Re: SSH Protocol Trick

[stealth <stealth () segfault net>]

On Mon, Jul 22, 2002 at 04:43:41PM -0700, auto458545 () hushmail com wrote:

Hi,

<note-to-moderator>
I'd appreciate if you can approve this ;-)
</..>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - - rtm
>
> OK, here it is guys... I saw this today when I was looking at the newest issue of phrack (59)
> and I discovered that an old little technique of SSH man in the middle attacks I had been working
> on was now part of a Phrack article....
Obviously half of the world already knew all of the tricks.
If so why didnt *YOU* tell it the world??

> Luckily, source code hadn't been disclosed yet, and neither will mine. I just wanted to get this
> issue out in the open so people could secure themselves while they can.
> Remember, that the ssh daemon
>
> So far, all vendors are vulnerable to this little trick, including commercial based SSH and OpenSSH.
> http://www.ssh.com
> http://www.openssh.com
>
> You can find more details about the attack at http://www.sekurityfocus.com/phrack59/
> (Note: this is a leaked copy of phrack magazine which is not endorsed by phrack.org)
>
> Basically, ssh daemons advertise one of two major versions, depending on what is supported by the
> software /configuration files, for SSH protocol version 1, or 2. Compatibility mode is enabled with a
> version of 1.99. It is servers which advertise this compatibility mode of 1.99 which are vulnerable to
> the attack. Servers in compatability mode have both protocols 1 and 2 enabled.
> If the client has a key enabled for say, only SSH protocol 1 or 2, the malicious interloper, "Mallory,"
> using ssh mitm arp techniques which are available in say, ettercap or dsniff, can advertise the opposite
> protocol in the fake sshd version string used in the banner handshake.
> If a client has only used say, SSH 1 authentication in the past, it will not contain a SSH2 key, so
> no "Host Identification has changed" message will be present when the fake server advertises its public
> host key. The targeted victim will only see a "KEY NOT PRESENT" prompt and will be asked if they want
> to add the key.
> Obviously, this removes some of the fear paranoid users would feel when facing a real mitm attack.
> Remember, this is not a direct vulnerability in the SSH 1 or 2 protocols, but rather a slight trick that
> can be abused.
Good you explain it again. Doppelt haelt besser. :) 

I am already in contact with SSH vendors. Might be that fixes are not necessary because
its not a bug someone can exploit without help of the user.

The phrack article which is also available as .pdf paper is part of research I do at university
and was not ment for public before phrack59 is released. It is part of deeper research regarding
weaknesses in SSH (yes, there are more!) and nobody wants inaccurate or incomplete papers,
or do you like them Robert?

Additionally because leaks are expected especially in such topics like SSH proto
analyzation the "exploit" tool has not yet been released so kids have no chance to do
any harm. 

thanks,
S.