Possible new openssh vulnerability

Kenny Mann Kennymann at cdrobot.com
Tue Sep 16 12:13:18 PDT 2003

For all interested, here is an informative email:

[Full-Disclosure] new ssh exploit?
christopher neitzert chris at neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh.

2. add explicit rules to your edge devices allowing ssh from only-known

3. put ssh behind a VPN on RFC-1918 space.


>-----Original Message-----
>From: Dagmar d'Surreal [mailto:dagmar.wants at nospam.com] 
>Sent: Tuesday, September 16, 2003 1:32 PM
>To: LFS Security Discussion List
>Subject: Re: Possible new openssh vulnerability
>On Tue, 2003-09-16 at 12:32, Ken Moffat wrote:
>>  openssh-3.7p1 is out, and wadda you know, /. has rumours of an
>> exploit to previous versions in the wild.  A quick look at the
>> changelog doesn't show anything obvious.  According to lwn, there are
>> rumours of exploits, but no known exploit.  The /. link on the exploit
>> is of course suffering from being /.'ed.
>>  Summary: unclear if the problem is real, or affects other than
>> OpenBSD.
>Considering that I was looking at a RedHat 9 machine that had 
>been compromised a few days ago and actually not being able to 
>figure out what was compromised to get in, it may well be more 
>than OpenBSD is vulnerable and Theo is just getting even for 
>the way his Chicken Little act was received the last time.
>The email address above is phony because the people making 
>archives of list traffic publicly available on the web aren't 
>taking measures to protect the email addresses from filthy spammers.  
>              AIM: evilDagmar  Jabber: evilDagmar at jabber.org