OpenSSH

["Jeremy Junginger" <jjunginger () usbestcrm com>]

Hello,

I am back again, and auditing an internally accessible ssh server for
the challenge-response buffer overflow.  I'll keep it brief:

OS: RedHat Linux (6.2)
SSH Version:  SSH-1.99-OpenSSH_3.1p1

I have already done the following:

Downloaded and extracted openssh-3.2.2p1.tar.gz
Patched the client with ssh.diff (patch < ssh.diff)
Compiled patched client ( ./configure && make ssh)
Run the "patched" ssh (./ssh x.x.x.x)

I am receiving the following output
./scanssh 172.16.51.23
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).

I have not investigated any further, but don't feel comfortable calling
the service "secured" without a little peer review.  Do you have any
tips on manipulating the method, style, repeats, chunk size, or
connect-back shellcode repeat?  Any ideas will be greatly appreciated.
Thanks, and have a great day!

-Jeremy

Attachment: smime.p7s
Description: