[Linux-bruxelles] nouvel exploit SSH - important (remote root access expoit)

Mer 17 Sep 09:35:27 CEST 2003

Debian a sorti le patch :

http://www.debian.org/security/2003/dsa-382

-----Original Message-----
From: linux-bruxelles-admin at lists.bxlug.be
[mailto:linux-bruxelles-admin at lists.bxlug.be] On Behalf Of eric Hanuise
Sent: mardi 16 septembre 2003 19:58
To: linux-bruxelles at bxlug.be
Subject: [Linux-bruxelles] nouvel exploit SSH - important (remote root
access expoit)
Importance: High

en gros, en attendant les mises a jour etablissez une/des regles iptables 
(ipchains, whatever) pour limiter l'accès SSH a des IP connues.

http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html

[Full-Disclosure] new ssh exploit?

christopher neitzert <mailto:chris%40neitzert.com>chris at neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

    * Previous message: 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.htm
l>[Full-Disclosure] 
new ssh exploit?
    * Next message: 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.htm
l>[Full-Disclosure] 
new ssh exploit?
    * Messages sorted by: 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#
10116>[ 
date ] 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.htm
l#10116>[ 
thread ] 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.ht
ml#10116>[ 
subject ] 
<http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.htm
l#10116>[ 
author ]

----------

--=-sz+BJAPCz1yL37OtGOWm
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running
the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts various
offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh.

or

2. add explicit rules to your edge devices allowing ssh from only-known
hosts.

or

3. put ssh behind a VPN on RFC-1918 space.

thanks.

On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
 > Does anyone know of or have source related to a new, and unpublished ssh
> exploit?  An ISP I work with has filtered all SSH connections due to  >
several root level incidents involving ssh. Any information is  >
appreciated.  >=20  >=20 --=20 Christopher Neitzert - GPG Key ID: 7DCC491B

--=-sz+BJAPCz1yL37OtGOWm
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX
+fZt/6hiarcw2KVtQq1i0Nk=
=MaEF
-----END PGP SIGNATURE-----

--=-sz+BJAPCz1yL37OtGOWm--

----------------------------------------------------------------------
    Eric Hanuise - ehanuise at fantasybel dot net
                 "If it works, don't fix it"
----------------------------------------------------------------------
  ()  ascii ribbon campaign - against html mail
  /\         - against microsoft attachments

Why HTML in E-Mail is a Bad Ideahttp://www.birdhouse.org/etc/evilmail.html 

-- 
Linux-bruxelles mailing list
Linux-bruxelles at lists.bxlug.be
http://lists.bxlug.be/mailman/listinfo/linux-bruxelles