openSSH off-by-one patch (was RE: [TriLUG] SSH Probing...)

Lisa Lorenzin lorenzin at 1000plus.com
Wed Mar 13 10:49:37 EST 2002


> I have already had an ssh attack on one of my servers.  What are you
> using to spot this? How can I prevent ssh attacks besides turning off
> protocol 1 and disallowing root logon for ssh.

that's a good start.  definitely upgrade to the latest available version
of SSH.  tcpwrappers are a great idea if you know the specific hosts you
want to allow to connect...

if you have openSSH, might want to be aware of this one, too.  note that
this is different from the url jeff sent out - it's not been identified as
remotely exploitable (yet), and it only affects openSSH, but all versions
of openSSH prior to 3.1 are affected.

From: 	<support at securiteam.com>
To:	<list at securiteam.com>
Date: 	03/07/2002 11:34:05
Subject: 	[UNIX] OpenSSH Off-By-One Vulnerability

The following security advisory is sent to the securiteam mailing list, 
and can be found at the SecuriTeam web site: http://www.securiteam.com

  OpenSSH Off-By-One Vulnerability
------------------------------------------------------------------------

SUMMARY

A security bug in OpenSSH that can be exploited locally by an 
authenticated user logging into a vulnerable OpenSSH server or by a 
malicious SSH server attacking a vulnerable OpenSSH client allows them to 
create a buffer overflow attack.

DETAILS

Systems affected:
All versions of OpenSSH between 2.0 and 3.0.2 contain an off-by-one error 
in the channel code.

Immune systems:
OpenSSH 3.1 and later are not affected.

Solution:
Upgrade to OpenSSH 3.1 or apply the following patch.

Patch:
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c	27 Feb 2002 21:23:13 -0000	1.170
+++ channels.c	4 Mar 2002 19:37:58 -0000	1.171
@@ -146,7 +146,7 @@
 {
 	Channel *c;
 
-	if (id < 0 || id > channels_alloc) {
+	if (id < 0 || id >= channels_alloc) {
 		log("channel_lookup: %d: bad id", id);
 		return NULL;
 	}
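Review bot: The one-character change is the right fix for this check: channels_alloc is the number of entries allocated, so the last valid index is channels_alloc - 1, and the old `id > channels_alloc` test let id == channels_alloc through to index one element past the end of the table; `id >= channels_alloc` rejects it while the `id < 0` half, still needed because id is signed, is unchanged. Since the same comparison idiom is easy to repeat wherever the table is indexed, it is worth grepping the rest of channels.c for other `> channels_alloc` tests before shipping the patch on its own.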


ADDITIONAL INFORMATION

The information has been provided by Joost Pol <mailto:joost at pine.nl>.




-- 
lisa lorenzin  |  lorenzin at 1000plus.com  |  http://www.1000plus.com/lisa/
of what avail is an open eye if the heart is blind? - solomon ibn gavirol
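The comparison the advisory's patch changes, as an added example written for this page and not OpenSSH's own code: a small model of the channel table with one guard slot placed after the allocated entries, showing that the 1.170 check hands out the slot at index channels_alloc while the 1.171 check rejects it. The Channel struct, the channels array, CHANNELS_ALLOC and the guard slot are assumptions of the model.

```c
#include <stdio.h>

/* Added example, not OpenSSH's own code: a minimal model of the channel
 * table to show what the one-character change in the patch fixes.
 * channels_alloc is the number of slots allocated, so the valid ids are
 * 0 .. channels_alloc - 1; id == channels_alloc is one past the end. */

typedef struct { int self; } Channel;

#define CHANNELS_ALLOC 4
static int channels_alloc = CHANNELS_ALLOC;
/* One extra slot stands in for whatever memory follows the real array;
 * a correct lookup must never hand it out. */
static Channel channels[CHANNELS_ALLOC + 1];
#define GUARD (&channels[CHANNELS_ALLOC])

/* Bounds check from revision 1.170 (vulnerable): `>` lets
 * id == channels_alloc through. */
Channel *channel_lookup_old(int id) {
    if (id < 0 || id > channels_alloc)
        return NULL;
    return &channels[id];
}

/* Bounds check from revision 1.171 (fixed): `>=` rejects it. */
Channel *channel_lookup_new(int id) {
    if (id < 0 || id >= channels_alloc)
        return NULL;
    return &channels[id];
}

/* Returns 1 if lookup() ever returns the guard slot, i.e. reads past the
 * allocated table, for some id in [lo, hi]; 0 otherwise. */
int reaches_guard(Channel *(*lookup)(int), int lo, int hi) {
    for (int id = lo; id <= hi; id++)
        if (lookup(id) == GUARD)
            return 1;
    return 0;
}

int main(void) {
    printf("old check reads past table: %d\n",
           reaches_guard(channel_lookup_old, -2, 2 * CHANNELS_ALLOC));
    printf("new check reads past table: %d\n",
           reaches_guard(channel_lookup_new, -2, 2 * CHANNELS_ALLOC));
    return 0;
}
```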