The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   SSH possible security hole (http://hintsforums.macworld.com/showthread.php?t=15178)

trinitrotoluene 09-16-2003 05:08 PM

SSH possible security hole
 
http://www.securityfocus.com/archive...3/2003-09-19/0

Since we can't really do anything until Apple releases an update, I recommend turning off SSH for computers you don't absolutely need it on.

breen 09-16-2003 06:35 PM

Change that to:

Turn off ssh on all computers until Apple releases a patch.

My linux box here was cracked before I ever had a chance to see the advisory.

I hate reinstalling systems.

Breen

gatorparrots 09-16-2003 07:18 PM

Quote:

It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

breen 09-16-2003 07:30 PM

Yeah, right.
I keep my boxen reasonably locked down -- but when I read the alert I checked and had 20 more processes running than ps reported.
I've never seen that happen except on a rooted box. I pulled it and reinstalled.

Breen

yellow 09-16-2003 07:50 PM

Last time there was an OpenSSH vulnerability, I just downloaded the OpenBSD version and built it myself on all my OS X boxes. If you don't want to, you don't have to wait for Apple to release a patched version.

hayne 09-16-2003 10:27 PM

Quote:

Originally posted by breen
when I read the alert I checked and had 20 more processes running than ps reported.
Could you please explain in more detail what you meant by the above? I.e. how did you know about those processes if 'ps' didn't show them?

MBHockey 09-16-2003 10:50 PM

What is SSH and how do I disable it?

yellow 09-16-2003 11:02 PM

Quote:

Originally posted by MBHockey
What is SSH and how do I disable it?
SSH = Secure Shell
It's to connect to remote machines and get a shell. Like telnet except every packet is encrypted, so passwords, usernames, data aren't sent in cleartext.
There are other uses and aspects of it as well.
If you don't have "Remote Login" checked in the Sharing Preference Pane, then the SSH daemon is not currently running on your machine.

gatorparrots 09-16-2003 11:22 PM

Quote:

Originally posted by yellow
Last time there was an OpenSSH vulnerability, I just downloaded the OpenBSD version and built it myself on all my OS X boxes. If you don't want to, you don't have to wait for Apple to release a patched version.
What were your configure settings/patches to get a successful build?

gatorparrots 09-16-2003 11:31 PM

Quote:

Originally posted by breen
Change that to:

Turn off ssh on all computers until Apple releases a patch.

My linux box here was cracked before I ever had a chance to see the advisory.

I hate reinstalling systems.

Breen
Judging by the CERT description, being rooted is the lesser of worries/possibilities:
Quote:

A vulnerability exists in the buffer management code of OpenSSH. This vulnerability affects versions prior to 3.7. The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. This vulnerability may also allow an attacker to execute arbitrary code.
and
Quote:

II. Impact

While the full impact of this vulnerability is unclear, the most likely result is heap corruption, which could lead to a denial of service.

If it is possible for an attacker to execute arbitrary code, then they may be able to do so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.
Given the nature of the vulnerability, you're more likely to be DoSed than r00ted.

yellow 09-17-2003 07:57 AM

Quote:

Originally posted by gatorparrots
What were your configure settings/patches to get a successful build?
The first time it was quite easy, just a download and the default build. This time, there are header and library inconsistencies, something Apple has done? So, for the moment, I will rely on my firewall to stave off any denial of service attacks through OpenSSH until I can get it built later today.

breen 09-17-2003 11:04 AM

Quote:

Originally posted by hayne
Could you please explain in more detail what you meant by the above? I.e. how did you know about those processes if 'ps' didn't show them?
Sure, glad to.
This is a linux box, recall. Linux uses the /proc filesystem to give userland a look at the kernel memory structures. In particular there's a directory under /proc for each current process, named by the process number.

So I compared the output of

ls -d /proc/[0-9]* |wc -l

and

ps auxw |wc -l

The output of the two commands should be very close (there's usually a difference of one). On my box yesterday the first showed ~20 more processes than the second. The conclusion is that the box has been rooted and somebody's installed a rootkit version of 'ps'.

Breen
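An added example, not from breen's post or from any tool mentioned in the thread: a small POSIX shell script that automates the comparison above. It lists the numeric entries under /proc, lists the PIDs that ps reports, and prints any PID the kernel knows about that ps does not. A PID or two of difference is normal (processes starting or exiting between the two snapshots, plus ps itself); a steady set of PIDs that never shows up in ps is the sign breen describes. The function names are mine, and the sample PID lists used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): automate breen's check by comparing the
# PIDs the kernel exposes under /proc with the PIDs that ps is willing to report.
# Function names are constructed for this example.

# pids_from_proc [ROOT]: numeric directory names under ROOT (default /proc),
# one per line, numerically sorted. Each one is a process the kernel knows about.
pids_from_proc() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/}"
    done | sort -n
}

# pids_from_ps: every PID that ps reports, all users, no header, sorted.
pids_from_ps() {
    ps -A -o pid= | tr -d ' ' | sort -n
}

# hidden_pids PROC_LIST PS_LIST: print each PID present in PROC_LIST but absent
# from PS_LIST. Both arguments are whitespace-separated PID lists, so the
# function can be exercised on constructed data as well as on live output.
hidden_pids() {
    proc_list="$1"
    ps_list="$2"
    for pid in $proc_list; do
        printf '%s\n' "$ps_list" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# check_live: run the comparison on this machine. Expect a PID or two to differ
# (processes that started or exited between the two snapshots, and ps itself);
# a stable set of PIDs that never appears in ps is what points at a trojaned ps.
check_live() {
    hidden_pids "$(pids_from_proc)" "$(pids_from_ps)"
}

# Only attempt the live check where /proc and ps exist (Linux; Mac OS X of the
# era has no /proc, which is why breen's method is Linux-specific).
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    check_live
fi
```

The comparison trusts the kernel's view over the userland tool, which is the point of the check: a rootkit that only replaces ps cannot hide from /proc. It says nothing about a kernel-level rootkit that filters /proc itself, so an empty result is reassuring but not proof.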

sandtrip2 09-18-2003 01:41 PM

you could always compile your own sshd

Version OpenSSH_3.7p1 is the one to go for.

yellow 09-19-2003 11:39 AM

I had troubles building it due to incompatibilities between OpenSSH libraries and headers. I don't know if this is something that I broke when building OpenSSH myself last time there was a major SSH problem or if it's something that Apple busted.

I tell you one thing, I find it VERY odd that Apple hasn't even acknowledged this vulnerability yet on their security list, perhaps they are having some troubles building a replacement?

mervTormel 09-19-2003 11:57 AM

Quote:

Originally posted by yellow
I had troubles building it due to incompatibilities between OpenSSH libraries and headers. I don't know if this is something that I broke when building OpenSSH myself last time there was a major SSH problem or if it's something that Apple busted...
same here.
Code:

$ ./xdowns/openssh-3.7.1p1/contrib/findssl.sh
Searching for OpenSSL header files.
0x0090605fL /usr/include/openssl/opensslv.h
0x0090702fL /Volumes/zulu/sw/include/openssl/opensslv.h

Searching for OpenSSL shared library files.

Searching for OpenSSL static library files.
ld: can't locate file for: -lcrt0.o


yellow 09-22-2003 12:08 PM

Nearly a week.. no update, no report on Security Announce, not a peep. Odd.

trinitrotoluene 09-22-2003 12:44 PM

Yeah, this is really frustrating. I run a computer lab and really need to deploy new images for the computers, but they need to have SSH running for me to admin them effectively.

hayne 09-22-2003 01:23 PM

firewall
 
Quote:

Originally posted by trinitrotoluene
I run a computer lab and really need to deploy new images for the computers, but they need to have SSH running for me to admin them effectively.
Aren't all of your computers (the lab ones and the ones you use to administer them) behind a firewall? If so, just make sure that the firewall doesn't allow SSH to pass through and then you don't need to worry about outsiders being able to take advantage of the SSH hole.

If you are worried about insiders, you could enable the firewall on each of the lab machines and add a rule to only allow ssh from the IP address of your admin machine.

Craig R. Arko 09-22-2003 02:36 PM

I just built openssh 3.7p1 using fink. Do I need to do anything to get the system to use the new sshd (in /sw/sbin)? It looks like if I run a 'which sshd' it points to the fink installed path. All copacetic?

Edit - Thinking about this, the system would have no knowledge of the /sw paths at startup, since they're in my login script, and the sshd daemon launches before I log in. In which config file should a body point to this stuff at startup?

yellow 09-22-2003 02:41 PM

Quote:

Originally posted by Craig R. Arko
All copacetic?
I don't think so. All the binaries would have to be moved to replace the existing, flawed ones. If you do "ssh -V" in the terminal, it will probably return "OpenSSH_3.4p1". I don't know if you can move the new binaries to replace all the old binaries and all dependencies will be satisfied. I leave that for someone more binary-build-technically-capable than I.

mervTormel 09-22-2003 02:46 PM

Quote:

Originally posted by Craig R. Arko
I just built openssh 3.7p1 using fink. Do I need to do anything to get the system to use the new sshd (in /sw/sbin)? It looks like if I run a 'which sshd' it points to the fink installed path. All copacetic?

Edit - Thinking about this, the system would have no knowledge of the /sw paths at startup, since they're in my login script, and the sshd daemon launches before I log in. In which config file should a body point to this stuff at startup?
examine /System/Library/StartupItems/SSH/SSH


my approach would be to disable /usr/sbin/sshd a la:

$ sudo mv /usr/sbin/sshd{,.disabled}

and then migrate fink's sshd to /usr/sbin/sshd

i think

trinitrotoluene 09-22-2003 03:29 PM

Re: firewall
 
Quote:

Originally posted by hayne
Aren't all of your computers (the lab ones and the ones you use to administer them) behind a firewall? If so, just make sure that the firewall doesn't allow SSH to pass through and then you don't need to worry about outsiders being able to take advantage of the SSH hole.

If you are worried about insiders, you could enable the firewall on each of the lab machines and add a rule to only allow ssh from the IP address of your admin machine.
The campus network is quite large, so all the firewalls are on the border of the networks, and really provide minimal protection.

My workstation is supplied an IP via DHCP, so the IP may change while the image has an old IP. Actually my main problem is that the images need to be deployed with SSH enabled, so I don't have to go through all the computers afterwards and update and enable SSH once a patch is released.

Thanks for the suggestions though.

I contacted our Apple rep, and the response is that it is being worked on.

yellow 09-22-2003 03:39 PM

Re: Re: firewall
 
Quote:

Originally posted by trinitrotoluene
My workstation is supplied an IP via DHCP, so the IP may change while the image has an old IP.
But that IP will still be in a domain range that is manageable. While it doesn't make you secure, it makes you more secure to set up IPFW locally to only allow SSH from that domain, and not the whole world. Also, IPFW supports DNS, so you can add your DNS name which shouldn't ever change even if your IP does. Finally, since you're an IT manager, you should very easily be able to request and get a static IP.

Craig R. Arko 09-22-2003 03:46 PM

Quote:

Originally posted by mervTormel
examine /System/Library/StartupItems/SSH/SSH


my approach would be to disable /usr/sbin/sshd a la:

$ sudo mv /usr/sbin/sshd{,.disabled}

and then migrate fink's sshd to /usr/sbin/sshd

i think

I'm gutsy. :D

Will give this a try. The real fun begins after this, when I'd like to install the patched sshd on my 10.1 Server machine, which does not have fink installed.

yellow 09-22-2003 03:49 PM

Quote:

Originally posted by Craig R. Arko
I just built openssh 3.7p1 using fink.
Strange, my updated version only has version 3.6.1p1-4, and nothing in the unstable hierarchy.

Craig R. Arko 09-22-2003 04:11 PM

3.7.1p1 was in the unstable tree when I updated earlier today.

So Merv's idea worked, with the following caveat: the fink-built version of sshd looks for keys in /sw/etc/ssh, instead of /etc. So I had to copy the keys (as root) from /etc to /sw/etc/ssh, and after that everything worked ok.

I expect a non-fink version should look in /etc, as normal.

ssh -V now shows: OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7a Feb 19 2003

gatorparrots 09-22-2003 06:07 PM

10.2.8 does not update SSH
 
10.2.8 just came out...
Sadly, it doesn't look like the newer SSH made it into the release:
Code:

ssh -V
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f


Craig R. Arko 09-22-2003 06:42 PM

In fact 10.2.8 just overwrote my newly built 3.7.1p1 sshd with the old one. Fortunately it was easy enough to copy back, and still works.


Edit - I just read on slashdot that the 'OpenSSH_3.4p1+CAN-2003-0693' means that it is patched for the buffer overflow exploit. Can anyone confirm this?

blb 09-22-2003 07:40 PM

From Apple's security email:
Quote:

OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
versions prior to 10.2.8, the vulnerability is limited to a denial
of service from the possibility of causing sshd to crash. Each
login session has its own sshd, so established connections are
preserved up to the point where system resources are exhausted by
an attack.

To deliver the update in a rapid and reliable manner, only the
patches for CVE IDs listed above were applied, and not the entire
set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
0x0090609f
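An added example, not from the thread or from Apple: a POSIX shell helper that turns the two signals established above into a check an administrator can run across a lab. It parses an "ssh -V" banner and reports the build as patched when its OpenSSH version is 3.7 or later, or when the banner carries Apple's +CAN-2003-0693 marker from 10.2.8; any other OpenSSH banner is unpatched, and a string that is not an OpenSSH banner at all is unknown. The function names are mine; the banner formats are the ones quoted in this thread, and the sample banners used to exercise the functions are constructed from them.

```shell
#!/bin/sh
# Added example (not from the thread): classify an "ssh -V" banner as patched
# or unpatched for the OpenSSH 3.7 buffer-management bug. Two signals, both
# taken from this thread: an OpenSSH version of 3.7 or later, or Apple's
# "+CAN-2003-0693" tag on the 3.4p1 banner shipped in Mac OS X 10.2.8.
# The thread uses the client's "ssh -V" as a proxy for the bundled sshd.
# Function names are constructed for this example.

# openssh_version BANNER: print "major.minor" from a banner such as
# "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7a Feb 19 2003";
# prints nothing if the string is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# has_apple_tag BANNER: succeed when Apple's CAN-2003-0693 marker is present.
has_apple_tag() {
    case "$1" in
        *+CAN-2003-0693*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_status BANNER: print "patched", "unpatched" or "unknown".
sshd_status() {
    banner="$1"
    ver="$(openssh_version "$banner")"
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major="${ver%.*}"
    minor="${ver#*.}"
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }; then
        echo patched            # upstream fix: 3.7 and later
    elif has_apple_tag "$banner"; then
        echo patched            # Apple's backport; banner still says 3.4p1
    else
        echo unpatched
    fi
}

# check_local: classify the ssh on this machine (ssh -V writes to stderr).
check_local() {
    sshd_status "$(ssh -V 2>&1)"
}

if command -v ssh >/dev/null 2>&1; then
    printf 'local ssh: %s\n' "$(check_local)"
fi
```

A vendor that backports the fix without changing the banner, as Apple did but without the tag, would still be reported as unpatched. That is the conservative failure mode for an inventory check: it sends you to look at a machine that may be fine, rather than passing one that is not.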

Craig R. Arko 09-22-2003 07:47 PM

Thanks!

yellow 09-22-2003 08:16 PM

Quote:

Originally posted by blb
From Apple's security email:
[grumble]
Why the heck haven't I gotten that email?
*scratch*
[/grumble]

gatorparrots 09-22-2003 11:13 PM

Are you subscribed to the list?
http://lists.apple.com/mailman/listi...rity-announce/

yellow 09-23-2003 08:00 AM

Well duh, of course I am GP :)
I finally got it at 1:57 am EDT.

yellow 10-02-2003 07:33 AM

10/2 and still no fix. This is very unusual for Apple.

