Re: SSH2 Exploit?

[H D Moore <sflist () digitaloffense net>]

This is a ssh1 crc32 auto-rooter, courtesy of incident response:

http://www.digitaloffense.net/autossh.tgz

You have 24 hours to grab a copy before I remove it. I have not checked the 
contained binaries for trojans or virii yet, so please dont run them unless 
you verify them yourself. An auto-rooter would not be created if the exploit 
it used (x2) doesn't work...

On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
> There's nothing here that actually suggests the systems were compromised
> via sshd, neither sshd1 nor sshd2.  Nor is there an actual accounting of
> what other services were open for possible exploit on the systems in
> question.  Nothing about the kernels chosen and possible problems there,
> nor if the systems were acutally remotely exploited of if <as is much more
> possible> that an internal user on the systems actually rooted the
> systems.  I have seen code to scan for sshd1, seen the traces in my logs,
> and there have been hints of possible sshd1 exploit code ciculating for
> awhile now, with no real evicdence presented there is such an exploit in
> use that works remotely.  Those exploits of sshd1 that have been suggested
> are far above the needs and skills of simple skript-kiddies though.  SSHD2
> that I've seen vulnerabilites mentioned for though are those that include
> sshd1 support, so, if there is real evidence of an sshd2 remote exploit or
> even a remote sshd1 exploit in acutal use, then, I'd certainly like to see
> the code or binaries in question.  Otherwie, we only have rumrrs of such
> and most likely have systems hacked via other vectors that are used to
> scan for possibly exploitable sshd's, and these scans are possibly placed
> for scare tactics or diversion from the real purpose of the rooting that
> has taken place.
>
> Thanks,
>
> Ron DuFresne