"A is for Amy who fell down the stairs, B is for Basil assaulted by bears.
C is for Clair who wasted away, D is for Desmond thrown out of the sleigh.
E is for Ernest who choked on a peach, F is for Fanny, sucked dry by a leech.
G is for George, smothered under a rug, H is for Hector, done in by a thug.
I is for Ida who drowned in the lake, J is for James who took lye, by mistake.
K is for Kate who was struck with an axe, L is for Leo who swallowed some tacks.
M is for Maud who was swept out to sea, N is for Nevil who died of ennui.
O is for Olive, run through with an awl, P is for Prue, trampled flat in a brawl.
Q is for Quinton who sank in a mire, R is for Rhoda, consumed by a fire.
S is for Susan who perished of fits, T is for Titus who flew into bits.
U is for Una who slipped down a drain, V is for Victor, squashed under a train.
W is for Winnie, embedded in ice, X is for Xerxes, devoured by mice.
Y is for Yorick whose head was bashed in, Z is for Zilla who drank too much gin."
                -- Edward Gorey, "The Gashlycrumb Tinies"

Monday, July 1, 2002.

Today is a glorious day to seek fame.

A few days ago, a security consultant (who wishes his name not be published), who works for a large security company (which wouldn't want to be linked to GOBBLES, even by friendship), sent GOBBLES email concerning the recent ISS advisory and the reset of OpenBSD's claim for invulnerability.  A small excerpt from the email is pasted below.

	". . . is this actually exploitable?  [censored] has received many
	 reports from our researchers that it cannot be exploited, and 
	 a lot of the community is wondering if this release is just some
	 publicity stunt from ISS, in partnership with Theo, to recover 
	 from the public humiliation you subjected them to with the whole
	 chunking/scalp incident?  Any insight on this matter would be
	 greatly appreciated."

First, a few things that should be noted.

1) w00w00 has a slew of private IRC client vulnerabilities and exploits.
2) Theo D. (no relationship to Mike D.) IRCs in the w00w00 channel from cvs.openbsd.org.  This is very bad; if he were actually security conscious, he would realize the instant ramifications of his account being compromised -- instant backdooring of the OpenBSD cvs.
3) Only security geniuses like Solar Designer and Theo are capable of grasping the concept of privilege separation.  Idiots like lcamtuf think a chroot'd process with no files to execute can lead to a compromise via kernel bugs and unrestricted IPC.  Maybe it'd be a good idea to work on implementing various chroot restrictions, but until then, we'll privsep you, Theo.

Now, some interesting things happened with this whole incident.  First, Theo sends out a mass announcement to just about every OS vendor out there, talking about how there will be advisories published in the near future concerning remote preauthentication root hole(s?) in OpenSSH, and that everyone needs to immediately install the latest version of OpenSSH that has privilege separation enabled to reduce the impact of the bug when it is released.  The strange thing is, the bug really is limited to exploitation on *BSD distributions (per default installations, to those critics).

Alan Cox made some funny statements to Theo, that apparently flew over our egomaniac's head.

The truth is, the community has been laughing at Theo for years, at his bragging about the "security" of the default installation of OpenBSD.  Of course it can't be compromised, it doesn't run anything!  He's slowly been allowing "trusted" services to be added to the installation (comsat, portmapper), but the pressure was on to install his group's SSH daemon.  "If it's so secure, and you're all so great, why don't you include it in your default install, you coward?"

Theo wanted to overplay the extent of this vulnerability to try to bring the other developers down with him.  Sorry Theo, you lose again.

So finally he has balls enough to do it, and now it's shoved in his face that OpenSSH is crappy code.  He got his team of Michigan hackers (Michigan hackers are the best writers, btw!, but not the ones that this release focuses on) to implement this "privsep" functionality, which really adds no layer of security whatsoever when dealing with a skilled attacker, but rather just another layer of false security for the general population to blindly believe in.  Hey Theo, we know all your secrets, and the secret of OpenBSD...

Interestingly enough, www.citi.umich.edu (home of Niels Provos and Doug Sniff) is vulnerable to public Apache exploits, and now a public OpenSSH/OpenBSD exploit, and they're the ones responsible for developing this "privsep" technology.  Makes you wonder about some things, doesn't it?  CITI is the home of some really great security research, like great papers on NFS security and other IETF security stuff or whatever.

Now, back to the question at hand, which is: Ok, we understand that the bug in OpenSSH is, for all practical purposes, limited to OpenBSD (hi critics!), but what we really want to know is -- is this bug exploitable or not?

Greets to Vigilante, btw!

The answer is that Duke is a very skilled man, and yes indeed this bug is exploitable.  If ISS had thought it wasn't exploitable, they would have stated so in their rushed security advisory instead of thinking things through, but if they were sure it is exploitable, then they wouldn't lie to you.

Still, there are those that have doubts.  We feel this vulnerability has been known about for long enough, and that anyone who is vulnerable and wants to be secure has patched, so we see no ethical reasons to keep this exploit private any longer (rhetoric borrowed from zen-parse, he's our hero), so we offer this up to you and the gods of infosec.

Also, we're not sure why our posts to vuln-dev were blocked on the matter, but we're not too certain that a local off-by-one vulnerability in mod_ssl is a huge security problem.  At the end of all the conversation of signalling, ptrace abuse, and other mischief that can be made with uid(nobody), no one seems to think of the following:

	1) Exploits that gain you a lower privilege than what you start with
	   are funny.
	2) Access to create a .htaccess file is usually "higher" than the
	   privileges you'll gain from local exploitation of mod_ssl.
	3) ExecCGI anyone?  What's stopping a "normal" system user from 
	   installing their own CGI that does the ptrace/signalling abuse?
	   Wouldn't this be more practical/easier in most scenarios than 
	   trying to exploit mod_ssl?
	4) For the three "shared" hosting servers out there that don't allow
	   custom scripts, php, ssi, whatever, this might be close to being
	   considered a problem, but realistically it isn't anything to fuss
	   about.
	5) Blue Boar?

We're still uncertain why Theo denies that talkd was vulnerable, but whatever, it seems that only bugs disclosed by whitehats from ADM and not blackhats from ADM can be counted against his now imperfect record.

July is an important month in American history, and to pay homage to our great land, we will be releasing some of our own patches for OpenSSH to show our patriotism, including what we like to call "The US Patriot Patch" for OpenSSH.  Even though George Bush is a dork, he's doing a very good job of holding our country together through these dark days, and that is something that everyone should take note of.  Appreciate what we have here in America, take pride in our land, and keep ourselves both free and safe.

God Bless.
