SSL and SSH

Jeremy Fowler jfowler at westrope.com
Thu Mar 21 20:20:32 CST 2002


The exploit double frees a memory location which causes a segfault (that's what
happens in UNIX anyway) and crashes any program that uses the old library. I
doubt you can gain root access from a segfault; however, I could be
wrong. -Jeremy

> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Brian Densmore
> Sent: Thursday, March 21, 2002 1:20 PM
> To: KCLUG (E-mail)
> Subject: RE: SSL and SSH
>
>
> Static linking is generally a very bad thing. Think about all those
> applications out there that are static linked to zlib 1.1.3. They all
> now have to be recompiled with zlib 1.1.4 to fix the "double free" root
> exploit. Anyone figured out how to use it yet? Please don't post it, if
> you have. I am just wondering. I haven't figured out a way to exploit
> from an external machine. I could write a program to do it, but then the
> problem is to get it on to a box and then execute it. I'm not sure how
> you would do it without putting your own trojan on the box first. So you
> would have to have an exploit to exploit the exploit!? That new PHP
> exploit actually sounds rather bad though.
>
> Brian
>
> > -----Original Message-----
> > From: JD Runyan [mailto:Jason.Runyan at nitckc.usda.gov]
> > Sent: Thursday, March 21, 2002 11:41 AM
> > To: KCLUG (E-mail)
> > Subject: Re: SSL and SSH
> >
> >
> > You can compile it with static linking of the ssl libraries, but I think you
> > would have to use another machine to generate keys.
> > On Mar 21 11:13, Brian Densmore wrote:
> > > ssh depends on ssl. Can't install ssh if you don't have ssl. At least
> > > none of the versions I have ever seen let you. I'd be interested in
> > > knowing of anyone who has installed ssh without ssl. Not that I
> > > recommend it.
> > >
> > > > -----Original Message-----
> > > > From: Jonathan Hutchins [mailto:hutchins at opus1.com]
> > > > Sent: Thursday, March 21, 2002 11:08 AM
> > > > To: Brian Densmore; KCLUG (E-mail)
> > > > Subject: Re: Permissions Question
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian Densmore" <DensmoreB at ctbsonline.com>
> > > >
> > > >
> > > > > Install openssl and openssh.
> > > >
> > > > You explain what Seth will be doing with SSH, but why does he
> > > > need ssl too?
> > > >
> > > >
> > >
> > >
> >
> > --
> > JD Runyan
> > Mid-Range Systems Administrator
> > USDA NITC Kansas City
> >
> >
> >
>
>



