climer (94555) | more than 12 years ago | (#3125001)

I cry BS. Your previous post claimed that performance was not a reason and yet I don't believe you. Wake up and stop acting as the HW vendors lobbyist.

Re:Please stop writing network apps in C! (5, Insightful)

MartinG (52587) | more than 12 years ago | (#3125033)

How did it cope with 18,000 simultaneous connections? Did you use mmap(), sendfile() and friends on linux to get the best performance possible? How did the xfer rates compare?

BTW, 24,000 lines is a hell of a lot. If you want to compare like for like, have a look at vsftpd by Chris Evans. It's written entirely in c. Have a read of the source - it's quite interesting how it has been done. I would be surprised if you could find a buffer overflow.

I actually do agree with your points mostly, but I would say "Don't use c for network apps unless you have a good reason to" and also "don't use c for network apps unless you _really_ know the hazards"

In some ways SSH is a special case anyway. It has all the intensive maths stuff to do for the session key generation etc. Not a good idea to code that in (eg.) perl imo.

BTW, out of interest, what is your "favorite modern language" ??

Re:Please stop writing network apps in C! (5, Insightful)

coyul (119455) | more than 12 years ago | (#3125051)

Did you even look at the patch?

--- channels_old.c Mon Mar 4 02:07:06 2002
+++ channels.c Mon Mar 4 02:07:16 2002
@@ -151,7 +151,7 @@
channel_lookup(int id)
{
Channel *c;
- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}
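Review bot: the corrected test `id >= channels_alloc` implies that valid ids run from 0 to channels_alloc - 1, but nothing in the hunk states that range; a one-line comment above the check saying so would make the boundary harder to get wrong again. The log call could also print channels_alloc next to the rejected id, so that a value rejected exactly at the boundary can be told apart from one that is far out of range.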

You want to explain to me how any "modern safe language" is going to stop me from saying 'greater-than', when I really mean 'greater-than-or-equal-to'?

Workaround? (1, Interesting)

Anonymous Coward | more than 12 years ago | (#3124959)

Anyone know of a quick workaround? I got several boxes I can't totally disable ssh out of and now I have to shut them down if I can't fix it and get a whole bunch of disgruntled users...

OpenSSH (1, Interesting)

Matrix12 (242932) | more than 12 years ago | (#3124961)

Take a good look at the source sometime, it's a total hack. I have to admit, it is very full featured and supports as much of the IETF draft as any implementation out there.

You get what you pay for I suppose ;-)

What are package people supposed to do? (3, Interesting)

Sludge (1234) | more than 12 years ago | (#3124976)

I use Debian Potato. These kinds of exploits are documented before packages appear for my servers. In fact, I don't think there's an update available for the PHP remove vulnerability [php.net] documented on February the 28th, yet.

What am I supposed to do? Break the package dependencies on the five machines I administrate and recompile new software? Or, is Debian going to support this old, clunky distro (there is no stable replacement quite yet).

Re:What are package people supposed to do? (1)

jjmcwill (3739) | more than 12 years ago | (#3125029)

I think that

This [debian.org]
(http://www.debian.org/security/2002/dsa-115) addresses the PHP issue. Somebody correct me if I'm wrong.

Jeff

Re:What are package people supposed to do? (-1)

DonkeyHote (521235) | more than 12 years ago | (#3125052)

I Know: Drop the Zero and Get with the Hero

Switch to MS, NT2K is your friend, IIS is SECURE and
Exchange Server is a work of Art.

Where to get OpenSSH 3.1: (1)

Evro (18923) | more than 12 years ago | (#3124996)

Looks like the mirrors don't have it yet.

ftp to ftp.openssh.com.

Look in "/pub/OpenBSD/OpenSSH/portable/" for the portable version. I'm sure you can figure out how to get to the OpenBSD version.

Old News (1)

millwood (542462) | more than 12 years ago | (#3125013)

I figured it was old news, anyway. My mail server was compromised by this hole last month, and I ended up calling companies around the world that had boxen from which mine was hacked.

WU-FTPD Anyone? (0)

Anonymous Coward | more than 12 years ago | (#3125026)

I abandoned wu-ftpd long ago because I grew weary
of the "sploit of the week" routine. I abandoned
sendmail for the same reason way, way before that.
ISTM that OpenSSH is having to be replaced with
disturbing regularity. It's getting a mite old.

OpenBSD upgrade. (4, Informative)

saintlupus (227599) | more than 12 years ago | (#3125035)

OpenSSH 3.1 was released this morning. The info and tarball for OpenBSD systems is available at:

http://www.openssh.com/openbsd.html

Mine's compiling now.

--saint

RPM's Compiled For i386 (2, Informative)

Mr_Perl (142164) | more than 12 years ago | (#3125038)

Help yourselves:

http://www.geniusweb.com/RPMS/ [geniusweb.com]

SSH 3.1p1 RPM's compiled without gnome-askpass, everything else is default vanilla.

FreeBSD affected; patches available (4, Informative)

Dom2 (838) | more than 12 years ago | (#3125043)

Unfortunately, I can't post the advisory here due to the lame lameness filter. But here are the patches:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

If you've got the ssh port installed, check out the advisory for details on what to do:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+current/freebsd-announce

Does this affect non-suid root clients? (2)

Dast (10275) | more than 12 years ago | (#3125048)

I don't see any mention of non-suid clients in the advisory? Does any fellow /.er know if such clients are vulnerable to escalation of privileges?

This oughtta teach you open-source folks a lesson! (0, Troll)

fobbman (131816) | more than 12 years ago | (#3125057)

If you'd just keep your source closed like the smart folks at Microsoft then these sorts of bugs would never be found.
