New ssh Exploit in the Wild

CmdrTaco posted more than 10 years ago | from the brace-for-impact dept.

Security 754

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

754 comments

Uh oh (5, Funny)

Anonymous Coward | more than 10 years ago | (#6975461)

Best patch and upgr..&*[NO CARRIER]

Re:Uh oh (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6975499)

The penis: mightier than the sword!

Crazy slashbot (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#6975531)

The lengths some people will goto to try and damage Theo's pride.

An openSSH root hole that jeopardizes almost all network equipment and unix servers out there, and this exists merely to "damage Theo's pride"? that is insanity of the first order - or are the MS flaws merely out there to damage Gates' pride? Or are they an example of shoddy code?

Re:Crazy slashbot (0)

Anonymous Coward | more than 10 years ago | (#6975729)

Microsoft holes demonstrate the inferiority of closed-source commercial software.

Open source software holes demonstrate the ability of the community to provide superior service by patching holes quicker than Microsoft does.

Now do you understand?

Offshoring: I Finally Did It (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6975668)

Well, after getting turned down for an interview for a job that was posted here in Rochester (to be performed here and in California), I found out the company is outsourcing it to India...

This was the kick in the pants I needed to finally call up Senator Clinton's office (+1 (716) 854-9725) in Buffalo and ask what the fuck they were thinking when they invited Tata to set up shop in Buffalo in March (http://www.tata.com/tcs/releases/20030310.htm [tata.com])...

What a chilling experience. The guy that answered is the director of the Buffalo office, Jim Kane. I thought he'd just spew some platitudes and hustle me off the phone, instead he came out swinging. I'm guessing he thought I was a shill from some opposing political party, 'cause his stance softened somewhat (but not much) when he found out I have voted mostly Democrat in the past and that I really am an unemployed software engineer...

I couldn't get a straight answer as to why Senator Clinton actively sought out an Indian offshoring services firm in to New York State instead of working with one or more domestically owned and run ones in Western New York.

In the past, I've thought the "beholden to the corporate interests" stories we've seen in the news have been a little overwrought--I'm reconsidering my opinion in light of my conversation with Jim Kane.

Among the more fantastic comments Jim made:

  • There are University of Buffalo graduates making $100K in Binghamton working for defense contractors.
  • Tata Consultancy Services is a bigger company than General Motors. I could not get him to state whether this is as a measure of revenues or in terms of headcount.
  • TCS is creating IT jobs in Buffalo, not outsourcing them back to India.
BTW, if anyone is looking for a job, you may have to pay your own airfare to India for the interview, but here are some leads: http://www.tata.com/0_careers/vacancies/index.htm [tata.com]

deceit (1, Interesting)

Tirel (692085) | more than 10 years ago | (#6975464)

Only one remote hole in the default install, in more than 7 years! [openbsd.org]

Oops!

Given that the default install has ssh turned on, will they change it to "two remote holes" ?

How much do you want to bet they'll just sweep it under the carpet and hope people forget? If you follow misc@ carefully you have probably seen it done before. Let's make some noise and force Theo to finally update that!

Re:deceit (1)

Basje (26968) | more than 10 years ago | (#6975616)

It doesn't say in the last x years. But I do agree with you that it's misleading.

Re:deceit (1, Interesting)

The Ogre (21899) | more than 10 years ago | (#6975646)

Given that this bug appears to be *unexploitable* in OpenBSD, no, I suspect they will *not* change that claim. The hole is only an issue if you're running OpenSSH on a slightly less secure OS, apparently. Huh, whooda thunk it?

like suffering of others? (Re:deceit) (0)

Anonymous Coward | more than 10 years ago | (#6975734)

Do you take pleasure in others' suffering?

OpenBSD has one of the best track records out there. Seems to be that they're held to a different standard than other OSes/distributions (which in a way can be considered a compliment).

Yes, Theo is a bit over the top at times, but you have to admit he does have a certain right to, given OpenBSD's track record.

Hooray! (1, Funny)

TheQuantumShift (175338) | more than 10 years ago | (#6975466)

New manifestations of Job Security for us techs!

Re:Hooray! (0)

Anonymous Coward | more than 10 years ago | (#6975733)

Gee, you're just like the MCSEs who have had job security for years by the same method. I guess Linux has reached the big time.

See this comment for BSD patch and info (4, Informative)

setzman (541053) | more than 10 years ago | (#6975470)

Re:See this comment for BSD patch and info (4, Informative)

ChiefArcher (1753) | more than 10 years ago | (#6975718)

I just made RH9/8/7.3 RPMS
since RH hasn't released any yet...
it's backported from the 9.0 update ssh SRPM.

my bandwidth is VERY limited... so AIM ME at "Swell500" and i'll send ya a link to grab them until RH releases official patches.

ChiefArcher

uh... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6975475)

sshit

interesting comment on how to stop it... (1, Informative)

garcia (6573) | more than 10 years ago | (#6975482)

"upgrade" to GNU lsh or block SSH from everyone except known hosts (the VPN option does basically the same thing).

Re:interesting comment on how to stop it... (3, Informative)

jsprat (442568) | more than 10 years ago | (#6975567)

Before anyone "upgrades" to lsh, here's the README:
This directory contains snapshots of lsh development. lsh is a free
implementation of the ssh protocol.

lsh is far from finished; don't expect these snapshots to compile or
work, and even if they appear to work, beware that lsh currently does
*NOT* provide any security at all.

Questions. (5, Interesting)

grub (11606) | more than 10 years ago | (#6975484)


I have to wonder if UsePrivilegeSeparation was enabled. (see the manpage [openbsd.org])

One message in the thread indicates it is but this isn't first-hand knowledge. If PrivSep was enabled then is OpenBSD immune to this attack due to other parts of the OS being hardened (much like the zlib hole a few months back)? Also are these default installations or are they "tweaked"? As an aside, PermitRootLogin defaults to enabled, something I always disable as I have no need for it.

Even if this does count as a new remote hole in OpenBSD, it's still a phenomenal track record they can be proud of.

Re:Questions. (2, Informative)

Tirel (692085) | more than 10 years ago | (#6975593)

PermitRootLogin is enabled so you can login after a remote install, but the install guide [openbsd.org] tells you disabling it is one of the first things you should do after you successfully boot and make a normal user account.

CRAP! (3, Informative)

code shady (637051) | more than 10 years ago | (#6975494)

Looks like it's time to turn the port forwarding on my router off, and wait for Apple to provide a patch.
The advisory itself says The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH. So I'm going to assume that OS X is affected as well.

Re:CRAP! (1, Insightful)

Anonymous Coward | more than 10 years ago | (#6975516)

Well, one post says

"The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login."

So even if the root hole cannot be exploited with priv. sep, you still have to worry about all those SSH connections eating up your resources.

Re:CRAP! (2, Informative)

loginx (586174) | more than 10 years ago | (#6975625)

But the flood is not the SSH bug itself, the fact that you can flood a box running SSH is not a design flaw of SSH in any way.
You can flood any service and eat resources... no matter what service is running.
I think if you can just configure SSH or port-sentry to simply allow 3 attempts from the same IP address or even network block, it's not a fix but a good workaround as it will definitely help you secure your ssh-based system.

Re:CRAP! (1, Insightful)

Anonymous Coward | more than 10 years ago | (#6975657)

Yes of course, but the point is that floods of SSH connections are going to be more likely due to people attempting to exploit this bug. Even if you're not vulnerable, they'll still try to exploit it.

Re:CRAP! (1)

loginx (586174) | more than 10 years ago | (#6975681)

I agree with you on that one.
However, there's not much that can be done except set up decent firewall rules.
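
[Added example, not part of any poster's comment.] The connection flood discussed in this sub-thread can be spotted in syslog by counting sshd connections per source per minute. The sketch assumes sshd runs with LogLevel VERBOSE (so "Connection from" lines are logged); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sources that open many sshd connections inside one
# minute, the behaviour the Full-Disclosure report in this thread describes.
# Assumption: sshd logs at "LogLevel VERBOSE", so every accepted TCP
# connection appears as "Connection from <addr> port <n>".

# ssh_flood_sources THRESHOLD   (reads syslog-format lines on stdin)
# Prints "<Mon> <day> <HH:MM> <addr> <count>" for each minute/source pair
# whose connection count is at least THRESHOLD, sorted.
ssh_flood_sources() {
    awk -v threshold="$1" '
        / sshd\[[0-9]+\]: Connection from / {
            # Find the address that follows the words "Connection from".
            for (i = 2; i < NF; i++) {
                if ($(i - 1) == "Connection" && $i == "from") {
                    # Bucket by month, day and HH:MM (seconds dropped).
                    minute = $1 " " $2 " " substr($3, 1, 5)
                    count[minute " " $(i + 1)]++
                    break
                }
            }
        }
        END {
            for (key in count)
                if (count[key] >= threshold)
                    print key, count[key]
        }
    ' | sort
}

# Constructed sample log (documentation addresses, hypothetical host "gw"):
# one normal login from 192.0.2.10 and a burst from 198.51.100.7.
sample_log() {
    cat <<'EOF'
Sep 15 13:47:58 gw sshd[301]: Connection from 192.0.2.10 port 51022
Sep 15 13:47:59 gw sshd[301]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Sep 15 13:48:01 gw sshd[311]: Connection from 198.51.100.7 port 40001
Sep 15 13:48:01 gw sshd[312]: Connection from 198.51.100.7 port 40002
Sep 15 13:48:02 gw sshd[313]: Connection from 198.51.100.7 port 40003
Sep 15 13:48:02 gw sshd[314]: Connection from 198.51.100.7 port 40004
Sep 15 13:48:03 gw sshd[315]: Connection from 198.51.100.7 port 40005
Sep 15 13:48:30 gw sshd[320]: Connection from 192.0.2.10 port 51030
Sep 15 13:49:00 gw sshd[330]: Connection from 198.51.100.7 port 40006
EOF
}

# Report every source with four or more connections in a single minute.
sample_log | ssh_flood_sources 4
```

On a live system the same function reads the real log on stdin; the addresses it reports are candidates for the firewall or edge-device rules suggested elsewhere in the thread.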

Public Service (5, Funny)

Morologous (201459) | more than 10 years ago | (#6975500)

Posting this to slashdot is actually a public service, as the exploit description will be /.'d and unable to effectively be disseminated to the bad actors.

Full Disclosure (4, Informative)

Anonymous Coward | more than 10 years ago | (#6975505)

[Full-Disclosure] new ssh exploit?
christopher neitzert chris@neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh
2. add explicit rules to your edge devices allowing ssh from only-known
hosts.
3. put ssh behind a VPN on RFC-1918 space.

On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> Does anyone know of or have source related to a new, and unpublished ssh
> exploit? An ISP I work with has filtered all SSH connections due to
> several root level incidents involving ssh. Any information is
> appreciated.

very early (1, Flamebait)

ceswiedler (165311) | more than 10 years ago | (#6975510)

At this point basically no one (publicly) seems to know what the exploit is. If you want to find out about exploits THIS early, then you should be reading those mailing lists yourself. I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

What's the next article going to be: "Linus Torvalds is in the MIDDLE OF A SENTENCE describing the future for 2.6! In four seconds, we'll finish hearing what he has to say!"

Re:very early (-1)

Anonymous Coward | more than 10 years ago | (#6975548)

So you're complaining that "News for Nerds" is reporting news?

Re:very early (2, Informative)

Qzukk (229616) | more than 10 years ago | (#6975587)

There is a patch, but the server that the advisory referenced on the SANS posting is on went down hard while I was in the middle of getting the page, so I only managed to get part of it (thanks, slashdot!) The advisory also indicated that openSSH 3.7 isn't affected.

Re:very early (3, Insightful)

NaugaHunter (639364) | more than 10 years ago | (#6975602)

On the other hand, it's good to have the heads up if something might not be as secure as we think it is. This warning gives those who turn it on occasionally the knowledge they need to turn it off if not needed, and not just leave it on.

It also may give those who need it on something to watch for until a patch does come out.

Re:very early (2, Informative)

__past__ (542467) | more than 10 years ago | (#6975610)

Patches are already available, for example from the FreeBSD CVS web [freebsd.org]. Personally, I'd rather apply it now than waiting for a detailed analysis of the exploit...

Re:very early (4, Insightful)

Kaa (21510) | more than 10 years ago | (#6975621)

I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

Really?

How about hearing about it when you find your machines rooted?

Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

Re:very early (1)

FuzzyBad-Mofo (184327) | more than 10 years ago | (#6975635)

I don't agree, with this warning those of us running ssh services are informed about the vulnerability. Better to have this knowledge and disable ssh than to get hacked and find out about it later..

But later than mainstream politics (1)

devphil (51341) | more than 10 years ago | (#6975639)


You're correct; this is often more noise than signal. But /. is simply following the major media in this respect. How many times have you seen a headline like, " To Announce ," where the body largely consists of a pre-announcement of the announcement?

Nothing confirmed so far... (3, Interesting)

ferratus (244145) | more than 10 years ago | (#6975513)

Reading the mailing list, it appears that there's nothing confirmed so far. Let's hope it's just a false rumour.

There's only one guy that says his ISP has blocked all incoming SSH connections due to "several root level incidents".

One guy did say that there was a bug somewhere and that a patch existed...No one knows what patch or where it is though.

Let's hope to publish this one quickly before there's any real damage done.

w00t (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6975525)

w00t i just rooted a new box using this wonderful new exploit, oh wait, shit, it's the fbi's, shit there's a black Lexus out front, use the back door, shit here they come, gotta run.

Wrapping defense (3, Interesting)

secolactico (519805) | more than 10 years ago | (#6975529)

Won't having the sshd wrapped (/etc/hosts.allow, /etc/hosts.deny) help offset the damage somewhat?

Is this a hoax? (2, Interesting)

diodesign (673700) | more than 10 years ago | (#6975534)

I just saw the comment [slashdot.org] in the nmap article and got worried. A friend online showed me this post [netsys.com]..

"I wonder if this is in any way related to an incident I heard about on efnet's #openbsd where someone at a european con (hack the planet?) mentioned that details of a new openssh exploit had been taped to the openbsd tent (on the outside) whilst all the openbsd ppl were inside, drunk? I suppose if there is any merit to that story (and I'd rank it as no more than heresay myself, but it does paint a good picture of college level kids :) and it was details of some new vulnerability for which there is an exploit then it has been around for a while...assuming,of course, it is the same "bug"."

I haven't seen anywhere else online go nuts, which is usually how people react to SSH exploits. What's going on?

Re:Is this a hoax? (1)

diodesign (673700) | more than 10 years ago | (#6975720)

I hate to reply to my own comment but it is misleading, I'm sorry. It most definitely doesn't look like a hoax. Debian already have a patch out - excellent work on their part.

This is why I refuse to use ssh. (1, Funny)

91degrees (207121) | more than 10 years ago | (#6975536)

I mean really - telnet is perfectly secure unless you use a direct connection. Use of a quantum tunnelling encryption layer and probabilistic key generation means you get the maturity of telnet with a greater level of security (I'm talking non-recursive factorial strength here).

ssh is just for losers who can't set up teransparent network layering.

Re:This is why I refuse to use ssh. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6975633)

And you're a loser who can't spell "transparent" so go away. Fucktard.

Re:This is why I refuse to use ssh. (1)

91degrees (207121) | more than 10 years ago | (#6975655)

I said "teransparent". What the hell is "transparent network layering?"

install base (1, Insightful)

Anonymous Coward | more than 10 years ago | (#6975541)

If linux was installed on 98% of all machines in the world you can bet there would be a worm by now that would have taken advantage of this. Don't throw too many stones linux users.

Re:install base (-1)

Anonymous Coward | more than 10 years ago | (#6975677)

amen

Re:install base (1, Insightful)

Anonymous Coward | more than 10 years ago | (#6975761)

..and how many systems would have an SSH service running by default?

bugs?? (1, Funny)

maximum_high (412689) | more than 10 years ago | (#6975542)

Is it the same bug that requires me to type the full word "yes" or "no", and not shortcut keys 'y'/'n', when I want to connect to a remote server??

=)

Re:bugs?? (1, Funny)

Anonymous Coward | more than 10 years ago | (#6975568)

Apparently so. If you type r00t! instead then SSH will connect to the remote server and log you in as the root user, without a password! It's amazing no one has noticed this before.

Re:bugs?? (0)

Anonymous Coward | more than 10 years ago | (#6975687)

Is it the same bug that requires me to type the full word "yes" or "no", and not shortcut keys 'y'/'n', when I want to connect to a remote server??

Looks like you were hacked. Upgrade to telnet 1.0 and report to alt.2600.hackerz immediately. Wait for further instructions appearing on your screen.

Bits and pieces so far... (5, Informative)

Oestergaard (3005) | more than 10 years ago | (#6975550)

Yes, there is a vuln. in 3.6. You need to upgrade to 3.7 which was released today, to be safe (well, 'safer' anyway).

It will be 3.7p1 for us non-OpenBSD people.

It is a patch to one file, buffer.c, which fixes some allocation/offset stuff.

It seems that privilege separation does *not* help here - so get them systems patched (and firewalled)!

Update for debian (4, Informative)

Oestergaard (3005) | more than 10 years ago | (#6975640)

An updated ssh package just hit the Debian security mirrors.

For anyone running debian stable:
apt-get update
apt-get upgrade

Re:Update for debian (1)

chrysrobyn (106763) | more than 10 years ago | (#6975709)

An updated ssh package just hit the Debian security mirrors.

Can you share what version is fixed for the Debian folks? I did my apt-get update&&apt-get install ssh and came back with ssh 1:3.4p1-1, but I don't know how recent this is, or if I got a bad mirror or...

Suggestions for a newbie? (5, Interesting)

johnny1111_23 (705700) | more than 10 years ago | (#6975556)

Am pretty new to Linux, and am currently running a Lindows 4.0 installation my dad put on my computer.

How worried should I really be about this? And what steps should I be taking (or ask dad to take)? Since I gather Lindows is similar to Debian, should I just look for a Debian tutorial?

Thanks in advance.

Re:Suggestions for a newbie? (1, Informative)

Anonymous Coward | more than 10 years ago | (#6975627)

Lindows is similar in the fact it's based on Linux, but the security model is different (forcing all users to root privileges). I wonder if sshd runs as root as well?

Re:Suggestions for a newbie? (1)

Ewan (5533) | more than 10 years ago | (#6975628)

I don't think lindows runs the ssh server by default, so I'd imagine you're fine.

Re:Suggestions for a newbie? (4, Informative)

Abcd1234 (188840) | more than 10 years ago | (#6975659)

Simple question: If it's Lindows, a) is it running sshd in the first place? And if so, b) *why* is it running sshd, since, in my estimation, an average Lindows user probably doesn't need sshd running. Of course, if you don't need sshd (since you don't access your box remotely), the obvious thing to do is kill and uninstall it (apt-get remove sshd), since it's just one more thing that could have a remote exploit in it.

Now, if you feel you need sshd, but can go without for a while, uninstall sshd in the short term and wait for an upgrade for your OS, at which point you can safely reinstall (it's a simple "apt-get install sshd").

Re:Suggestions for a newbie? (0, Funny)

Anonymous Coward | more than 10 years ago | (#6975683)

There is no reason to be running SSH daemon on a desktop machine, especially one where you are always root. open a console and type 'netstat -a | grep ssh', if it's running mail Lindows support and tell them they are morons from AC on \.

Re:Suggestions for a newbie? (1, Funny)

Anonymous Coward | more than 10 years ago | (#6975691)

I'm afraid it means that everything you've installed so far is corrupt, and all your efforts have been wasted. Quickly now, go to your nearest office supply store, get a copy of Windows XP and start over, before the damage spreads!

Re:Suggestions for a newbie? (1)

vadim_t (324782) | more than 10 years ago | (#6975714)

If you're running a SSH server, and can live without it for a while, you could just stop it.

As root, run: /etc/init.d/ssh stop

Then, when you get it patched: /etc/init.d/ssh start

Have in mind that usually it will be started automatically on boot.

This works for Debian, in other distributions it may be called 'sshd' instead. If you don't have that file then probably you aren't running a ssh server.

Re:Suggestions for a newbie? (1, Informative)

Anonymous Coward | more than 10 years ago | (#6975726)

As far as I know Lindows does not run any services by default. Hence sshd should not be running. To check type

ps -Af |grep sshd

and see if there is an entry for it. If so then turn it off (does Lindows have a GUI for configuring services?).

Re:Suggestions for a newbie? (0)

Anonymous Coward | more than 10 years ago | (#6975735)

If you don't have some kind of firewall between you and the Internet, here's an option [newegg.com] you should seriously consider (look for the DI-604). It's basic, quick and easy to install, and should provide you with some level of protection. At that point, you'll have bought yourself some time to learn a bit more about Linux and how to update your particular distribution to deal with the occasional security concern.

Re:Suggestions for a newbie? (2, Insightful)

Methiphisto (518724) | more than 10 years ago | (#6975753)

Are you behind a firewall? If you are using a device such as a nat dsl router that is blocking the ssh port inbound then you are pretty safe. As always, the best bet is to disable services that aren't absolutely necessary. So if you have no need to ssh in to the lindows machine you can disable sshd and have no worries at all about sshd exploits. As for Lindows, don't really know anything about it. Do they release patches? If so, and you really do need incoming ssh, then you might disable it until a patch becomes available. Just my 2c, hope it helps.

How long until... (-1, Funny)

Anonymous Coward | more than 10 years ago | (#6975564)

...the Slashdot trolls start screaming bloody murder about how Open Source has security holes just like MS? I give it 10 posts.

Re:How long until... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6975618)

Yep. Nine posts before you got yours in...

GOOD!! Red Hat, fix your RPMs!! (5, Insightful)

RedHat Rocky (94208) | more than 10 years ago | (#6975574)

Great, now maybe Redhat will fix their damn openssh RPMs that they fubarred [redhat.com] with their last patch!

Deja Vu - June 2002 (1)

vasqzr (619165) | more than 10 years ago | (#6975576)


SSH brings down the house....again

I haven't noticed any scanning or anything going on here at work, but I'm disabling SSH for now...

IN SOVIET RUSSIA... (-1, Offtopic)

devphaeton (695736) | more than 10 years ago | (#6975588)

...Natalie Portman stands emaciated and covered with refried beans, and proclaims in a very non-chalant, beleaguered way...

"SSH is dying..."

I saw this exploit used (5, Funny)

teamhasnoi (554944) | more than 10 years ago | (#6975615)

I was at the local library, and some kids were on a computer, talking loudly. They seemed to be rather excited about something.

A librarian peeked around the corner to see where the noise was coming from, then put her finger to her lips and said, "Ssh!"

The kids ignored her and kept talking, completely and utterly exploiting the hole, and circumventing the 'Ssh'!

Never was I so frightened.

The lengths some people will goto.. (0)

Anonymous Coward | more than 10 years ago | (#6975630)

The lengths some people will goto...

You mean they're doing it in Basic?!!

quick fix for debian (1, Informative)

Anonymous Coward | more than 10 years ago | (#6975634)

% apt-get source ssh
% cd openssh-3.6.1p2 # this in unstable, might be a different version in testing/stable
% wget --user-agent="mozilla" -O - \
'http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h&f=u' | \
patch -p3
% fakeroot debian/rules binary
% cd ..

And you should have new packages ready to be installed..

Re:quick fix for debian (-1)

Anonymous Coward | more than 10 years ago | (#6975741)

Somehow I can't picture my Mom doing this. Luckily for Linux's security reputation, there aren't many Moms using the OS.

C and security... again (0, Insightful)

Anonymous Coward | more than 10 years ago | (#6975650)

Remind me why the most security critical part of ssh is written in C again... shouldn't a supposedly security conscious group be using a more suitable language?

Re:C and security... again (1)

twistedcubic (577194) | more than 10 years ago | (#6975738)

Actually, it's written in Java. However when people discuss the code, they translate it to C because most people can speak C. It's kinda like Latin, ya know.

troll (0)

dodell (83471) | more than 10 years ago | (#6975756)

How did this get modded up? What 'more suitable language'-based operating system do you use?

Debian patch available (4, Informative)

Stephen Williams (23750) | more than 10 years ago | (#6975670)

A patch for Debian stable is available already. If you're running Debian on a server and have ssh installed, "apt-get update; apt-get upgrade" should pick it up. The new package version is 1:3.4p1-1.1.

-Stephen

Oh come on Taco.... (1, Insightful)

greymond (539980) | more than 10 years ago | (#6975678)

"In the last few hours there have been several reports of a M$ bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Billy Gate's pride."

See how easy it is - that should be a -1 flamebait topic on your post.

Now that that's over with, I believe (read: may be mistaken) the latest version from www.openssh.com addresses that issue. But it could just be a similar issue and I'm reading it wrong. If I am, enlighten me.

TAKE THAT, UNIX COMMUNISTS! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6975680)

Hole was discovered by reading the source - If SSH was closed-source this would not have happened! Now all those companies you communists suckered into buying into Open Sores are gonna get their asses handed to them in a platter, and us hardworking Americans in Redmond are going to laugh all the way to the bank.

---

OPEN SOURCE IS COMMUNIST AND UNAMERICAN!
PROTEST THE USE OF OPEN SOURCE IN YOUR GOVERNMENT
BEFORE IT'S TOO LATE!

Debian's already got the patch. (2, Informative)

cbiltcliffe (186293) | more than 10 years ago | (#6975692)

I'm installing it as we speak on all my Woody machines.

apt-get update
apt-get upgrade

tip (0)

Anonymous Coward | more than 10 years ago | (#6975693)

hi! if you're not sure the box you are trying to root was patched, just use the new nmap version detection system! :P

facts from fiction: it's not even clear if it's... (0)

Anonymous Coward | more than 10 years ago | (#6975694)

... exploitable

http://lists.suse.com/archive/suse-security/2003-Sep/0127.html [suse.com]

get your things straightened out first, before posting bollocks and fud out on such a huge site as slashdot, where all them morons don't think for themselves and are about to start a panic in the sight of a supposedly ssh exploit...

jeeezuz, the nerds and morons used to have way higher IQs in the past than today....

Well.. looks like someone goofed (1)

Dysan2k (126022) | more than 10 years ago | (#6975727)

'least it's already fixed in the newest version. Considering this is the first incident I've seen since SSHv1, that's saying something. If M$ were doing this well, I'd be using it with FAR less cussing.

Oh, the day we finally have a full, well-rounded DirectX-type lib for Linux/Mac/Win32 will be a great day indeed. Then I can totally blow 2k off my box and just be happy and stable. SDL is nice, but I've heard FAR too many people complain about it.

Well, let's get SSHd fixes out and move on.

This is dangerous, go upgrade. (2, Interesting)

andreas (1964) | more than 10 years ago | (#6975749)

I've looked at the code, and can confirm that there is a heap overrun bug there. How to exploit it is a little unclear, but rumors are that an exploit exists. If you want to see for yourself, follow what happens in buffer_append_space(), when fatal() is called, and then packet_free() due to that.


Personally, I have upgraded all my systems to lsh [lysator.liu.se]. The code looks much more trustworthy, and I'm sick of upgrading every few months.
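
The kind of bug the comment above points at, as an added example that is not OpenSSH's code and not from any poster in this thread: a simplified C model in which a buffer's size field is bumped before the growth limit is checked, so an error path whose cleanup trusts that field would write past the real allocation. All names (struct buf, buf_grow_flawed, buf_grow_checked, cleanup_overrun, BUF_MAX) and the exact ordering modelled are assumptions of this example; the corrected version validates first and commits the size only after realloc succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#define BUF_MAX ((size_t)1 << 20)  /* growth limit; constructed value for this model */

struct buf {
    unsigned char *data;
    size_t alloc;  /* size the bookkeeping claims */
    size_t real;   /* size really obtained from the allocator (model-only field) */
};

/* Flawed ordering: the size field changes before the limit check.
 * Returning -1 stands in for a fatal() that goes on to run cleanup. */
static int buf_grow_flawed(struct buf *b, size_t len) {
    b->alloc += len;
    if (b->alloc > BUF_MAX) return -1;   /* alloc now overstates the allocation */
    unsigned char *p = realloc(b->data, b->alloc);
    if (p == NULL) return -1;            /* same inconsistency on this path */
    b->data = p; b->real = b->alloc;
    return 0;
}

/* Corrected ordering: validate, allocate, and only then commit the new size. */
static int buf_grow_checked(struct buf *b, size_t len) {
    if (len > BUF_MAX || b->alloc > BUF_MAX - len) return -1;  /* state untouched */
    size_t newlen = b->alloc + len;
    unsigned char *p = realloc(b->data, newlen);
    if (p == NULL) return -1;
    b->data = p; b->alloc = b->real = newlen;
    return 0;
}

/* Bytes past the real allocation that a cleanup wiping b->alloc bytes would write. */
static size_t cleanup_overrun(const struct buf *b) {
    return b->alloc > b->real ? b->alloc - b->real : 0;
}

/* Hit the error path once and report what cleanup would overrun by. */
static size_t demo(int checked) {
    struct buf b = { malloc(4096), 4096, 4096 };
    if (b.data == NULL) return (size_t)-1;
    int rc = checked ? buf_grow_checked(&b, BUF_MAX) : buf_grow_flawed(&b, BUF_MAX);
    size_t over = rc == -1 ? cleanup_overrun(&b) : 0;
    free(b.data);
    return over;
}

int main(void) {
    printf("flawed: %zu, checked: %zu\n", demo(0), demo(1));
    return 0;
}
```

The model never performs the out-of-bounds write; it only reports how far a cleanup that trusts the size field would go.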

On suspicious patch (1)

velco (521660) | more than 10 years ago | (#6975758)

Some people pointed at this

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h

though I cannot see how it can be a vulnerability.

~velco