[8375] in bugtraq


Re: SSH Communications page on rootshell.com

daemon@ATHENA.MIT.EDU (Mitch Vincent)
Tue Nov 3 17:58:49 1998

Date: 	Wed, 4 Nov 1998 15:33:48 -0500
Reply-To: Mitch Vincent <root@cygone.com>
From: Mitch Vincent <root@CYGONE.COM>
To: BUGTRAQ@NETSPACE.ORG

Ok Ok
Which is it people?

You have 3 security organizations saying
"The IBM analysis shows however that either the Linux operating system or
GCC compiler may have a problem which manifests itself as a bug in Secure
Shell. In any case, this is not a bug in Secure Shell itself. The results
with Linux are also preliminary as IBM was not able to do the exploit with
clean builds of Linux either."

At the same time saying there aren't exploitable vulnerabilities with SSHD,
if there is a problem as described above that "manifests" itself in Secure
Shell then it IS a problem with Secure Shell, no matter how indirect. I
understand the authors of Secure Shell want to save face by not admitting
there is a potential problem and I understand rootshell's embarrassment of
being hacked. *BUT* We all need an answer to this question:

"Is it possible to gain unauthorized root access to a machine using SSH?"

I'm tired of "patch kits" being released to software that the author says
isn't vulnerable and all these IBM-Cert-Whatever memos going around if
there is no problem. Stop with the runaround, people, just give everyone a
straight answer.

(This is not a rant to bugtraq or anyone specifically, just in general about
the entire issue)

Thanks!


-----Original Message-----
From: morex .- <morex@MOREX.NET>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Tuesday, November 03, 1998 4:17 PM
Subject: SSH Communications page on rootshell.com


>Hello ,
>
>For the paranoid people out there that think sshd is insecure you guys
>might want to check out
>http://www.ssh.fi/sshprotocols2/rootshell.html
>
>Happy halloween
>
>later
>morex .-
>morex@nirvana.net
>
