Snort mailing list archives
RE: GOBBLES' OpenSSH exploit.
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 01 Jul 2002 14:50:44 -0700
Is this one of the vulnerabilities that is closed by upgrading to 3.4 or getting patches from the vendor (e.g. Red Hat)?

-----Original Message-----
From: Andreas Östling
To: snort-users () lists sourceforge net
Cc: snort-sigs () lists sourceforge net
Sent: 7/1/02 2:20 PM
Subject: [Snort-users] GOBBLES' OpenSSH exploit.

Hello,

I guess most people have seen the OpenSSH exploit that GOBBLES just published ("sshutuptheo"). It obviously works very well (no, I didn't care to check it for backdoors and I'm doing this on offline machines :) )

[foo@192.168.1.3 openssh-3.4p1]$ nc 192.168.1.1 22
SSH-1.99-OpenSSH_3.2

(./ssh is modified with GOBBLES' patch)

[foo@192.168.1.3 openssh-3.4p1]$ ./ssh -l root 192.168.1.1
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60
[*] mode: exploitation

*GOBBLE*
OpenBSD openbsd 3.1 GENERIC#59 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

It seems impossible (or at least hard?) to catch the actual exploit using only content matching. However, this particular exploit (at least in its default mode), when successful, opens up a cleartext channel. The string "*GOBBLE*" will be echoed back to the attacker who then sends the "uname -a;id" string.

<Snipped>
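The point Andreas makes is that the exploit itself is not content-matchable, but the cleartext channel it opens afterwards is: a server-side "*GOBBLE*" on an SSH flow that has already exchanged version banners should never appear in legitimate traffic, because everything after the banner is binary key exchange. The following Python flow tracker is an added illustration of that detection logic; it is not code from the thread or from the Snort project. The packet records are constructed sample data, and the client version string, ephemeral port and binary filler bytes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rough Snort equivalent of the check below (illustrative, not a published rule):
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"OpenSSH GOBBLE post-exploit marker";
#   flow:from_server,established; content:"*GOBBLE*"; classtype:successful-admin;
#   sid:1000001; rev:1;)

SSH_PORT = 22
MARKER = b"*GOBBLE*"        # echoed to the attacker on success, per the thread
FOLLOWUP = b"uname -a;id"   # command the thread says the attacker sends next

FlowKey = Tuple[str, int, str, int]  # (client, cport, server, sport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class FlowState:
    banner_seen: bool = False    # server sent an "SSH-" version string
    marker_seen: bool = False    # cleartext *GOBBLE* observed from server
    followup_seen: bool = False  # client then sent the uname/id string


def flow_key(p: Packet) -> FlowKey:
    """Normalise both directions of a connection onto one key."""
    if p.dport == SSH_PORT:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def inspect(packets: List[Packet]) -> List[Tuple[FlowKey, str]]:
    """Return (flow, alert) pairs for every port-22 flow showing the marker."""
    flows: Dict[FlowKey, FlowState] = {}
    alerts: List[Tuple[FlowKey, str]] = []
    for p in packets:
        if SSH_PORT not in (p.sport, p.dport):
            continue
        key = flow_key(p)
        st = flows.setdefault(key, FlowState())
        if p.sport == SSH_PORT:  # server -> client
            if p.payload.startswith(b"SSH-"):
                st.banner_seen = True
            # After the banner the stream should be binary; a cleartext
            # marker from the server side is the post-exploitation signal.
            if st.banner_seen and MARKER in p.payload and not st.marker_seen:
                st.marker_seen = True
                alerts.append((key, "marker"))
        else:  # client -> server
            if st.marker_seen and FOLLOWUP in p.payload and not st.followup_seen:
                st.followup_seen = True
                alerts.append((key, "marker+command"))
    return alerts


# Constructed sample flow modelled on the session quoted in the thread.
ATTACK_FLOW = [
    Packet("192.168.1.1", 22, "192.168.1.3", 40123, b"SSH-1.99-OpenSSH_3.2\r\n"),
    Packet("192.168.1.3", 40123, "192.168.1.1", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    Packet("192.168.1.3", 40123, "192.168.1.1", 22, b"\x00\x00\x01\x14\x08\x14" + b"\xaa" * 16),
    Packet("192.168.1.1", 22, "192.168.1.3", 40123, b"\x00\x00\x00\x3c\x0a\x15" + b"\xbb" * 16),
    Packet("192.168.1.1", 22, "192.168.1.3", 40123, b"*GOBBLE*\n"),
    Packet("192.168.1.3", 40123, "192.168.1.1", 22, b"uname -a;id\n"),
    Packet("192.168.1.1", 22, "192.168.1.3", 40123,
           b"OpenBSD openbsd 3.1 GENERIC#59 i386\nuid=0(root) gid=0(wheel)\n"),
]

# Constructed benign flow: banner exchange followed by binary key exchange only.
BENIGN_FLOW = [
    Packet("192.168.1.1", 22, "192.168.1.9", 50001, b"SSH-1.99-OpenSSH_3.4\r\n"),
    Packet("192.168.1.9", 50001, "192.168.1.1", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    Packet("192.168.1.9", 50001, "192.168.1.1", 22, b"\x00\x00\x01\x14\x08\x14" + b"\xcc" * 16),
    Packet("192.168.1.1", 22, "192.168.1.9", 50001, b"\x00\x00\x00\x3c\x0a\x15" + b"\xdd" * 16),
]

if __name__ == "__main__":
    for flow, level in inspect(ATTACK_FLOW):
        print(level, flow)
    print("benign alerts:", inspect(BENIGN_FLOW))
```

The "marker" alert is the single server-side content match the thread proposes; the "marker+command" alert adds the client's follow-up as a second stage so that a stray string on port 22 does not fire the higher-confidence alert on its own. As Andreas notes, this only catches the exploit's default mode, which opens the cleartext channel; a modified payload that stays silent or encrypts its channel would not trip it, so the host-side fix (upgrading or patching sshd) remains the actual mitigation.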
Current thread:
- GOBBLES' OpenSSH exploit. Andreas Östling (Jul 01)
- <Possible follow-ups>
- RE: GOBBLES' OpenSSH exploit. Kevin Brown (Jul 01)
- RE: GOBBLES' OpenSSH exploit. Andreas Östling (Jul 01)