SSL and SSH

Gerald Combs gerald at ethereal.com
Thu Mar 21 21:04:51 CST 2002


On Thu, 21 Mar 2002, Brian Densmore wrote:

> Static linking is generally a very bad thing. Think about all those
> applications out there that are static linked to zlib 1.1.3. They all
> now have to be recompiled with zlib 1.1.4 to fix the "double free" root
> exploit. Anyone figured out how to use it yet? Please don't post it, if
> you have. I am just wondering. I haven't figured out a way to exploit
> from an external machine. I could write a program to do it, but then the
> problem is to get it on to a box and then execute it. I'm not sure how
> you would do it without putting your own trojan on the box first. So you
> would have to have an exploit to exploit the exploit!? That new PHP
> exploit actually sounds rather bad though.

Most browsers support zlib-compressed data streams, e.g. if you have
"file.txt.gz" or "file.html.gz" on your web server, Mozilla, Netscape, and
IE will happily decompress them on the fly.  If you can manage to find an
exploit using this method you might be able to run arbitrary code on
someone's machine simply by getting them to load a web page (or by sending
them an email in the case of Outlook).

> Brian
> 
> > -----Original Message-----
> > From: JD Runyan [mailto:Jason.Runyan at nitckc.usda.gov]
> > Sent: Thursday, March 21, 2002 11:41 AM
> > To: KCLUG (E-mail)
> > Subject: Re: SSL and SSH
> > 
> > 
> > You can compile it with static linking of the ssl libraries, but I think
> > you would have to use another machine to generate keys.
> > On Mar 21 11:13, Brian Densmore wrote:
> > > ssh depends on ssl. Can't install ssh if you don't have ssl. At least
> > > none of the versions I have ever seen let you. I'd be interested in
> > > knowing of anyone who has installed ssh without ssl. Not that I
> > > recommend it.
> > > 
> > > > -----Original Message-----
> > > > From: Jonathan Hutchins [mailto:hutchins at opus1.com]
> > > > Sent: Thursday, March 21, 2002 11:08 AM
> > > > To: Brian Densmore; KCLUG (E-mail)
> > > > Subject: Re: Permissions Question
> > > > 
> > > > 
> > > > ----- Original Message ----- 
> > > > From: "Brian Densmore" <DensmoreB at ctbsonline.com>
> > > > 
> > > > 
> > > > > Install openssl and openssh. 
> > > > 
> > > > You explain what Seth will be doing with SSH, but why does he need
> > > > ssl too?
> > > > 
> > > > 
> > > 
> > > 
> > 
> > -- 
> > JD Runyan
> > Mid-Range Systems Administrator
> > USDA NITC Kansas City
> > 
> > 
> > 
> 
> 
> 
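The static-linking problem raised in this thread comes down to finding which binaries carry their own copy of zlib 1.1.3. The sketch below is an added example, not part of the original message: it relies on the copyright banners that zlib compiles into its deflate and inflate code, and the function names and sample byte strings are constructed for illustration.

```python
import re
import sys

# zlib compiles banners such as
#   " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
# into every binary that links its code statically (and into libz itself).
BANNER = re.compile(
    rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} "
    rb"(?:Jean-loup Gailly|Mark Adler)"
)
FIXED = (1, 1, 4)  # release named in the thread as fixing the double free


def zlib_versions(data):
    """Return the set of zlib version strings embedded in a byte blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(data)}


def needs_rebuild(version):
    """True if the embedded zlib predates the fixed release."""
    return tuple(int(part) for part in version.split(".")) < FIXED


def scan(data):
    """Map each embedded zlib version to whether it needs a rebuild."""
    return {v: needs_rebuild(v) for v in zlib_versions(data)}


def scan_file(path):
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed samples standing in for binary contents (not real executables).
SAMPLE_OLD = (b"\x7fELF\x01\x01\x00padding\x00"
              b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
              b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_FIXED = (b"\x7fELF\x01\x01\x00padding\x00"
                b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00")

if __name__ == "__main__":
    # Usage: python zlibscan.py /usr/local/bin/*   (paths are up to the reader)
    for path in sys.argv[1:]:
        for version, stale in sorted(scan_file(path).items()):
            print(f"{path}: zlib {version} {'REBUILD' if stale else 'ok'}")
```

A binary that links zlib dynamically shows no banner of its own; scanning the shared library file reports the version it will actually load.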



