The last two days I have been investigating a vulnerability in OpenSSH
affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run
OpenSSH 3.5p1 in the default install.
The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".
A working remote exploit which spawns a root shell remotely, prior to
authentication, was developed.
The bug can be triggered both through ssh version 1 and ssh version 2
using a modified ssh client. During the investigation of the vulnerability, it was found that
the bug resides in the source code file "auth2-pam-freebsd.c".
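Since the post identifies the affected build only by its sshd banner, the practical check an administrator can run is to read that identification string from each host and compare it. The script below is an added example, not the poster's code or anything from FreeBSD or OpenSSH: it parses the identification line in the "SSH-protoversion-softwareversion SP comments" form defined in RFC 4253 section 4.2, reports whether the server still offers protocol 1 (the "1.99" marker, which matches the post's note that the bug is reachable over both protocol versions), and flags the exact OpenSSH_3.5p1 FreeBSD banner quoted above. The banner "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930" is taken from the post; every other sample banner, the "version-match" category for 3.5p1 builds without a FreeBSD tag, and the grab_banner() helper are my own assumptions for illustration. A banner match is a triage signal, not proof: banners can be altered, and nothing here exercises the bug.

```python
"""Classify SSH identification strings against the banner quoted in the post.

Added example (not the original poster's code). Banner syntax follows
RFC 4253 section 4.2; the classification rules are this example's own.
"""
import re
import socket

# Identification string quoted in the post for FreeBSD 4.11-RELEASE.
AFFECTED_BANNER = "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930"

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line):
    """Split one identification line into its three fields.

    Returns a dict with 'proto', 'software' and 'comments' (empty string
    when the optional comments field is absent), or None if the line is
    not an SSH identification string at all.
    """
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def speaks_v1_and_v2(info):
    """'1.99' is the protoversion a server advertises when it accepts
    both protocol 1 and protocol 2 clients, which is the situation the
    post describes (bug reachable through either version)."""
    return info["proto"] == "1.99"


def classify(line):
    """Return 'affected', 'version-match', 'other' or 'unparsed'.

    'affected'      : OpenSSH_3.5p1 with a FreeBSD comments tag. The post
                      locates the bug in auth2-pam-freebsd.c, a FreeBSD
                      specific file, so the FreeBSD tag is what ties the
                      banner to that code.
    'version-match' : OpenSSH_3.5p1 without a FreeBSD tag. Assumption of
                      this example: treat as "needs a closer look", since
                      the post says nothing about non-FreeBSD 3.5p1 builds.
    """
    info = parse_banner(line)
    if info is None:
        return "unparsed"
    if info["software"] != "OpenSSH_3.5p1":
        return "other"
    if info["comments"].startswith("FreeBSD"):
        return "affected"
    return "version-match"


def triage(banners):
    """Map each banner line to its classification (used by the offline run)."""
    return {b: classify(b) for b in banners}


def grab_banner(host, port=22, timeout=5.0):
    """Read the identification line from a live server.

    Network helper only; not exercised offline. RFC 4253 4.2 allows a
    server to send other lines before the one starting with "SSH-", so
    anything before that prefix is skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            text = raw.decode("ascii", "replace")
            if text.startswith("SSH-"):
                return text.rstrip("\r\n")
    return None


# Constructed sample input: the first entry is the banner from the post,
# the rest are made up here to exercise each classification branch.
SAMPLE_BANNERS = [
    AFFECTED_BANNER,
    "SSH-1.99-OpenSSH_3.5p1",                    # constructed: no FreeBSD tag
    "SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308",    # constructed: later build
    "SSH-2.0-dropbear_2012.55",                  # constructed: different server
    "220 not an ssh server",                     # constructed: wrong service
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:14} {banner}")
```

To check a real host, call grab_banner(host) and pass the result to classify(); a result of "affected" is the cue to take the host off the network or restrict port 22 until it is patched, since the post states the exploit works before authentication.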