Snort mailing list archives
GOBBLES' OpenSSH exploit.
From: Andreas Östling <andreaso () it su se>
Date: Mon, 1 Jul 2002 23:20:08 +0200 (CEST)
Hello,

I guess most people have seen the OpenSSH exploit that GOBBLES just
published ("sshutuptheo"). It obviously works very well (no, I didn't
care to check it for backdoors and I'm doing this on offline machines :) )

[foo@192.168.1.3 openssh-3.4p1]$ nc 192.168.1.1 22
SSH-1.99-OpenSSH_3.2

(./ssh is modified with GOBBLES' patch)

[foo@192.168.1.3 openssh-3.4p1]$ ./ssh -l root 192.168.1.1
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60
[*] mode: exploitation
*GOBBLE*
OpenBSD openbsd 3.1 GENERIC#59 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

It seems impossible (or at least hard?) to catch the actual exploit using
only content matching. However, this particular exploit (at least in its
default mode), when successful, opens up a cleartext channel. The string
"*GOBBLE*" will be echoed back to the attacker, who then sends the
"uname -a;id" string.

The last part of a successful exploit as seen by snort:

...
07/01-19:38:58.480950 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3033 IpLen:20 DgmLen:828 DF
***AP*** Seq: 0xC8ADB1BB Ack: 0xAA607671 Win: 0x2280 TcpLen: 32
TCP Options (3) => NOP NOP TS: 223646 1538159700

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481304 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:61807 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671 Ack: 0xC8ADA0C3 Win: 0x2D40 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481586 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:34035 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671 Ack: 0xC8ADAC13 Win: 0x21F0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481780 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:37374 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671 Ack: 0xC8ADB4C3 Win: 0x1940 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.482805 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:57417 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671 Ack: 0xC8ADB4C3 Win: 0x42A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498197 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:60287 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xAA607671 Ack: 0xC8ADB4C3 Win: 0x43E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646
47 47 47 47                                      GGGG

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498297 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3034 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xC8ADB4C3 Ack: 0xAA607675 Win: 0x2280 TcpLen: 32
TCP Options (3) => NOP NOP TS: 223647 1538159700
4F                                               O

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498731 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:43879 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0xAA607675 Ack: 0xC8ADB4C4 Win: 0x43E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223647
2A 47 4F 42 42 4C 45 2A 0A                       *GOBBLE*.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498773 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3035 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0xC8ADB4C4 Ack: 0xAA60767E Win: 0x2280 TcpLen: 32
TCP Options (3) => NOP NOP TS: 223648 1538159700
75 6E 61 6D 65 20 2D 61 3B 69 64 0A              uname -a;id.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.516744 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:61830 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0xAA60767E Ack: 0xC8ADB4D0 Win: 0x43E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223648
4F 70 65 6E 42 53 44 20 6F 70 65 6E 62 73 64 20  OpenBSD openbsd 
33 2E 31 20 47 45 4E 45 52 49 43 23 35 39 20 69  3.1 GENERIC#59 i
33 38 36 0A                                      386.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.548545 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3036 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xC8ADB4D0 Ack: 0xAA6076A2 Win: 0x2280 TcpLen: 32
TCP Options (3) => NOP NOP TS: 223653 1538159700

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.549010 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:51141 IpLen:20 DgmLen:153 DF
***AP*** Seq: 0xAA6076A2 Ack: 0xC8ADB4D0 Win: 0x43E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223653
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D  uid=0(root) gid=
30 28 77 68 65 65 6C 29 20 67 72 6F 75 70 73 3D  0(wheel) groups=
30 28 77 68 65 65 6C 29 2C 20 32 28 6B 6D 65 6D  0(wheel), 2(kmem
29 2C 20 33 28 73 79 73 29 2C 20 34 28 74 74 79  ), 3(sys), 4(tty
29 2C 20 35 28 6F 70 65 72 61 74 6F 72 29 2C 20  ), 5(operator), 
32 30 28 73 74 61 66 66 29 2C 20 33 31 28 67 75  20(staff), 31(gu
65 73 74 29 0A                                   est).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Besides the always so wonderful "id check returned root" sig, here are a
couple of other simple sigs I think may be useful in this case:

alert tcp any 22 -> any any \
    (msg: "Response from successful GOBBLES OpenSSH exploit"; \
    content: "*GOBBLE*"; depth: 8; flags: A+;)

alert tcp any any -> any 22 \
    (msg: "Possible *SSH exploit, uname in packet"; \
    content: "uname"; depth: 50; flags: A+;)

Anyone could obviously change these strings in the exploit. But still,
it again shows that watching for misc cleartext strings in encrypted
channels can sometimes actually be useful...

The exploit patch also sets the protocol identification string to
"SSH-2.0-GOBBLES", which can be caught using this rule:

alert tcp any any -> any 22 \
    (msg: "SSH-2.0-GOBBLES identification string, possible OpenSSH exploit follows"; \
    content: "SSH-2.0-GOBBLES"; depth: 15; flags: A+;)

Of course also trivial for anyone to change, but anyway.

If you're using a recent Snort 1.9 snapshot (which is able to check for
dsize ranges), you can use something like this to catch some uncool SSH
packets that are too small to be real:

alert tcp any any <> any 22 \
    (msg: "invalid SSH packet (too small!), possible exploit?"; \
    dsize: 1<>6; flags: A+;)

This was just the result of some extremely quick testing. Beware of
errors. I'd be glad to hear from other people about this (and/or about
the other OpenSSH exploits out there).

Regards,
Andreas Östling
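To see what the rules in the post actually fire on, here is an added example (not from the post and not Snort code) that re-implements the content/depth and dsize checks in Python and runs them over constructed packets mirroring the captured exchange. The Packet and ContentRule types, the sample packets, and the inclusive reading of the dsize range are assumptions.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    sport: int
    dport: int
    payload: bytes

class ContentRule(NamedTuple):
    msg: str
    sport: Optional[int]          # None means "any", as in the Snort rule header
    dport: Optional[int]
    pattern: bytes
    depth: Optional[int] = None   # Snort depth: whole pattern must lie in the first N bytes

    def matches(self, p: Packet) -> bool:
        if self.sport not in (None, p.sport) or self.dport not in (None, p.dport):
            return False
        hay = p.payload if self.depth is None else p.payload[:self.depth]
        return self.pattern in hay

# The three content rules from the post, plus the stock Snort "id check returned root" pattern.
RULES = [
    ContentRule("Response from successful GOBBLES OpenSSH exploit", 22, None, b"*GOBBLE*", 8),
    ContentRule("Possible *SSH exploit, uname in packet", None, 22, b"uname", 50),
    ContentRule("SSH-2.0-GOBBLES identification string, possible OpenSSH exploit follows", None, 22, b"SSH-2.0-GOBBLES", 15),
    ContentRule("ATTACK-RESPONSES id check returned root", None, None, b"uid=0(root)"),
]
# dsize: 1<>6 on either side of port 22. Assumption: both ends inclusive;
# check the dsize semantics of the Snort version you run before relying on it.
DSIZE_MIN, DSIZE_MAX = 1, 6

def alerts_for(p: Packet) -> list:
    """Return the msg of every rule that fires on this single packet."""
    fired = [r.msg for r in RULES if r.matches(p)]
    if 22 in (p.sport, p.dport) and DSIZE_MIN <= len(p.payload) <= DSIZE_MAX:
        fired.append("invalid SSH packet (too small!), possible exploit?")
    return fired

# Constructed packets mirroring the captured exchange (client 32801 <-> server 22);
# packet 1 stands in for the 828-byte encrypted exploit payload, which no string matches.
C, S = 32801, 22
SAMPLE_STREAM = [
    Packet(C, S, b"SSH-2.0-GOBBLES\r\n"),
    Packet(C, S, bytes(range(256)) * 3 + b"\x00" * 60),
    Packet(S, C, b"GGGG"),
    Packet(C, S, b"O"),
    Packet(S, C, b"*GOBBLE*\n"),
    Packet(C, S, b"uname -a;id\n"),
    Packet(S, C, b"uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys)\n"),
]
```

Only the cleartext packets after the exploit succeeds produce alerts; the encrypted payload itself (packet 1) matches nothing, which is the point the post makes about content matching.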