[TriLUG] OpenSSH vulnerability fear mongering

Mike Johnson mike at enoch.org
Tue Jun 25 13:51:51 EDT 2002 

Tanner Lovelace [lovelace at wayfarer.org] wrote:
 
> While this may actually be a problem, and I do agree that
> using privilege separation is generally a good idea.  Theo
> da Raadt's (the leader of OpenBSD) announcement just rubs
> me the wrong way.  It appears his announcement is aimed
> at whipping everyone into a frenzy to make the upgrade to
> the latest version.  In addition, he seems to be deliberately
> insulting various vendors in an effort to make them go
> the way *he* wants them to go.
> 
> Whether or not this supposed "vulnerability" turns out
> to be a big deal or not, I believe this is a perfect example of
> how not to conduct yourself.
> 
> Opinions?

Theo de Raadt is an asshole.  This is a known fact.  He has and whill
always conduct himself in this manner.  He's predictible in that way.

Frankly, though, I don't care.  So, he doesn't have a sunny personality.
The announcement -is- aimed at whipping everyone into a frenzy, with
good reason, I reckon.  I don't think he sent this announcement out
lightly.  You though Apache was installed on a lot of systems?

I'm pretty certain this is a big deal.  ISS (the same company who
screwed up the Apache vulnerability disclosure) found it and is actually
sitting on this one.  Also, without PrivSep, -any- pre-authentication
(and some post authentication) bugs spawn a -root- shell.  Not a nobody
shell, not a httpd shell, a shell that jumps up and says 'I 0wnz j00'.

I am resonably happy with the announcement ahead of time with a way to
work around before the details are posted.  I would imagine that a patch
has not yet been posted due to the fact that it would probably take
little effort to reverse engineer the patch (IE, figure out what it's
patching and why) and come up with an exploit.  This gives admins a bit
of a head start (a week should be good).  The damage potential (if it is
as bad as indicated) is -very- high (think CodeRed).

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20020625/7970c4db/attachment.pgp>

More information about the TriLUG mailing list