Re: the openssh exploit

To: David B Harris <eelf@sympatico.ca>
Cc: debian-security@lists.debian.org
Subject: Re: the openssh exploit
From: Paul Baker <pbaker@where2getit.com>
Date: Mon, 24 Jun 2002 23:39:04 -0500
Message-id: <[🔎] 7A9C777C-87F5-11D6-8A0B-0003937562B8@where2getit.com>
In-reply-to: <[🔎] 20020625002030.1d5d9b57.eelf@sympatico.ca>


On Monday, June 24, 2002, at 11:20 PM, David B Harris wrote:


We have no way of being sure, since the nature of the exploit and the
specifics aren't being told.

However, supposedly, you need to be able to talk to the sshd in order to
exploit it. So if nothing (or nothing malicious) can open a connection,
you're fine.

Does the tcp_wrapper use in openssh work that way? It's not like ssh isrunning from inetd first being passed through tcpd. I'm just using thebuiltin tcpwrapper support of openssh, so I would guess that that meanstechnically, sshd is handling the request long enough to at least seewhat ip it is coming from. May be time to modify my firewall rules.argh! Of course maybe that won't even help. Of course we don't knowbecause openbsd is keeping a tight lip, but potentially maybe someonecould craft a malicious packet that appears to come from one of thetrusted ips??


--
Paul Baker

"They that can give up essential liberty to obtain a little temporarysafety deserve neither liberty nor safety."

         -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: the openssh exploit
  - From: David B Harris <eelf@sympatico.ca>
- Re: the openssh exploit
  - From: Anthony DeRobertis <asd@suespammers.org>

References:
- Re: the openssh exploit
  - From: David B Harris <eelf@sympatico.ca>

Prev by Date: Re: the openssh exploit
Next by Date: Re: the openssh exploit
Previous by thread: Re: the openssh exploit
Next by thread: Re: the openssh exploit
Index(es):
- Date
- Thread