Security Incidents mailing list archives

Re: Attacks against SSH?


From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Tue, 4 Dec 2001 12:31:28 -0500 (EST)

ver>=2.3.0 of openssh patched the vulnerability

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Also, here's a recent sanitized targets file for the x2 executable:

-----begin targets-----
SSH-1.5-1.2.27,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
Small - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
Big - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,1
-----end targets-----

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Tue, 4 Dec 2001 johan.augustsson () adm gu se wrote:

"f.johan.beisser" wrote:

i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
3.0 (but not 3.0.1p1), and had it fail each time. it apparently does attack
the CRC bug in unpatched/vulnerable versions of ssh.

the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
roughly 1.4 megs in size. i've only seen it as "x2".


I know that the x2 binary uses a targetfile with some offsets for
different sshd. The one I've seen only contains offsets for SSH-1.2.27
and OpenSSH-2.2.0p1. If this exploit really works against OpenSSH-2.9.9
you'll need a targetfile with the offsets for OpenSSH-2.9.9.


/Johan Augustsson

--------------------------------------------------------------------
Johan Augustsson                 Phone: +46 (0)31 773 1000
Incident Response Team           Fax: +46 (0)31 773 1087
Göteborg University              E-mail: Johan.Augustsson () adm gu se
Sweden
--------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
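
Added example, not part of the original messages or of any tool they mention: triage of collected SSH identification banners against what this thread states, namely the two server strings in the sanitized targets file and the "ver>=2.3.0 of openssh patched" cutoff from the first message. The function names, verdict labels and sample banners are constructed for illustration, and the cutoff is taken from the message as an assumption.

```python
import re

# Assumption: cutoff taken from the message above ("ver>=2.3.0 of openssh patched").
OPENSSH_FIXED = (2, 3, 0)
# Server software strings named in the sanitized targets file in the message.
LISTED_TARGETS = {"1.2.27", "OpenSSH_2.2.0p1"}

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Return a dict describing one SSH identification string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"banner": banner, "verdict": "unparsed", "ssh1_offered": None}
    proto, software = m.groups()
    # Protocol field 1.x (including 1.99) means the server still offers SSH protocol 1.
    result = {"banner": banner, "ssh1_offered": proto.startswith("1.")}
    o = OPENSSH_RE.match(software)
    if software in LISTED_TARGETS:
        result["verdict"] = "listed-target"
    elif o:
        version = tuple(int(part or 0) for part in o.groups())
        result["verdict"] = "pre-fix" if version < OPENSSH_FIXED else "fixed"
    else:
        result["verdict"] = "unknown-vendor"  # not covered by this thread
    return result


def triage(banners):
    """Classify banners and return only those needing follow-up, worst first."""
    order = {"listed-target": 0, "pre-fix": 1, "unknown-vendor": 2, "unparsed": 3}
    hits = [r for r in map(classify, banners) if r["verdict"] != "fixed"]
    return sorted(hits, key=lambda r: order[r["verdict"]])


# Constructed sample input: banners as a scanner or connection log might record them.
SAMPLE = [
    "SSH-2.0-OpenSSH_3.0.1p1",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.5-1.2.27",
    "SSH-1.99-OpenSSH_2.1.1",
    "SSH-1.99-OpenSSH_2.9.9p2",
    "HTTP/1.0 400 Bad Request",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["verdict"]:14} ssh1={row["ssh1_offered"]}  {row["banner"]}')
```

A banner is self-reported by the server and can be altered or lag behind a backported patch, so a verdict here is a lead to confirm on the host, not proof either way.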
