Bugtraq mailing list archives
Re: SSH Protocol Trick
From: stealth <stealth () segfault net>
Date: Tue, 23 Jul 2002 12:47:39 +0000
On Mon, Jul 22, 2002 at 04:43:41PM -0700, auto458545 () hushmail com wrote: Hi, <note-to-moderator> I'd appreciate if you can approve this ;-) </..>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SSH Protocol Weakness Advisory Monday, July 22 2002 - - rtm OK, here it is guys... I saw this today when I was looking at the newest issue of phrack (59) and I discovered that an old little technique of SSH man in the middle attacks I had been working on was now part of a Phrack article....
Obviously half of the world already knew all of the tricks. If so why didnt *YOU* tell it the world??
Luckily, source code hadn't been disclosed yet, and neither will mine. I just wanted to get this issue out in the open so people could secure themselves while they can. Remember, that the ssh daemon So far, all vendors are vulnerable to this little trick, including commercial based SSH and OpenSSH. http://www.ssh.com http://www.openssh.com You can find more details about the attack at http://www.sekurityfocus.com/phrack59/ (Note: this is a leaked copy of phrack magazine which is not endorsed by phrack.org) Basically, ssh daemons advertise one of two major versions, depending on what is supported by the software /configuration files, for SSH protocol version 1, or 2. Compatibility mode is enabled with a version of 1.99. It is servers which advertise this compatibility mode of 1.99 which are vulnerable to the attack. Servers in compatability mode have both protocols 1 and 2 enabled. If the client has a key enabled for say, only SSH protocol 1 or 2, the malicious interloper, "Mallory," using ssh mitm arp techniques which are available in say, ettercap or dsniff, can advertise the opposite protocol in the fake sshd version string used in the banner handshake. If a client has only used say, SSH 1 authentication in the past, it will not contain a SSH2 key, so no "Host Identification has changed" message will be present when the fake server advertises its public host key. The targeted victim will only see a "KEY NOT PRESENT" prompt and will be asked if they want to add the key. Obviously, this removes some of the fear paranoid users would feel when facing a real mitm attack. Remember, this is not a direct vulnerability in the SSH 1 or 2 protocols, but rather a slight trick that can be abused.
Good you explain it again. Doppelt haelt besser. :) I am already in contact with SSH vendors. Might be that fixes are not necessary because its not a bug someone can exploit without help of the user. The phrack article which is also available as .pdf paper is part of research I do at university and was not ment for public before phrack59 is released. It is part of deeper research regarding weaknesses in SSH (yes, there are more!) and nobody wants inaccurate or incomplete papers, or do you like them Robert? Additionally because leaks are expected especially in such topics like SSH proto analyzation the "exploit" tool has not yet been released so kids have no chance to do any harm. thanks, S.
Current thread:
- SSH Protocol Trick auto458545 (Jul 22)
- Re: SSH Protocol Trick H D Moore (Jul 22)
- Re: SSH Protocol Trick stealth (Jul 23)
- Message not available
- Re: SSH Protocol Trick stealth (Jul 23)
- Message not available
- Re: SSH Protocol Trick Mikael Olsson (Jul 23)
- Re: SSH Protocol Trick Markus Friedl (Jul 25)