Re: SSHD Exploit

From: Crispin Cowan (crispinat_private)
Date: Fri Nov 06 1998 - 10:39:34 PST


    Aleph One wrote:
    
    > This one was a fake folks. Little kids having their fun. Apologies for
    > approving it. It was a long day.
    >
    > All persons that have examined the ssh code so far have found it to be
    > secure (so far). If you require a safety net to sleep well at night while
    > running sshd I recommend you recompile it with the StackGuard compiler
    > (if you are running on a x86 or want to port it).
    >
    > http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    
    To reduce duplication of effort, we have pre-built StackGuard-protected SSH
    binaries and packaged them as RPMs (thanks go to Ryan Finnin Day).  The
    RPMs are available from our web server here:
    
       * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.i386.rpm
       * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.src.rpm
       * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-clients-1.2.26-1usSG.i386.rpm
       * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-extras-1.2.26-1usSG.i386.rpm
       * http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-server-1.2.26-1usSG.i386.rpm
    
    I cannot actually warrant that these binaries resist the alleged SSH
    attack, because I've never seen the attack.  If anyone thinks they actually
    have an exploit for SSH, please either try it against these packages, or
    send me the exploit and I'll test it.
    
    Caveat:  I'm not supposed to export these powerful weapons :-(  If you're
    outside the US, please don't take them from my server.  If you do, it's on
    your own recognizance.
    
    If someone outside the US could please use the freely exportable StackGuard
    compiler (
    http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/compiler.html ) to
    re-build the international version of SSH and serve that from outside the
    US, I'd appreciate it.
    
    Thanks,
        Crispin
    -----
     Crispin Cowan, Research Assistant Professor of Computer Science, OGI
        NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
           http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    
                     Support Justice:  Boycott Windows 98
    


