{"id":324,"date":"2012-04-10T00:52:14","date_gmt":"2012-04-09T22:52:14","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=324"},"modified":"2012-04-10T00:54:52","modified_gmt":"2012-04-09T22:54:52","slug":"cve-2011-5000","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=324","title":{"rendered":"CVE-2011-5000: OpenSSH vulnerability"},"content":{"rendered":"<p>The first of August 2011 was the date when I decided to publish an advisory about a vulnerability in the OpenSSH daemon. If someone reads the advisory carefully, he will discover that this bug was found in 2008. It took me quite a long time to publish the details of the vulnerability. I did it for a few reasons; at first I didn&#8217;t have time to analyse the details, and the bug was promising (pre-authentication). In that case the advisory would never be public. The problem exists in the GSSAPI module (native to the OpenSSH source code). I checked many packages on many systems and it seems this authentication method (gssapi-with-mic) is enabled by default in most of them. Everything was looking very promising \ud83d\ude09 After some months I returned to that problem and discovered that the vulnerability is _EXACTLY_ after authentication (one call), so (un)fortunately this is a post-authentication bug. Next I tried to find some other way to exploit it. Again I started to be busy and dropped this project. Because of that, I finally published the advisory; maybe someone else is interested in playing with it. More information can be found <strong><a href=\"http:\/\/blog.pi3.com.pl\/?p=159\" target=\"_blank\">here<\/a><\/strong> and <strong><a href=\"http:\/\/site.pi3.com.pl\/adv\/ssh_1.txt\" target=\"_blank\">here<\/a><\/strong> \ud83d\ude42<\/p>\n<p>I&#8217;m writing this post because I&#8217;m happy to announce that my research has officially received a Common Vulnerabilities and Exposures (CVE) number (<strong><a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2011-5000\" target=\"_blank\">CVE-2011-5000<\/a><\/strong>).<\/p>\n<p>The latest version of OpenSSH has a fix for this problem, which can be found <strong><a href=\"http:\/\/www.openbsd.org\/cgi-bin\/cvsweb\/src\/usr.bin\/ssh\/gss-serv.c.diff?r1=1.22;r2=1.23\" target=\"_blank\">here<\/a><\/strong>. The fix exists only in the original source code but usually NOT in the official packages of popular systems (e.g. RedHat &#8211; more info <strong><a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=809938\" target=\"_blank\">here<\/a><\/strong>). The problem was solved by <strong><a href=\"http:\/\/wwwcip.informatik.uni-erlangen.de\/~msfriedl\/\" target=\"_blank\">Markus Friedl<\/a><\/strong> and I would like to thank him for the cooperation \ud83d\ude42<\/p>\n<p>Best regards,<\/p>\n<p>Adam<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first of August 2011 was the date when I decided to publish an advisory about a vulnerability in the OpenSSH daemon. If someone reads the advisory carefully, he will discover that this bug was found in 2008. It took me quite a long time to publish the details of the vulnerability. I did it for a few reasons; at first I didn&#8217;t [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-324","post","type-post","status-publish","format-standard","hentry","category-o-wszystkim-i-o-niczym"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=324"}],"version-history":[{"count":5,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/324\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/324\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}