Re: OpenSSH

[Peter Bruderer <brudy () bruderer-research com>]

First of all, go to openssh-3.4p1
openssh 3.2.2 is still vulnerable.

Second: have you set 

ChallengeResponseAuthentication no 
UsePrivilegeSeparation yes
PAMAuthenticationViaKbdInt no

in the config file?

On Friday 06 September 2002 20:41, Jeremy Junginger wrote:
> Hello,
>
> I am back again, and auditing an internally accessible ssh server for
> the challenge-response buffer overflow.  I'll keep it brief:
>
> OS: RedHat Linux (6.2)
> SSH Version:  SSH-1.99-OpenSSH_3.1p1
>
> I have already done the following:
>
> Downloaded and extracted openssh-3.2.2p1.tar.gz
> Patched the client with ssh.diff (patch < ssh.diff)
> Compiled patched client ( ./configure && make ssh)
> Run the "patched" ssh (./ssh x.x.x.x)
>
> I am receiving the following output
> ./scanssh 172.16.51.23
> [*] remote host supports ssh2
> [*] server_user: root:skey
> [*] keyboard-interactive method available
> [x] bsdauth (skey) not available
> Permission denied (publickey,password,keyboard-interactive).
>
> I have not investigated any further, but don't feel comfortable calling
> the service "secured" without a little peer review.  Do you have any
> tips on manipulating the method, style, repeats, chunk size, or
> connect-back shellcode repeat?  Any ideas will be greatly appreciated.
> Thanks, and have a great day!
>
> -Jeremy

-- 
  Peter Bruderer                 mailto:brudy () bruderer-research com
  Bruderer Research GmbH                      Tel ++41 52 620 26 53
  IT Security Services                        Fax ++41 52 620 26 54
  CH-8200 Schaffhausen             http://www.bruderer-research.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/