Re: SSH2 Exploit?

[Ron DuFresne <dufresne () winternet com>]

Mr. Moore,

Thanks for the binaries.  I'd gotten a copy earlier from another rouce
also to campare these with. but, I'm suspecting they will come out
similiar.  I realise I was a bit over-zealous in my statements that there
was not a working exploit for ssh1 protocol, and after sending that
response off looked over my ssh related library of facts, or announcements
from the various mailing lists discovering Dave Dittrich's analysis of the
crc32 exploit from awhile back.  So, my statements were of course
over-broad, but, fit the purpose still in trying to identify if a
new exploit was actually circulating that exploited ssh2 as some had
been suggesting.  Thus far I have been unable to ferrit out any such
claims with actual evidence such as logs showing something trying or
actually committing such an exploit on ssh2, or source or binaries
for such an exploit.  So, I stand corrected unless one reads me
below without regard to ssh2 <grin>.  Still, if folks are aware of this,
and disable the fallback to ssh1 from their ssh2 deamons, exploiting of
the deamon is not possible.  This should be a compeling reason for folks
to move to the newer ssh2 protocol, but, we all know how long it takes
for such matters to evolve once a tool like ssh1 becomes entrenched over
a large number of systems.  Sorry for the confusion to those that read me
and took my mis-statements as total fact.  of course, if I am in error
here and there is an exploit for ssh2 also circulating, then please
correct me and update Mr. Cimpoesu to avoid his being misadvised by my
statements here.

Again, thanks much,

Ron DuFresne

On Thu, 7 Mar 2002, H D Moore wrote:

> This is a ssh1 crc32 auto-rooter, courtesy of incident response:
>
> http://www.digitaloffense.net/autossh.tgz
>
> You have 24 hours to grab a copy before I remove it. I have not checked the
> contained binaries for trojans or virii yet, so please dont run them unless
> you verify them yourself. An auto-rooter would not be created if the exploit
> it used (x2) doesn't work...
>
> On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
> > There's nothing here that actually suggests the systems were compromised
> > via sshd, neither sshd1 nor sshd2.  Nor is there an actual accounting of
> > what other services were open for possible exploit on the systems in
> > question.  Nothing about the kernels chosen and possible problems there,
> > nor if the systems were acutally remotely exploited of if <as is much more
> > possible> that an internal user on the systems actually rooted the
> > systems.  I have seen code to scan for sshd1, seen the traces in my logs,
> > and there have been hints of possible sshd1 exploit code ciculating for
> > awhile now, with no real evicdence presented there is such an exploit in
> > use that works remotely.  Those exploits of sshd1 that have been suggested
> > are far above the needs and skills of simple skript-kiddies though.  SSHD2
> > that I've seen vulnerabilites mentioned for though are those that include
> > sshd1 support, so, if there is real evidence of an sshd2 remote exploit or
> > even a remote sshd1 exploit in acutal use, then, I'd certainly like to see
> > the code or binaries in question.  Otherwie, we only have rumrrs of such
> > and most likely have systems hacked via other vectors that are used to
> > scan for possibly exploitable sshd's, and these scans are possibly placed
> > for scare tactics or diversion from the real purpose of the rooting that
> > has taken place.
> >
> > Thanks,
> >
> > Ron DuFresne

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.