Snort mailing list archives

GOBBLES' OpenSSH exploit.

From: Andreas Östling <andreaso () it su se>
Date: Mon, 1 Jul 2002 23:20:08 +0200 (CEST)

Hello,

I guess most people have seen the OpenSSH exploit that GOBBLES
just published ("sshutuptheo"). It obviously works very well (no, I didn't
care to check it for backdoors and I'm doing this on offline machines :) )

[foo@192.168.1.3 openssh-3.4p1]$ nc 192.168.1.1 22
SSH-1.99-OpenSSH_3.2

(./ssh is modified with GOBBLES' patch)

[foo@192.168.1.3 openssh-3.4p1]$ ./ssh -l root 192.168.1.1
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60
[*] mode: exploitation
*GOBBLE*
OpenBSD openbsd 3.1 GENERIC#59 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)


It seems impossible (or at least hard?) to catch the actual exploit using
only content matching. However, this particular exploit (at least in its
default mode), when successful, opens up a cleartext channel. The string
"*GOBBLE*" will be echoed back to the attacker who then sends the
"uname -a;id" string.

The last part of a successful exploit as seen by snort:

...

07/01-19:38:58.480950 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3033 IpLen:20 DgmLen:828 DF
***AP*** Seq: 0xC8ADB1BB  Ack: 0xAA607671  Win: 0x2280  TcpLen: 32
TCP Options (3) => NOP NOP TS: 223646 1538159700
DC 49 E9 33 60 E1 DD CD FF 14 E4 72 36 43 55 B7  .I.3`......r6CU.
61 BD B9 BA CE 82 53 F6 D1 A1 5E A0 1E 98 3B 47  a.....S...^...;G
F8 99 98 BB 39 9C 78 4F 23 FA A7 E1 0D C2 A5 69  ....9.xO#......i
27 2A 48 1C DC F3 CA 88 22 37 0C E4 B3 91 05 AA  '*H....."7......
E6 AC 52 87 DF 45 16 62 8E 3A 60 8D B9 BC F8 36  ..R..E.b.:`....6
38 39 FE 47 AD D9 1C 86 CF 5B 8E F5 37 DB 08 B8  89.G.....[..7...
75 E9 99 EB 49 37 85 3F 66 76 61 24 E3 FB A6 55  u...I7.?fva$...U
67 96 49 76 9E B2 D8 7B D5 BC AA AC 3F 48 72 79  g.Iv...{....?Hry
96 59 F5 20 C9 1C 26 9F 0E AE 3D 70 58 95 AA 28  .Y. ..&...=pX..(
9B 83 E6 27 30 FB BC 12 FF 52 44 66 B2 15 19 45  ...'0....RDf...E
80 C9 48 AE D9 CA 50 73 FA 06 5F 3A 51 5E 4C E2  ..H...Ps.._:Q^L.
4B DB 38 4E 42 80 E0 01 2E C9 05 CD 6B DE F7 ED  K.8NB.......k...
F9 54 9F BC 87 45 C1 61 D4 EE CA A5 E1 55 B3 7E  .T...E.a.....U.~
D0 E6 E9 C9 37 7B 68 3C A6 CA CF 3C 39 F7 E9 9E  ....7{h<...<9...
99 2D E4 DA F7 73 55 E1 71 C4 90 FF 2B 60 8A E7  .-...sU.q...+`..
01 5A 58 40 E5 C1 A3 31 1F 97 CA 8C 97 36 B5 7F  .ZX@...1.....6..
C6 BC 6A 20 52 C9 64 6B 8A 83 73 03 27 AC 90 F1  ..j R.dk..s.'...
82 E6 B1 17 2E 5D 2E 39 10 59 F4 2F 62 5B 38 1F  .....].9.Y./b[8.
D3 78 10 D8 D0 F5 B7 6F 21 BF 69 FE 35 C5 0E 5D  .x.....o!.i.5..]
8D 64 75 B3 6F 3B 5C F7 3D 69 DB 41 65 15 C1 48  .du.o;\.=i.Ae..H
70 EB F1 68 AB 2F 5F 95 40 92 C8 CC 26 BA A2 CC  p..h./_.@...&...
A8 D2 DD 54 85 69 11 47 9E 20 AC 68 BD 7A DE 87  ...T.i.G. .h.z..
14 FA 5F 12 01 8F 2F D2 58 6B 3B 72 1B 0F 8B 50  .._.../.Xk;r...P
