RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Jonathan A. Zdziarski (jonathan.zdziarskiat_private)
Date: Mon Jul 23 2001 - 10:12:07 PDT


    Both 2.3.0 and 2.4.0 don't appear to be vulnerable on my system (Intel
    Solaris 8).  3.0.0 *was* vulnerable, however, and I was able to easily
    exploit the system.
    
    -----Original Message-----
    From: Jaime BENJUMEA [mailto:benjumeaat_private]
    Sent: Saturday, July 21, 2001 12:27 PM
    To: Stephanie Thomas
    Cc: bugtraqat_private
    Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
    
    
    
    Stephanie Thomas wrote:
    
    >
    > A potential remote root exploit has been discovered
    > in SSH Secure Shell 3.0.0, for Unix only, concerning
    > accounts with password fields consisting of two or
    > fewer characters. Unauthorized users could potentially
    > log in to these accounts using any password, including
    > an empty password.  This affects SSH Secure Shell 3.0.0
    > for Unix only.  This is a problem with password
    
    Does anybody know if previous versions (2.4) are also affected?
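
An added example, not part of the original thread or of the vendor advisory: a shell function an administrator could use to list the accounts that match the condition the quoted advisory names, a password field of two or fewer characters. The function names and every sample entry are constructed for illustration; reading `/etc/shadow` as root on a real host is an assumption about the system being checked.

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts whose password field
# is two or fewer characters, the condition named in the quoted advisory.

# Reads shadow(4)-style "name:pwfield:..." lines from the files given as
# arguments, or from stdin when none are given.
# Prints "name<TAB>field-length" for every match.
short_pw_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }     # skip comments, blank and malformed lines
        length($2) <= 2 { printf "%s\t%d\n", $1, length($2) }
    ' "$@"
}

# Constructed sample data; every entry here is invented for illustration.
sample_shadow() {
    cat <<'EOF'
# constructed shadow-format sample
root:$1$constructed$0123456789abcdefghijkl:11500::::::
daemon:NP:6445::::::
lp:*:6445::::::
alice:$1$constructed$abcdefghijklmnopqrstuv:11520::::::
nobody4:!!:6445::::::
guest::11520::::::
locked:*LK*:11520::::::
EOF
}

# Demo on the constructed sample. On a real host (as root, path assumed):
#   short_pw_accounts /etc/shadow
sample_shadow | short_pw_accounts
```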
    


