[rootshell] Security Bulletin #25

Roeland M.J. Meyer rmeyer at mhsc.com
Tue Nov 3 22:41:41 UTC 1998


I just got this. MHSC is also on the SSH mailer-list. It looks as if ALL
accusations of SSH being exploitable are thinly founded at best.


>Date: Mon, 2 Nov 1998 11:45:53 +0200 (EET)
>From: Tatu Ylonen <ylo at ssh.fi>
>To: ssh at clinet.fi, info at rootshell.com
>Subject: Important information about IBM-ERS's "ssh" advisory (fwd)
>Message-ID: <Pine.OSF.4.05.9811021143180.19300-100000 at torni.ssh.fi>
>MIME-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>Sender: owner-ssh at clinet.fi
>Precedence: bulk
>X-UIDL: a3533f8bef2d09b2dd5c56b653ba57e1
>
>Please find enclosed a copy of a message from the IBM Emergency response
>team.
>
>    Tatu
>
>SSH Communications Security           http://www.ssh.fi/
>SSH IPSEC Toolkit                     http://www.ipsec.com/
>Free Unix SSH                         http://www.ssh.fi/sshprotocols2/
>
>---------- Forwarded message ----------
>Date: Mon, 02 Nov 1998 04:15:28 EST
>
>From: David A. Curry <davy at ers.ibm.com>
>To: bugtraq at netspace.org, first-info at first.org, first-teams at first.org,
>     ssh-bugs at cs.hut.fi
>Subject: Important information about IBM-ERS's "ssh" advisory
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on
>Monday, Nov. 2nd that described a buffer overflow condition in Version
>1.2.x "sshd."  This draft was sent to the Forum of Incident Response and
>Security Teams, and also to the "ssh-bugs" list for their comment/review.
>The draft was identified as ERS-SVA-E01-1998:005.1.
>
>Rootshell has unfortunately chosen to include a copy of this draft advisory
>in their recent newsletter, apparently for the purposes of defending itself
>against charges that it was unfairly disparaging "sshd."  Use of IBM-ERS's
>draft advisory in this manner was not approved or authorized by IBM-ERS,
>and does a disservice to all.
>
>Here are the facts about this advisory:
>
>1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by
>   IBM.
>
>2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS
>   attempted to contact Kit on Friday evening, and was unable to reach
>   him.  Specific contact information for IBM-ERS, as well as a brief
>   status update, were left on Mr. Knox's voice mail.  Mr. Knox never
>   contacted IBM-ERS after that time.
>
>3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make
>   sure that the potential vulnerability described in the advisory is not
>   exploitable.  Upon further investigation, the problem originally
>   described appears to have been influenced by outside factors and does
>   not appear to be an exploitable problem in "sshd."
>   
>4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning
>   of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.
>
>5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities,
>   exploitable or otherwise, in the "sshd" program.
>
>We hope that this clarifies IBM's involvement in this situation.
>
>- ---------------------------------------------------------------------------
>
>The information in this document is provided as a service to customers of
>the IBM Emergency Response Service.  Neither International Business Machines
>Corporation, nor any of its employees, makes any warranty, express or implied,
>or assumes any legal liability or responsibility for the accuracy,
>completeness, or usefulness of any information, apparatus, product, or process
>contained herein, or represents that its use would not infringe any privately
>owned rights.  Reference herein to any specific commercial products, process,
>or service by trade name, trademark, manufacturer, or otherwise, does not
>necessarily constitute or imply its endorsement, recommendation or favoring
>by IBM or its subsidiaries.  The views and opinions of authors expressed
>herein do not necessarily state or reflect those of IBM or its subsidiaries,
>and may not be used for advertising or product endorsement purposes.
>

and then found this.

>To: runge at crl.com
>CC: ssh at clinet.fi
>Subject: Re: ssh 1.2.26 and root compromise
>References: <3.0.3.32.19981030195825.005a2a78 at mail.mpim-bonn.mpg.de>,
> <slrn73psi8.h9i.bem at thorin.cmc.net>
> <4n7%1.49$y_6.390462 at lwnws01.ne.mediaone.net>
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>Sender: owner-ssh at clinet.fi
>Precedence: bulk
>X-UIDL: 82af265d49d9ab5f1da6706787093894
>
>Karl J. Runge wrote:
>
>> Maybe. I see about 125 calls to log_msg() in the ssh 1.2.x source code.
>> Does anyone see one (or more?) calls that might be passing unprotected
>> strings? I assume the unlimited %s are the place to start...
>> [info: IBM's announcement points us to log_msg() as the source
>> of the buffer overrun, but does not say which one. See rootshell
>> statement which has the IBM announcement]
>> 
>> I doubt the logging of "log_msg" has to do with the use of the word
>> "log", but the IBM announcement is dated 10/30 ... (I just saw it today
>> for the first time).
>
>The IBM advisory was cancelled within 24 hours. The apparent buffer
>overflow IBM found was not reproducible on any other systems, and
>apparently was due to some local problem with the Linux installation on
>one particular machine. See
>
>http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:005.1.txt,
>
>http://www.ssh/fi/sshprotocols2/rootshell.html and
>
>http://www.rootshell.com/
>
>Personally, I am very disappointed with rootshell's unprofessional
>handling of that incident. Their continuing stubborn insistence - in
>spite of all contrary evidence - that something other than their
>security policy must be at fault fatally resembles the worst examples
>I've ever seen in corporate IT security. 
>
>Sevo 
>
>
>-- 
>Sevo Stille
>sevo at inm.de
>

___________________________________________________ 
Roeland M.J. Meyer, ISOC (InterNIC RM993) 
e-mail: <mailto:rmeyer at mhsc.com>rmeyer at mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: <http://www.mhsc.com/~rmeyer>www.mhsc.com/~rmeyer
Company web-site: <http://www.mhsc.com/>www.mhsc.com/
___________________________________________ 
I bet the human brain is a kludge.
                -- Marvin Minsky




More information about the NANOG mailing list