Vulnerability in OpenSSH 2.0 - 3.0.2

Daniel Roethlisberger daniel at roe.ch
Thu Mar 7 10:52:26 PST 2002


In case you haven't seen this already:
Immediately upgrade all your OpenSSH installations.

Users with a local account can gain root priviledges.
Malicous servers can use this to attack vulnerable clients.

Advisory from openssh.org follows.

-snip-

OpenSSH Security Advisory (adv.channelalloc)

1. Systems affected:

        All versions of OpenSSH between 2.0 and 3.0.2 contain
        an off-by-one error in the channel code.

        OpenSSH 3.1 and later are not affected.

2. Impact:

        This bug can be exploited locally by an authenticated user
        logging into a vulnerable OpenSSH server or by a malicious
        SSH server attacking a vulnerable OpenSSH client.
        
3. Solution:

        Upgrade to OpenSSH 3.1 or apply the following patch.

4. Credits:

        This bug was discovered by Joost Pol <joost at pine.nl>


Appendix:

Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c  27 Feb 2002 21:23:13 -0000      1.170
+++ channels.c  4 Mar 2002 19:37:58 -0000       1.171
@@ -146,7 +146,7 @@
 {
        Channel *c;
 
-       if (id < 0 || id > channels_alloc) {
+       if (id < 0 || id >= channels_alloc) {
                log("channel_lookup: %d: bad id", id);
                return NULL;
        }

-snip-

Cheers,
Dan


-- 
   Daniel Roethlisberger <daniel at roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list