[8444] in bugtraq

home help back first fref pref prev next nref lref last post

Re: SSHD Exploit

daemon@ATHENA.MIT.EDU (Crispin Cowan)
Fri Nov 6 14:47:50 1998

Date: 	Fri, 6 Nov 1998 18:39:34 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To:         Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

Aleph One wrote:

> This one was a fake folks. Little kids having their fun. Apologies for
> approving it. It was a long day.
>
> All persons that have examined the ssh code so far have found it to be
> secure (so far). If you require a safety net to sleep well at night while
> running sshd I recommend you recompile it with the StackGuard compiler
> (if you are running on a x86 or want to port it).
>
> http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

To reduce duplication of effort, we have pre-built StackGuard-protected SSH
binaries and packaged them as RPMs (thanks go to Ryan Finnin Day).  The
RPM's are available from our web server here:

   * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.i386.rpm
   * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.src.rpm
   * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-clients-1.2.26-1usSG.i386.rpm
   * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-extras-1.2.26-1usSG.i386.rpm
   * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-server-1.2.26-1usSG.i386.rpm

I can not actually warrent that these binaries resist the alleged SSH
attack, because I've never seen the attack.  If anyone thinks they actually
have an exploit for SSH, please either try it against these packages, or
send me the exploit and I'll test it.

Caveat:  I'm not supposed to export these powerful weapons :-(  If you're
outside the US, please don't take them from my server.  If you do, it's on
your own recognicance.

If someone outside the US could please use the freely exportable StackGuard
compiler (
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/compiler.html ) to
re-build the international version of SSH and serve that from outside the
US, I'd appreciate it.

Thanks,
    Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98

home help back first fref pref prev next nref lref last post