Full Disclosure mailing list archives
RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!*
From: "Brian Dinello" <brian.dinello () vigilantminds com>
Date: Fri, 19 Sep 2003 11:38:24 -0400
All:

Just to add to the readily growing list of stupid things this "exploit" does, it set off my Snort IDS when attempting to root my test box. Looks like it _may_ actually incorporate some shell code in a REALLY old CRC32 overflow from 2001.

Here's the CVE link, if anyone's interested:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144

And the snort sig that it hit:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)

And the systems that it _may_ be able to affect/infect:

Affected Systems:
OpenSSH versions prior to 2.2
Multiple Cisco network devices
Multiple Netscreen network devices
SSH Secure Communications prior to 1.2.31

Needless to say, I doubt anyone will soon be reporting any instances of this piece of code actually doing anything to a remote host.

Brian Dinello, CISSP

-----Original Message-----
From: Adam Balogh [mailto:adam () vattnet net]
Posted At: Friday, September 19, 2003 8:59 AM
Posted To: Full Disclosure
Conversation: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
Subject: Re: [Full-disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*

Probably a scriptkiddie or some random idiot. The fun part was it came up with totally different offsets, then I mean TOTALLY different, each time you ran it, and if you gave it an offset it would "work" no matter what. For those people who ran it... change all your passwords. :)

/Adam

Vitaly Osipov wrote:

On Fri, 2003-09-19 at 14:21, V.O. wrote:

Yeah, I missed the fact that after "calculating" the offset it starts to "exploit" in the same way as if it was given an offset as a parameter. Anyway, I simply wanted to note that whoever posted it here was either knowingly lying about its purpose or not having a clue about UNIX at all :)

W.

----- Original Message -----
From: "Adam Balogh" <adam () vattnet net>
To: "Full Disclosure" <full-disclosure () netsys com>
Sent: Friday, September 19, 2003 9:47 PM
Subject: Re: [Full-disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*

Vitaly Osipov wrote:

which is obviously not true. Btw as far as I understand, the trojan code is triggered when the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.

W.

Me and my friend tried to run it on a lab-box that's not connected directly to the internet and doesn't relay mails. It doesn't use that special offset as a trigger. We got as many "sys3" accounts in /etc/passwd as the number of times we ran it, plus those outgoing mails queued.

/Adam Balogh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
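The Snort signature quoted above, as a small Python evaluator added here (not code from the original thread or from Snort): it parses the rule header and the content option's |hex| notation into bytes, then runs the match against constructed sample packets. The dict packet representation, the restriction to the options this one rule uses, and treating $EXTERNAL_NET/$HOME_NET as "any" are assumptions of this example.

```python
import re
from collections import namedtuple

# The rule quoted in the message above, verbatim.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
        'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
        'classtype:shellcode-detect; sid:1326; rev:3;)')

Rule = namedtuple("Rule", "proto dport to_server content msg sid")

def snort_content_to_bytes(spec: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside |...| is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(text: str) -> Rule:
    """Handles only the header fields and options this rule uses; IP vars are ignored (assumption)."""
    header, opts = text.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    kv = {k: v.strip('"') for k, v in
          re.findall(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);', opts)}
    return Rule(proto, dport, "to_server" in kv.get("flow", ""),
                snort_content_to_bytes(kv["content"]), kv["msg"], int(kv["sid"]))

def matches(rule: Rule, pkt: dict) -> bool:
    """pkt is a constructed dict with keys proto, dport, to_server, payload."""
    return (pkt["proto"] == rule.proto
            and (rule.dport == "any" or pkt["dport"] == int(rule.dport))
            and (not rule.to_server or pkt["to_server"])
            and rule.content in pkt["payload"])

def scan(rule: Rule, packets: list) -> list:
    """One alert string per matching packet."""
    return [f"[{rule.sid}] {rule.msg}" for p in packets if matches(rule, p)]

# Constructed sample traffic (not real captures): only the first entry should alert.
SAMPLES = [
    {"proto": "tcp", "dport": 22, "to_server": True,  "payload": b"\x00" * 8 + b"\x90" * 64},
    {"proto": "tcp", "dport": 22, "to_server": True,  "payload": b"SSH-1.5-OpenSSH_2.1.1\r\n"},
    {"proto": "tcp", "dport": 22, "to_server": True,  "payload": b"\x90" * 15 + b"\x00"},
    {"proto": "tcp", "dport": 80, "to_server": True,  "payload": b"\x90" * 16},
    {"proto": "tcp", "dport": 22, "to_server": False, "payload": b"\x90" * 16},
]
```

The rule keys on nothing but a 16-byte run of 0x90 toward port 22, which is why a tool that merely ships an old NOP sled trips it regardless of whether any overflow actually happens.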
Current thread:
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Schmehl, Paul L (Sep 19)
- Re: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Cael Abal (Sep 19)
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Adam Balogh (Sep 22)
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Brian Dinello (Sep 19)
- Re: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Patrick Dolan (Sep 19)