EB F5 D3 68 40 7C F6 25 D0 69 9B 91 7A 18 ED 74  ...h@|.%.i..z..t
38 B7 30 32 65 07 29 8A E6 77 01 B1 DF AC B0 2D  8.02e.)..w.....-
63 37 F3 1F 3E 76 54 84 64 AA D2 B6 B9 1D 06 AF  c7..>vT.d.......
1E 56 E0 65 80 DE F3 F2 BC 91 41 B9 7B 3A 14 88  .V.e......A.{:..
9B BD 7F B0 32 E7 9F 97 9D D0 7C 9C DE 92 92 C7  ....2.....|.....
30 8A A1 52 C4 05 12 15 6F F5 08 99 C0 61 A4 91  0..R....o....a..
C0 A9 C6 0B 61 CD 0E 3B 4A AB C1 A8 03 21 29 C5  ....a..;J....!).
D3 18 7B 03 BD 21 9B 44 E9 B8 71 73 73 78 AC EC  ..{..!.D..qssx..
97 5F 97 59 20 7F C0 68 7F 50 F0 60 B2 4F 72 A1  ._.Y ..h.P.`.Or.
EB 74 DF 2A 67 BE 11 E7 4D 6A 9E 6D FB 4C 48 E8  .t.*g...Mj.m.LH.
00 AC 9F AD A4 8A 6B 54 D4 5D 96 19 F5 81 99 55  ......kT.].....U
9B 82 81 6C EF BF FD BD 60 4D 45 1F 9F 4D 7E 3A  ...l....`ME..M~:
2B F9 EB BE 4F BB C2 EA 96 D6 9B 01 7E 0F 76 81  +...O.......~.v.
08 05 9B 4F 70 00 93 23 39 16 77 43 F6 D7 00 6C  ...Op..#9.wC...l
65 86 E8 23 BC 97 3A B8 9B 1D 49 BA 07 07 F2 9D  e..#..:...I.....
6D 56 F4 08 E4 B3 7B 44 8E 10 43 C5 0B CA 37 A8  mV....{D..C...7.
7D FA E9 57 96 0D 0A EF 21 DD 21 40 45 FE 7B 01  }..W....!.!@E.{.
F7 FF 3D BE 1F AF DF B4 28 89 2B D6 B2 A8 D1 BB  ..=.....(.+.....
BD 23 62 4F FF 1E 0B BB 4E 45 86 C5 9C 5D 56 CE  .#bO....NE...]V.
FC 57 84 17 DD 9A B0 BE AE 4B 3D BB EA 14 AF 59  .W.......K=....Y
0F 5D DD 7C 03 BA 6C 7D F7 A7 E9 59 35 98 EF A2  .].|..l}...Y5...
F5 D2 D6 8D 3F B0 77 E3 AB 5E 6B 34 E1 26 44 E3  ....?.w..^k4.&D.
0A CD 59 B0 F6 57 94 C2 B1 BB 26 1A 3E 5F 97 1D  ..Y..W....&.>_..
F2 14 3C FC 69 14 28 19 77 BA 67 4D 7B E6 1A 7F  ..<.i.(.w.gM{...
2F FD F4 2C 94 70 EE 53 07 66 D4 FA 98 1C C4 6D  /..,.p.S.f.....m
7A CB 77 50 91 05 EA 6F                          z.wP...o

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481304 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:61807 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671  Ack: 0xC8ADA0C3  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481586 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:34035 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671  Ack: 0xC8ADAC13  Win: 0x21F0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.481780 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:37374 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671  Ack: 0xC8ADB4C3  Win: 0x1940  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.482805 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:57417 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAA607671  Ack: 0xC8ADB4C3  Win: 0x42A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498197 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:60287 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xAA607671  Ack: 0xC8ADB4C3  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223646
47 47 47 47                                      GGGG

