Security Incidents mailing list archives

Re: Attacks against SSH?


From: "f.johan.beisser" <jan () caustic org>
Date: Mon, 3 Dec 2001 11:09:03 -0800 (PST)

On Mon, 3 Dec 2001 johan.augustsson () adm gu se wrote:


> I stumbled over this post at the openssh-unix-dev mailing list last week -
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
> The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
> RedHat 7.0) up and running when he received what looks to be a
> CRC32 attack. A few minutes later you can see (he posted parts of the
> logfile) a new user being created with uid=0 and then how a connection
> is made from a system in Israel.
>
> There has been no confirmation about what he writes, but I received the
> following mail as an answer to my questions.
>
> [ text cut out]
>
> So, to the main question.
> Has anyone else had a system compromised by the CRC32 attack when
> running a version of sshd that is believed to be secure? OpenSSH-2.3.0
> or later, SSH 1.2.32 or later.

i've seen quite a few attempts against sshd in the last few days, since
rumours of a "new OpenSSH exploit" started wandering around.

the thread can be found here:

http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1

it's a tad bit short on technical details, but, to summarise:

        1. There is still no proven exploit against OpenSSH 2.3
           and newer (that i've seen).

        2. there has been a rise in attacks on ssh daemons in the
           last week.

i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
3.0 (but not 3.0.1p1), and had it fail each time. it apparently does attack
the CRC bug in unpatched/vulnerable versions of ssh.

the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
roughly 1.4 megs in size. i've only seen it as "x2".


-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan () caustic org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche
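
As an added example (not code from either poster), this is the log-correlation check a responder would want for the pattern the thread describes: an sshd CRC32 compensation-attack detector message followed within minutes by a uid 0 account being created and then a remote login of that account. The syslog excerpt is constructed; the sshd wording follows what OpenSSH's deattack.c emits when its detector trips, the useradd line follows shadow-utils' syslog format, and the 30-minute correlation window and the host name are assumptions. It also carries the MD5 given above for "x2" as a cheap file-hash indicator check.

```python
"""Triage helpers for the pattern discussed in the thread: sshd CRC32
compensation-attack detector hit, then a uid 0 account created on the same
host, then that account logging in from outside. Added example, not the
posters' code."""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not the poster's log). The first sshd
# line uses the wording OpenSSH's deattack.c produces when the CRC32
# compensation-attack detector fires; the useradd line follows shadow-utils'
# syslog format. Host "gw" and the addresses are made up.
SAMPLE_LOG = """\
Nov 27 03:12:41 gw sshd[1234]: Disconnecting: crc32 compensation attack: network attack detected
Nov 27 03:12:41 gw sshd[1234]: Disconnecting: Corrupted check bytes on input.
Nov 27 03:17:05 gw useradd[1300]: new user: name=toor, UID=0, GID=0, home=/, shell=/bin/sh
Nov 27 03:18:30 gw sshd[1310]: Accepted password for toor from 192.0.2.77 port 3341
Nov 27 09:00:00 gw sshd[2001]: Accepted publickey for alice from 198.51.100.5 port 50022
Nov 28 10:00:00 gw useradd[2200]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (no year).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
CRC32_RE = re.compile(r"crc32 compensation attack", re.I)
NEWUSER_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)", re.I)
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

# MD5 the post gives for the "x2" binary. A hash match is a weak indicator
# (the attacker can trivially change it), but it costs nothing to check.
X2_MD5 = "1309689a9af6b82e11e8dfa5c6282c30"


def parse_syslog(text, year):
    """Parse syslog lines into event dicts; `year` is supplied by the caller
    because the classic syslog timestamp omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the triage
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return events


def correlate(events, window_minutes=30):
    """For every sshd CRC32 detector hit, report uid 0 accounts created on the
    same host within `window_minutes` afterwards, plus any login of that
    account inside the same window. One finding per (hit, account) pair."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for atk in events:
        if atk["prog"] != "sshd" or not CRC32_RE.search(atk["msg"]):
            continue
        deadline = atk["time"] + window
        for ev in events:
            nu = NEWUSER_RE.search(ev["msg"])
            if not nu or ev["host"] != atk["host"] or int(nu["uid"]) != 0:
                continue
            if not (atk["time"] <= ev["time"] <= deadline):
                continue
            name = nu["name"]
            logins = []
            for e in events:
                lm = LOGIN_RE.search(e["msg"])
                if (lm and lm["user"] == name and e["host"] == atk["host"]
                        and ev["time"] <= e["time"] <= deadline):
                    logins.append(lm["ip"])
            findings.append({
                "host": atk["host"],
                "attack_time": atk["time"],
                "new_root_user": name,
                "created_at": ev["time"],
                "logins_from": logins,
            })
    return findings


def md5_matches_x2(data, expected=X2_MD5):
    """True if `data` (file contents) hashes to the MD5 the post lists for x2."""
    return hashlib.md5(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for f in correlate(parse_syslog(SAMPLE_LOG, 2001)):
        print(f"{f['host']}: CRC32 detector hit {f['attack_time']:%b %d %H:%M:%S}, "
              f"uid 0 account '{f['new_root_user']}' created {f['created_at']:%H:%M:%S}, "
              f"logins from {f['logins_from'] or 'none'}")
```

On the sample data this reports a single finding (the toor account and its login from 192.0.2.77); alice's normal login hours later and bob's non-root account are ignored. Note that the detector message on its own only proves that someone sent a CRC32 compensation-attack packet, which the thread itself says is happening widely; it is the uid 0 creation afterwards that turns it into a compromise.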


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
