Re: SSH2 Exploit?

[H D Moore <hdm () digitaloffense net>]

Heh, no problem. I have heard of some specific exploits for ssh2 commercial, 
having to do with flooding the server with SSH2_MSG packets during the SSH 
session. Nothing solid yet, I tested against openssh and was only able to DoS.

On Thursday 07 March 2002 08:15 am, Ron DuFresne wrote:
> Mr. Moore,
>
> Thanks for the binaries.  I'd gotten a copy earlier from another rouce
> also to campare these with. but, I'm suspecting they will come out
> similiar.  I realise I was a bit over-zealous in my statements that there
> was not a working exploit for ssh1 protocol, and after sending that
> response off looked over my ssh related library of facts, or announcements
> from the various mailing lists discovering Dave Dittrich's analysis of the
> crc32 exploit from awhile back.  So, my statements were of course
> over-broad, but, fit the purpose still in trying to identify if a
> new exploit was actually circulating that exploited ssh2 as some had
> been suggesting.  Thus far I have been unable to ferrit out any such
> claims with actual evidence such as logs showing something trying or
> actually committing such an exploit on ssh2, or source or binaries
> for such an exploit.  So, I stand corrected unless one reads me
> below without regard to ssh2 <grin>.  Still, if folks are aware of this,
> and disable the fallback to ssh1 from their ssh2 deamons, exploiting of
> the deamon is not possible.  This should be a compeling reason for folks
> to move to the newer ssh2 protocol, but, we all know how long it takes
> for such matters to evolve once a tool like ssh1 becomes entrenched over
> a large number of systems.  Sorry for the confusion to those that read me
> and took my mis-statements as total fact.  of course, if I am in error
> here and there is an exploit for ssh2 also circulating, then please
> correct me and update Mr. Cimpoesu to avoid his being misadvised by my
> statements here.
>
> Again, thanks much,
>
> Ron DuFresne
>
> On Thu, 7 Mar 2002, H D Moore wrote:
> > This is a ssh1 crc32 auto-rooter, courtesy of incident response:
> >
> > http://www.digitaloffense.net/autossh.tgz
> >
> > You have 24 hours to grab a copy before I remove it. I have not checked
> > the contained binaries for trojans or virii yet, so please dont run them
> > unless you verify them yourself. An auto-rooter would not be created if
> > the exploit it used (x2) doesn't work...
> >
> > On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
> > > There's nothing here that actually suggests the systems were
> > > compromised via sshd, neither sshd1 nor sshd2.  Nor is there an actual
> > > accounting of what other services were open for possible exploit on the
> > > systems in question.  Nothing about the kernels chosen and possible
> > > problems there, nor if the systems were acutally remotely exploited of
> > > if <as is much more possible> that an internal user on the systems
> > > actually rooted the systems.  I have seen code to scan for sshd1, seen
> > > the traces in my logs, and there have been hints of possible sshd1
> > > exploit code ciculating for awhile now, with no real evicdence
> > > presented there is such an exploit in use that works remotely.  Those
> > > exploits of sshd1 that have been suggested are far above the needs and
> > > skills of simple skript-kiddies though.  SSHD2 that I've seen
> > > vulnerabilites mentioned for though are those that include sshd1
> > > support, so, if there is real evidence of an sshd2 remote exploit or
> > > even a remote sshd1 exploit in acutal use, then, I'd certainly like to
> > > see the code or binaries in question.  Otherwie, we only have rumrrs of
> > > such and most likely have systems hacked via other vectors that are
> > > used to scan for possibly exploitable sshd's, and these scans are
> > > possibly placed for scare tactics or diversion from the real purpose of
> > > the rooting that has taken place.
> > >
> > > Thanks,
> > >
> > > Ron DuFresne
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.