Security Incidents mailing list archives

Re: Attacks against SSH?


From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 3 Dec 2001 22:45:56 -0800 (PST)

> i've seen quite a few attempts against sshd in the last few days,
> since rumours of a "new OpenSSH exploit" started wandering around.

This is not a rumor.

> the thread can be found here:
>
> http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1
>
> it's a tad bit short on technical details.. but, to summarise:
>
>       1. There is still no proven exploit against OpenSSH 2.3
>          and newer (that i've seen).
>
>       2. there has been a rise in attacks on ssh daemons in the
>          last week.

I would concur with both points.  Word has not been getting around
fast enough, so there are still many vulnerable systems out there
being exploited.  See Niels Provos' post to BUGTRAQ with graphs
showing this, and a tool for scanning your network:

        http://www.citi.umich.edu/u/provos/ssh/

> i tested out a binary exploit that "supposedly" worked on OpenSSH
> 2.3 to 3.0 (but not 3.0.1p1), and had it fail each time. it
> apparently does attack the CRC bug in unpatched/vulnerable versions
> of ssh.

...same here.

> the exploit is (supposedly) encrypted, stripped, and for x86 linux.

Not supposedly, or stripped (to be precise), but the x86 Linux
part is for sure.  Put it this way: you won't find anything by
just running "strings". ;)

This binary has been found in several places around the world
over the past two weeks, in one case part of a rootkit including
the Adore LKM and Universal rootkit for SUSE Linux w/default 0xff
XORed config file (K2 - you owe me ANOTHER beer;) For more on how to
"decrypt" this config file ("uconf.inv"), see the Honeynet Project's
Scan of the Month #16 at:

        http://project.honeynet.org/scans/scan16/

(If they figure out how to modify the source, you'll have to write a
simple Perl script to try 0x00 through 0xfe to make it readable, or
follow the methods used in the winning Scan of the Month entry.)

This exploit is indeed a different crc32 exploit than the one I
analyzed a couple weeks ago, but it affects the same set of systems as
the one I analyzed.  For those who haven't seen it, the analysis
includes examples and a script for scanning your network to identify
*potentially* vulnerable systems (you need to check the version of
your protocol 1 fallback server separately, if you allow fallback):

        http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

This exploit behaves slightly differently in that it gives a root
shell directly (after first returning the output of the "hostname",
"uname -a", and "id" commands).

> the binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30.
> it's roughly 1.4 megs in size. i've only seen it as "x2".

By the way, thanks very much for including an MD5 hash.  That helps a
great deal in determining if something is new/old/changed.  I've also
seen it named "x1" (but it's the same binary - Thanks David.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
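The 0xff-XORed config file and the "try 0x00 through 0xfe" recovery described above, as an added example (Python rather than the Perl the post mentions; this is not code from the post, the rootkit, or the Honeynet entry). It goes slightly beyond the post by trying the full single-byte key space 0x00..0xff and ranking the candidates by how much the output looks like a text config file, so it also finds a modified key; the sample blob is constructed.

```python
# Added example (not from the original post): brute-force recovery of a
# single-byte-XOR obfuscated config file such as the "uconf.inv" described
# above. Every key 0x00..0xff is tried and candidates are ranked by how much
# they look like a text config file.
import string

# Bytes we accept in a decoded text file: printable ASCII plus tab, LF, CR.
ALLOWED = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Bytes that raise the "looks like a config file" score.
TEXTLIKE = set(string.ascii_letters.encode() + string.digits.encode() + b" \n")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)

def text_score(candidate: bytes):
    """Return None if any byte is not printable text, otherwise the count of
    letters, digits, spaces and newlines (higher means more config-like)."""
    if any(b not in ALLOWED for b in candidate):
        return None
    return sum(1 for b in candidate if b in TEXTLIKE)

def rank_keys(data: bytes):
    """Try all 256 single-byte keys; return [(score, key)] best first,
    keeping only keys whose output is entirely printable."""
    ranked = []
    for key in range(256):
        score = text_score(xor_bytes(data, key))
        if score is not None:
            ranked.append((score, key))
    ranked.sort(reverse=True)
    return ranked

def recover_config(data: bytes):
    """Return (key, plaintext) for the best-scoring key, or None."""
    ranked = rank_keys(data)
    if not ranked:
        return None
    key = ranked[0][1]
    return key, xor_bytes(data, key)

# Constructed sample config, obfuscated with the 0xff default the post mentions.
SAMPLE_PLAIN = b"# constructed sample\nhide_file=/tmp/.x\nhide_proc=x2\n"
SAMPLE_OBFUSCATED = xor_bytes(SAMPLE_PLAIN, 0xFF)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OBFUSCATED
    found = recover_config(blob)
    if found is None:
        print("no single-byte key yields printable text")
    else:
        key, text = found
        print(f"key 0x{key:02x}:\n{text.decode('ascii')}")
```

Run it with the path to a captured config file as the only argument; if the file uses a multi-byte key or binary fields, widen ALLOWED or rank by the full list from rank_keys instead of taking only the top hit.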



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