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498297 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3034 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xC8ADB4C3  Ack: 0xAA607675  Win: 0x2280  TcpLen: 32
TCP Options (3) => NOP NOP TS: 223647 1538159700
4F                                               O

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498731 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:43879 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0xAA607675  Ack: 0xC8ADB4C4  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223647
2A 47 4F 42 42 4C 45 2A 0A                       *GOBBLE*.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.498773 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3035 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0xC8ADB4C4  Ack: 0xAA60767E  Win: 0x2280  TcpLen: 32
TCP Options (3) => NOP NOP TS: 223648 1538159700
75 6E 61 6D 65 20 2D 61 3B 69 64 0A              uname -a;id.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.516744 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:61830 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0xAA60767E  Ack: 0xC8ADB4D0  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223648
4F 70 65 6E 42 53 44 20 6F 70 65 6E 62 73 64 20  OpenBSD openbsd
33 2E 31 20 47 45 4E 45 52 49 43 23 35 39 20 69  3.1 GENERIC#59 i
33 38 36 0A                                      386.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.548545 192.168.1.3:32801 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:3036 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xC8ADB4D0  Ack: 0xAA6076A2  Win: 0x2280  TcpLen: 32
TCP Options (3) => NOP NOP TS: 223653 1538159700

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-19:38:58.549010 192.168.1.1:22 -> 192.168.1.3:32801
TCP TTL:64 TOS:0x0 ID:51141 IpLen:20 DgmLen:153 DF
***AP*** Seq: 0xAA6076A2  Ack: 0xC8ADB4D0  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1538159700 223653
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D  uid=0(root) gid=
30 28 77 68 65 65 6C 29 20 67 72 6F 75 70 73 3D  0(wheel) groups=
30 28 77 68 65 65 6C 29 2C 20 32 28 6B 6D 65 6D  0(wheel), 2(kmem
29 2C 20 33 28 73 79 73 29 2C 20 34 28 74 74 79  ), 3(sys), 4(tty
29 2C 20 35 28 6F 70 65 72 61 74 6F 72 29 2C 20  ), 5(operator),
32 30 28 73 74 61 66 66 29 2C 20 33 31 28 67 75  20(staff), 31(gu
65 73 74 29 0A                                   est).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Besides the always so wonderful "id check returned root" sig, here a
couple of other simple sigs I think may be useful in this case:

alert tcp any 22 -> any any \
(msg: "Response from successful GOBBLES OpenSSH exploit"; \
content: "*GOBBLE*"; depth: 8; flags: A+;)

alert tcp any any -> any 22 \
(msg: "Possible *SSH exploit, uname in packet"; \
content: "uname"; depth: 50; flags: A+;)

Anyone could obviously change these strings in the exploit. But still, it
again shows that watching for misc cleartext strings in encrypted channels
can sometimes actually be useful...

The exploit patch also sets the protocol identification string to
"SSH-2.0-GOBBLES", which can be catched using this rule:

alert tcp any any -> any any 22 \
(msg: "SSH-2.0-GOBBLES identification string, possible OpenSSH exploit follows"; \
content: "SSH-2.0-GOBBLES"; depth: 15; flags: A+;)


Of course also trivial for anyone to change, but anyway.

If you're using a recent Snort 1.9 snapshot (which is able to check for
dsize ranges), you can use something like this to catch some uncool SSH
packets that are too small to be real:

alert tcp any any <> any 22 (msg: "invalid SSH packet (too small!), possible exploit?"; \
dsize: 1<>6; flags: A+;)


This was just the result of some extremely quick testing. Beware of
errors. I'd be glad to hear from other people about this (and/or about the
other OpenSSH exploits out there).


Regards,
Andreas Östling



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

GOBBLES' OpenSSH exploit. Andreas Östling (Jul 01)
- <Possible follow-ups>
- RE: GOBBLES' OpenSSH exploit. Kevin Brown (Jul 01)
  - RE: GOBBLES' OpenSSH exploit. Andreas Östling (Jul 01)