OpenSSH Remote Challenge Vulnerability

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at remotely-exploitable vulnerabilities in OpenSSH and Apache; a denial-of-service attack against BIND 9; buffer overflows in libc, tcpdump, and some RADIUS daemons; and problems in dnstools, XChat, UnixWare and Open UNIX's ppptalk, and IRIX's pmpost.

OpenSSH Remote Challenge Vulnerability

OpenSSH, a free version of SSH (Secure Shell), is vulnerable to a buffer overflow attack in the challenge response code, which can be used by a remote attacker to gain root access to a server. In addition, OpenSSH versions 2.9.9 through 3.3 are vulnerable to an integer overflow that also can be used to gain root access, versions 2.3.1 through 3.3 are vulnerable to a problem in PAMAuthenticationViaKbdInt, and versions between 2.9.9 and 3.3 have a bug in ChallengeResponseAuthentication. Distributions known to be vulnerable include OpenBSD 3.0, OpenBSD 3.1, FreeBSD-Current, and any system using OpenSSH version 3.0 through 3.2.3. Only OpenSSH versions compiled with the SKEY or BSD_AUTH are vulnerable to the challenge-response vulnerability.

It is recommended that users of OpenSSH upgrade to version 3.4 or newer as soon as possible and that UsePrivilegeSeparation be configured.


There is a remotely exploitable vulnerability in the Apache Web server that can be used to execute arbitrary code on the server with the permissions of the user account running Apache. It has been reported that all versions of Apache before 1.3.26 and 2.0.37 are vulnerable. Exploit programs have been released that automate the exploitation of this vulnerability under OpenBSD, FreeBSD, and NetBSD. It is very likely that other exploit scripts or applications have been or will be released for other operating systems.

Related Reading

SSH, The Secure Shell: The Definitive Guide
By Daniel J. Barrett, Richard E. Silverman

Users should upgrade to a repaired version of the Apache Web server. It has been reported that the repaired versions are 2.0.39 and 1.3.26. Update packages have been announced for Red Hat Linux, Mandrake Linux, Slackware Linux, OpenLinux, IBM Linux Affinity, OpenPKG, Unisphere Networks SDX-300 Service Deployment System, and EnGarde Secure Linux.


BIND 9 is vulnerable to a denial-of-service attack that, when exploited, will cause the BIND daemon to shut down. The denial-of-service attack is conducted by sending a carefully-crafted DNS packet that causes a function to call abort() and shut down the BIND daemon. The attacker cannot cause code to be executed, nor any files to be written, by exploiting this problem. BIND versions 4 and 8 are not reported to be vulnerable.

Affected users should upgrade to BIND 9.2.1 or watch their vendor for an update. Packages containing a repaired version of BIND have been announced for SuSE Linux, Conective Linux, OpenUnix, and Red Hat Linux.


A buffer overflow in the DNS resolver code of libc has been reported. This buffer overflow may be exploitable by an attacker that controls a DNS server to send a reply that will overflow the library function (the example given in the report was the function gethostbyname) on the local machine, and allow the attacker to execute arbitrary code.

It is reported that libc in the CVS repositories for FreeBSD, NetBSD, and OpenBSD have been fixed.


There are several buffer overflows in tcpdump that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the account running tcpdump (often root).

Affected users should upgrade to an updated tcpdump package. Repaired packages have been announced for SuSE Linux, Conectiva Linux, OpenLinux, and Trustix Secure Linux.


Several RADIUS servers, including radiusd-cistron, freeradius, livingston-radius, and radiusclient, are vulnerable to a buffer overflow in the code that deals with digest calculations. This buffer overflow can be used by a remote attacker to execute arbitrary code on the server using the permissions of the user running the RADIUS daemon.

It is recommended that users upgrade their affected RADIUS daemon to a repaired version. The buffer overflow is reported to be fixed in version 1.6.5 of radiusd-cistron and version 0.3.2 of radiusclient.


dnstools is a Web-based DNS configuration and administration tool. It has a flaw that can be used by an attacker to access pages with administrative privileges, allowing the attacker to modify the DNS records on the server.

Users should upgrade to version 2.0 beta 5 as soon as possible.


The XChat Internet Relay Chat (IRC) client is vulnerable to a remote attack that can be used to execute arbitrary commands on the client with the permissions of the user running XChat. The attacker must control an IRC server that the client connects to, and cause it to send a malicious response back to the client during a /dns command, in order to exploit this vulnerability.

Users should upgrade XChat to version 1.8.9 or newer as soon as possible.

UnixWare and Open UNIX ppptalk

ppptalk under Open UNIX and UnixWare is vulnerable to a local attack that can be exploited to gain root. This vulnerability affects UnixWare 7.1.1 and Open UNIX 8.0.0.

ppptalk should be upgraded to the latest packages or should have its set user id bit removed.

IRIX pmpost

pmpost, part of the Performance Co-Pilot, has a bug that can be used by a local attacker to append data to system files, possibly leading to a root compromise. The Performance Co-Pilot package is not installed by default on IRIX 6.5 systems.

Affected users should contact SGI for updated packages. Users who choose to not upgrade the Performance Co-Pilot package should remove the set user id bit from /usr/pcp/bin/pmpost. SGI states that removing the set user id bit will cause non-root processes to not be able to append to /var/adm/pcplog/NOTICES.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2017 O'Reilly Media, Inc.