Date: Fri, 6 Nov 1998 18:39:34 +0000
From: Crispin Cowan <crispin@CSE.OGI.EDU>
Subject: Re: SSHD Exploit
To: BUGTRAQ@NETSPACE.ORG

Aleph One wrote:

> This one was a fake, folks. Little kids having their fun. Apologies for
> approving it. It was a long day.
>
> All persons that have examined the ssh code so far have found it to be
> secure (so far). If you require a safety net to sleep well at night while
> running sshd I recommend you recompile it with the StackGuard compiler
> (if you are running on an x86 or want to port it).
>
> http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

To reduce duplication of effort, we have pre-built StackGuard-protected SSH
binaries and packaged them as RPMs (thanks go to Ryan Finnin Day). The RPMs
are available from our web server here:

* http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.i386.rpm
* http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-1.2.26-1usSG.src.rpm
* http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-clients-1.2.26-1usSG.i386.rpm
* http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-extras-1.2.26-1usSG.i386.rpm
* http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/RPMS/ssh-server-1.2.26-1usSG.i386.rpm

I cannot actually warrant that these binaries resist the alleged SSH attack,
because I've never seen the attack. If anyone thinks they actually have an
exploit for SSH, please either try it against these packages, or send me the
exploit and I'll test it.

Caveat: I'm not supposed to export these powerful weapons :-( If you're
outside the US, please don't take them from my server. If you do, it's on
your own recognizance. If someone outside the US could please use the freely
exportable StackGuard compiler
( http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/compiler.html )
to re-build the international version of SSH and serve that from outside the
US, I'd appreciate it.

Thanks,
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98