[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenSSH Security Advisory: buffer.adv
- To: misc@openbsd.org
- Subject: Re: OpenSSH Security Advisory: buffer.adv
- From: "Heather Guse" <hguse@dpntech.com>
- Date: Wed, 17 Sep 2003 12:31:08 +0000
- Content-Disposition: inline
I appologize if this gets duplicated, not sure it went out the first time!
Dries Schellekens (gwyllion@ace.ulyssis.org) wrote:
>
>On Wed, 17 Sep 2003, Dom De Vitto wrote:
>
>> /. are half-saying that an exploit is available (quoting a post that
>> says one exists, but isn't very credible as it's only from a single
>> source I don't know/trust/love).
>>
>> Has anyone heard different and seen the sploit in the wild?
>
>Some guy on deadly.org claims an exploit was made "public" on the CTF
>contest of Defcon.
>http://www.deadly.org/article.php3?sid=20030916200907
>
>Then latter someone claims that this bug is not exploitable indeed (as
>suggested by many experts), but that a second bug exists (and presumably
>was made "public" at Defcon), which is a remote root-level exploit.
>http://www.deadly.org/commentShow.php3?sid=20030916200907&pid=359
>
>So the claims about exploit in the wild are based on the alleged second
>bug and not on this one.
>
>Maybe this second bug is one of the 4 other realloc bugs Solar Designer
>found. I hope this will be fixed in OpenSSH soon.
>
I don't believe this information is accurate. During the contest I didn't hear of
any new finds with SSH. In fact the chosen platform used for the contestants this
year was openbsd. They were very pleased with its stability throughout CTF.
But if you want the real info contact the ghettohackers as they now run CTF for Defcon.
>
>Anyway, good luck people patching sendmail and perhaps openssh again in a
>short while ;-)
>
>
>Cheers,
>
>Dries
>
>
--
Heather (Guse) Bryan
hbryan@dpntech.com
DPN, Inc.
952-746-5316
866-571-2172
emergency# 612-804-8015