Re: Revised OpenSSH Security Advisory

[Paul de Weerd <paul@mail.me.maar.nu>]

On Mon, Jul 01, 2002 at 06:30:24PM +0200, Markus Friedl wrote:
| This is the 4th revision of the Advisory.

[What ever happened to the 3rd revision ? I must have missed that one]

| 	l. We have not heard of a single machine which was broken into as
| 	   a result of our release announcement method.

I just _heard_ a single machine being broken into ;)

I was just watching some TV (gotta love Blackadder reruns ;) when I
heard my fileservers (linux box, OpenSSH 3.3 w/ privsep) disks rattle.
This was not just the sound of another misc-mail arriving, some heavy
duty diskactivity was going on ;)

I sat down at my workstation and noticed a friend of mine had logged
in. He was making something relating to SSH so I talked him, hoping to
find out what he was doing. "Hacking my ultrasecure box" came the
answer. That must have been my OpenBSD box (at which this particular
friend has a root account) or my NetBSD machine (which is a 386, dont
think anyone would seriously attempt breaking in to that one ;)

And indeed he showed me a rootprompt on my OpenBSD 3.0 machine
(which used to be my cable-modem NAT box and IPv6 tunnel endpoint,
providing my network with IPv6 connectivity - I just cancelled my
subscription to that network so the box was not connected to the
'net. I may be lazy - I'm not stoopid ;).

So ... for all you guys running OpenSSH without privsep or 3.4,
*upgrade now* .. If *I* got a 'sploit, then every other sk and their
grandma has it.

BTW; there's some fun reading in the code/comments. A couple of stabs
at Theo even the most toughened Australians could learn from ;)

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/