SSH Exploit

[lsvtec]

Probably a Oh well.

From:
http://slashdot.org/article.pl?sid=03/09/1...172&threshold=1

Full-Disclosure] new ssh exploit?
christopher neitzert chris@neitzert.com
Mon, 15 Sep 2003 13:48:34 -0400

More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running
the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts various
offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or direct
-off-list-reply confirming this exploit;

The suggestions I have heard are:

Turn off SSH and

1. upgrade to lsh
2. add explicit rules to your edge devices allowing ssh from only-known hos
ts.
3. put ssh behind a VPN on RFC-1918 space.

 

[phunky.buddha]

Interesting. Thanks for the info.

 

[MaaseyRacer]

shit man I run Debian... Time to look into lsh...

 

[B16]

hmm, our ftp server uses ssh, guess i better restrict it to just my host :\

 

[posol]

all versions of these?

 

[dohcvtec_accord]

:nods and pretends to know what the geeks are talking about:

 

[rudeludenotmeanthough]

whats going on?

 

[dohcvtec_accord]

Originally posted by rudeludenotmeanthough@Sep 17 2003, 03:00 PM
whats going on?

Shhhh. They're having a secret geek meeting.

:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

 

[posol]

t3h l337 |0/\7<43$

 

[phunky.buddha]

Originally posted by dohcvtec_accord@Sep 17 2003, 05:06 PM
:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

Pretty talented if you're backstabbing with a magic sword.

 

[lsvtec]

Originally posted by Calesta+Sep 17 2003, 04:09 PM-->

dohcvtec_accord

@Sep 17 2003, 05:06 PM
:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

Pretty talented if you're backstabbing with a magic sword.

ushes glasses up:
At least in 2nd ed, there was no rule against backstabbing with a magical sword.

all versions of these?

As I understand it only Red Hat, Debian, Free BSD, and Gentoo are vunerable, and only if they are running any version of OpenSSH. I could be wrong, but that is the way I understand it.

 

[phunky.buddha]

Originally posted by lsvtec+Sep 17 2003, 05:18 PM-->

Originally posted by Calesta@Sep 17 2003, 04:09 PM
dohcvtec_accord

@Sep 17 2003, 05:06 PM
:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

Pretty talented if you're backstabbing with a magic sword.

ushes glasses up:
At least in 2nd ed, there was no rule against backstabbing with a magical sword.

No, but it IS more difficult. Penalty to your rolls sir Knight, or assassin as that may be.

 

[lsvtec]

Originally posted by Calesta+Sep 17 2003, 04:26 PM-->

Originally posted by lsvtec@Sep 17 2003, 05:18 PM

Originally posted by Calesta@Sep 17 2003, 04:09 PM
dohcvtec_accord

@Sep 17 2003, 05:06 PM
:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

Pretty talented if you're backstabbing with a magic sword.

ushes glasses up:
At least in 2nd ed, there was no rule against backstabbing with a magical sword.

No, but it IS more difficult. Penalty to your rolls sir Knight, or assassin as that may be.

Dammit, Scott still has my Players and DM's Guide. I don't think that was the case in 2nd ed, WOC may have added it to 3rd ed but I quit wasting money on the books by that point.


Aaahhhh, half the fun of gaming right here, arguing about the rules.

 

[phunky.buddha]

Well, I'm pretty sure it is. I haven't played in over a decade, but my housemate does- I'll ask him. He's got most of the books around here anyway. I just don't care to search through them.

Geek.

 

[dohcvtec_accord]

AD&D 2nd Ed > AD&D 3rd Ed

 

[dohcvtec_accord]

Oh, and backstabbing with a magical sword is perfectly acceptable.

MMMM-GLAVIN!!!!

 

[BodyDroppedNikes]

<--lost

 

[Slo86GT]

Originally posted by Calesta+Sep 17 2003, 05:26 PM-->

Originally posted by lsvtec@Sep 17 2003, 05:18 PM

Originally posted by Calesta@Sep 17 2003, 04:09 PM
dohcvtec_accord

@Sep 17 2003, 05:06 PM
:lies in wait, Hiding in Shadows with his +5 Vorpal Sword waiting to Backstab the nearest geek:

Pretty talented if you're backstabbing with a magic sword.

ushes glasses up:
At least in 2nd ed, there was no rule against backstabbing with a magical sword.

No, but it IS more difficult. Penalty to your rolls sir Knight, or assassin as that may be.

I once pulled off a successful backstab with a boiling kettle... Did 14 hit damage and 3 splash damage to an ogre.

 

[posol]

damn, i must not be leet after all. i have no idea what you guys are tlaking about

 

[Havok]

Old school Dungeons and Dragons, y0!