Warning: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD 4.x

Remote root exploit for FreeBSD 4.9 and 4.11

Yes, I know these versions have been end-of-life for a few years.

But I see quite a few posts from people who are still running these ancient versions. Perhaps this is the incentive to finally upgrade them.

The last two days I have been investigating a vulnerability in OpenSSH affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run OpenSSH 3.5p1 in the default install.

The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".

A working remote exploit which spawns a root shell remotely, prior to authentication, was developed.

The bug can be triggered both through SSH version 1 and SSH version 2 using a modified ssh client. During the investigation of the vulnerability it was found that the bug resides in the source code file "auth2-pam-freebsd.c".

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20110630/fcd34bf6/attachment.obj

Needless to say, this bug won't be fixed.

http://www.freebsd.org/security/#sup
 
So install a more recent version of OpenSSH then.

And yes, 4.X is still alive and well on many machines.
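A version-inventory check, added here and not part of the post or the advisory it relays: it parses the sshd identification string quoted above (RFC 4253 format, `SSH-protoversion-softwareversion [comments]`) and flags hosts advertising the affected FreeBSD build. The non-FreeBSD and newer sample banners are constructed; the `grab_banner` helper and its host/port arguments are assumptions for live use.

```python
import re
import socket
from typing import Optional

# Software string from the banner quoted in the post; the advisory says 4.9 ships the same build.
AFFECTED_SOFTWARE = "OpenSSH_3.5p1"

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_banner(line: str) -> Optional[dict]:
    """Split an SSH identification string into protocol version, software and comments."""
    m = BANNER_RE.match(line.strip())
    return m.groupdict() if m else None

def is_affected(line: str) -> bool:
    """True when the banner advertises OpenSSH 3.5p1 with a FreeBSD comment field.
    The protocol version is ignored: the post says the bug triggers over SSH-1 and SSH-2,
    and the bug is in a FreeBSD-specific file, so the FreeBSD tag is required."""
    info = parse_banner(line)
    if info is None:
        return False
    return info["software"] == AFFECTED_SOFTWARE and (info["comments"] or "").startswith("FreeBSD")

def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read a server's identification line (first CRLF-terminated line sent by sshd)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace").rstrip("\r\n")

# Constructed sample banners for offline use; only the first is taken from the post.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930",
    "SSH-2.0-OpenSSH_8.9 FreeBSD-20211221",
    "SSH-2.0-OpenSSH_3.5p1",
]

def flag_affected(banners):
    """Return the banners that match the affected FreeBSD OpenSSH build."""
    return [b for b in banners if is_affected(b)]

if __name__ == "__main__":
    for b in flag_affected(SAMPLE_BANNERS):
        print("affected:", b)
```

For a live host, `is_affected(grab_banner("sshd.example.internal"))` runs the same check against the banner sshd actually sends.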
 