[21778] in bugtraq
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Lucian Hudin)
Mon Jul 23 12:37:52 2001
Date: Mon, 23 Jul 2001 19:08:32 +0300 (EEST)
From: Lucian Hudin <luci@warp.transart.ro>
To: Thomas Roessler <roessler@does-not-exist.org>
Cc: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>,
<BUGTRAQ@securityfocus.com>, <customer.service@ssh.com>
In-Reply-To: <20010723174212.A2219@sobolev.does-not-exist.org>
Message-ID: <Pine.LNX.4.30.0107231907180.30119-100000@warp.transart.ro>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> >A quick glance at the source code suggests that SSH 2.3.0 and
> >2.4.0 have the same problem. Is this true?
>
> I suppose we are talking about this section of ssh 2.4.0's
> sshunixuser.c:
>
> /* Authentication is accepted if the encrypted passwords are identical. */
> #ifdef HAVE_HPUX_TCB_AUTH
>   return strncmp(encrypted_password, correct_passwd,
>                  strlen(correct_passwd)) == 0;
> #else /* HAVE_HPUX_TCB_AUTH */
>   return strcmp(encrypted_password, correct_passwd) == 0;
> #endif /* HAVE_HPUX_TCB_AUTH */
>
> If I read this correctly, it's certainly not a problem unless ssh is
> compiled with HAVE_HPUX_TCB_AUTH defined. In that case, it may or
The Linux compile at least doesn't #define HAVE_HPUX_TCB_AUTH, so
sshd 2.4.0 is not vulnerable on Linux.
Luci
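
Added example (not part of the original message and not code from the ssh source): the two comparisons from the quoted snippet side by side, showing that the strncmp() form is a prefix match bounded by the length of the stored field, while strcmp() compares the whole string. All sample strings are constructed, and match_prefix_guarded() with MIN_HASH_LEN is a hypothetical guard that assumes 13-character traditional crypt(3) hashes.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 13 is the length of a traditional crypt(3) hash string. */
#define MIN_HASH_LEN 13

/* HAVE_HPUX_TCB_AUTH branch from the quoted snippet: prefix comparison. */
static int match_prefix(const char *encrypted_password, const char *correct_passwd)
{
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;
}

/* #else branch from the quoted snippet: whole-string comparison. */
static int match_exact(const char *encrypted_password, const char *correct_passwd)
{
    return strcmp(encrypted_password, correct_passwd) == 0;
}

/* Hypothetical guard: refuse stored fields too short to be a hash
 * before falling back to the prefix comparison. */
static int match_prefix_guarded(const char *encrypted_password, const char *correct_passwd)
{
    if (strlen(correct_passwd) < MIN_HASH_LEN)
        return 0;
    return match_prefix(encrypted_password, correct_passwd);
}

int main(void)
{
    /* Constructed values, not real hashes. */
    const char *computed = "abCONSTRUCTED";
    const char *stored[] = { "abCONSTRUCTED", "abDIFFERENT00", "ab", "", "*" };
    size_t i;

    printf("%-16s prefix exact guarded\n", "stored field");
    for (i = 0; i < sizeof stored / sizeof stored[0]; i++)
        printf("%-16s %6d %5d %7d\n", stored[i],
               match_prefix(computed, stored[i]),
               match_exact(computed, stored[i]),
               match_prefix_guarded(computed, stored[i]));
    return 0;
}
```

The rows where the prefix column is 1 and the exact column is 0 are the cases to look for when auditing a build: a stored field shorter than a full hash, including an empty one, for which strncmp() with a length of 0 always returns 0.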