DaemonForums  

#1 J65nko, 3rd December 2012
Season's gr3371ng5 - hacker releases exploits for MySQL and SSH

From http://h-online.com/-1761125

Quote:
On Advent Sunday, the infamous hacker who goes by the name of KingCope appears to have had a stock clearance and released a whole range of exploits, some of which date back to 2011. The exploits released on 2 December mostly target the now-Oracle-owned MySQL open source database, but the SSH servers by SSH Communications Security and FreeSSHd/FreeFTPd are also at acute risk.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#2 jggimi, 3rd December 2012

From the article...
Quote:
The published holes in FreeSSHd's and the SSH protocol developers' SSH servers are nothing short of embarrassing. Apparently, both holes can be exploited to bypass the password check and log in with an arbitrary password. With SSH's Tectia server, the exploit description says that attackers can modify a legitimate user's password by calling input_userauth_passwd_changereq() before logging in. In case of the FreeSSHd/FreeFTPd server, all that appears to be required is to ignore a refusal message by the server and declare the session to be open at the right time. All the exploit has to do is add an extra call to the existing ssh_session2() function of the regular openssh client.
I am thankful the BSDs and most *nixes use OpenSSH servers.
Reply With Quote
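
The FreeSSHd flaw quoted in post #2 amounts to a server that lets a refused client carry on as if it had logged in. The sketch below is an added example, not code from the article, the posters or any SSH project: it shows the server-side gate that prevents this, where the authenticated flag is set only by the server's own check and any connection-protocol message (number 80 or higher, RFC 4252 section 6) that arrives before that causes a disconnect. `struct conn`, `dispatch`, `check_password` and the sample credentials are hypothetical; the message numbers are those assigned in RFC 4250.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Message numbers as assigned in RFC 4250. */
enum { SSH_MSG_USERAUTH_REQUEST = 50, SSH_MSG_CHANNEL_OPEN = 90 };
enum verdict { V_PROCESS, V_IGNORE, V_AUTH_FAILURE, V_AUTH_SUCCESS, V_DISCONNECT };

#define MAX_AUTH_FAILURES 3            /* illustrative limit */

/* Hypothetical per-connection state. Only dispatch() sets 'authenticated',
 * and only after the server's own credential check has passed. */
struct conn { bool authenticated; unsigned failures; };

/* Constructed stand-in for a real password backend. */
static bool check_password(const char *user, const char *pw)
{
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct horse") == 0;
}

/* Decide what to do with one incoming packet. 'user' and 'pw' are only
 * read for SSH_MSG_USERAUTH_REQUEST. */
enum verdict dispatch(struct conn *c, uint8_t msg, const char *user, const char *pw)
{
    if (msg == SSH_MSG_USERAUTH_REQUEST) {
        if (c->authenticated)
            return V_IGNORE;           /* RFC 4252 5.1: ignore after success */
        if (check_password(user, pw)) {
            c->authenticated = true;
            return V_AUTH_SUCCESS;
        }
        if (++c->failures >= MAX_AUTH_FAILURES)
            return V_DISCONNECT;
        return V_AUTH_FAILURE;
    }
    /* RFC 4252 section 6: numbers 80 and up belong to protocols that run
     * after authentication; seeing one earlier means disconnect. */
    if (msg >= 80 && !c->authenticated)
        return V_DISCONNECT;
    return V_PROCESS;
}

/* Replay a constructed trace: a rejected password, then a channel open. */
enum verdict replay_rejected_then_open(void)
{
    struct conn c = { false, 0 };
    if (dispatch(&c, SSH_MSG_USERAUTH_REQUEST, "alice", "guess") != V_AUTH_FAILURE)
        return V_PROCESS;
    return dispatch(&c, SSH_MSG_CHANNEL_OPEN, NULL, NULL);
}
```
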

#3 rocket357, 3rd December 2012

Quote:
all that appears to be required is to ignore a refusal message by the server and declare the session to be open at the right time.
Oh my God...
__________________
Linux Admin by Profession. OpenBSD user by choice.

#4 Carpetsmoker, 3rd December 2012

Quote:
I am thankful the BSDs and most *nixes use OpenSSH servers.
I have never, ever, seen anything else being other than OpenSSH.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#5 jggimi, 3rd December 2012

Quote:
Originally Posted by Carpetsmoker
I have never, ever, seen anything else being other than OpenSSH.
I have. Some embedded systems -- in my case, that's several Android distributions -- have used or continue to use Dropbear for server and/or client.