Security Incidents mailing list archives
Re: Attacks against SSH?
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Tue, 4 Dec 2001 12:31:28 -0500 (EST)
ver>=2.3.0 of openssh patched the vulnerability
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Also, here's a recent sanitized targets file for the x2 executable:

-----begin targets-----
SSH-1.5-1.2.27,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
Small - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
Big - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,1
-----end targets-----

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Tue, 4 Dec 2001 johan.augustsson () adm gu se wrote:

> "f.johan.beisser" wrote:
>
> > i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
> > 3.0 (but not 3.0.1p1), and had it fail each time. it apparently does
> > attack the CRC bug in unpatched/vulnerable versions of ssh.
> >
> > the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
> > binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
> > roughly 1.4 megs in size. i've only seen it as "x2".
>
> I know that the x2 binary uses a targetfile with some offsets for
> different sshd. The one I've seen only contains offsets for SSH-1.2.27 and
> OpenSSH-2.2.0p1. If this exploit really works against OpenSSH-2.9.9 you'll
> need a targetfile with the offsets for OpenSSH-2.9.9.
>
> /Johan Augustsson
>
> --------------------------------------------------------------------
> Johan Augustsson               Phone:  +46 (0)31 773 1000
> Incident Response Team         Fax:    +46 (0)31 773 1087
> Göteborg University            E-mail: Johan.Augustsson () adm gu se
> Sweden
> --------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
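For anyone taking inventory after this thread, an added example (not part of any list message) that triages collected sshd banners against the two facts posted above: OpenSSH is patched from 2.3.0, and the targets file lists SSH-1.5-1.2.27 and SSH-1.99-OpenSSH_2.2.0p1. The function names, result labels and sample banners are constructed, and treating a 2.0-only banner as out of scope for this check is an assumption.

```python
import re

# Identification string: SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")

FIXED_OPENSSH = (2, 3, 0)        # "ver>=2.3.0 of openssh patched" (from the thread)
LISTED_NON_OPENSSH = {"1.2.27"}  # SSH-1.5-1.2.27 appears in the posted targets file


def triage(banner):
    """Classify one sshd banner as 'flag', 'review', 'ok' or 'unparsed'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    proto, software = m.groups()
    # 1.5 is SSH protocol 1; 1.99 is protocol 2 with protocol 1 still accepted.
    if proto not in ("1.5", "1.99"):
        # Assumption: the CRC32 issue is in SSH1 handling, so a daemon that
        # only announces 2.0 is out of scope for this particular check.
        return "ok"
    o = OPENSSH_RE.match(software)
    if o:
        version = tuple(int(part or 0) for part in o.groups())
        return "flag" if version < FIXED_OPENSSH else "ok"
    if software in LISTED_NON_OPENSSH:
        return "flag"
    # SSH1 offered by software for which the thread gives no fixed version.
    return "review"


def triage_all(banners):
    """Group banners by triage result so the 'flag' hosts can be handled first."""
    grouped = {}
    for banner in banners:
        grouped.setdefault(triage(banner), []).append(banner)
    return grouped


# Constructed sample input, e.g. banners collected from one's own hosts.
SAMPLE = [
    "SSH-1.5-1.2.27",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.9.9p2",
    "SSH-2.0-OpenSSH_3.0.1p1",
    "SSH-1.5-1.2.30",
    "220 mail.example.org ESMTP",
]

if __name__ == "__main__":
    for result, hosts in triage_all(SAMPLE).items():
        print(result, hosts)
```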