Vulnerability Development mailing list archives
Re: SSH2 Exploit?
From: H D Moore <hdm () digitaloffense net>
Date: Thu, 7 Mar 2002 08:22:30 -0600
Heh, no problem. I have heard of some specific exploits for ssh2 commercial, having to do with flooding the server with SSH2_MSG packets during the SSH session. Nothing solid yet, I tested against openssh and was only able to DoS. On Thursday 07 March 2002 08:15 am, Ron DuFresne wrote:
Mr. Moore, Thanks for the binaries. I'd gotten a copy earlier from another rouce also to campare these with. but, I'm suspecting they will come out similiar. I realise I was a bit over-zealous in my statements that there was not a working exploit for ssh1 protocol, and after sending that response off looked over my ssh related library of facts, or announcements from the various mailing lists discovering Dave Dittrich's analysis of the crc32 exploit from awhile back. So, my statements were of course over-broad, but, fit the purpose still in trying to identify if a new exploit was actually circulating that exploited ssh2 as some had been suggesting. Thus far I have been unable to ferrit out any such claims with actual evidence such as logs showing something trying or actually committing such an exploit on ssh2, or source or binaries for such an exploit. So, I stand corrected unless one reads me below without regard to ssh2 <grin>. Still, if folks are aware of this, and disable the fallback to ssh1 from their ssh2 deamons, exploiting of the deamon is not possible. This should be a compeling reason for folks to move to the newer ssh2 protocol, but, we all know how long it takes for such matters to evolve once a tool like ssh1 becomes entrenched over a large number of systems. Sorry for the confusion to those that read me and took my mis-statements as total fact. of course, if I am in error here and there is an exploit for ssh2 also circulating, then please correct me and update Mr. Cimpoesu to avoid his being misadvised by my statements here. Again, thanks much, Ron DuFresne On Thu, 7 Mar 2002, H D Moore wrote:This is a ssh1 crc32 auto-rooter, courtesy of incident response: http://www.digitaloffense.net/autossh.tgz You have 24 hours to grab a copy before I remove it. I have not checked the contained binaries for trojans or virii yet, so please dont run them unless you verify them yourself. An auto-rooter would not be created if the exploit it used (x2) doesn't work... On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:There's nothing here that actually suggests the systems were compromised via sshd, neither sshd1 nor sshd2. Nor is there an actual accounting of what other services were open for possible exploit on the systems in question. Nothing about the kernels chosen and possible problems there, nor if the systems were acutally remotely exploited of if <as is much more possible> that an internal user on the systems actually rooted the systems. I have seen code to scan for sshd1, seen the traces in my logs, and there have been hints of possible sshd1 exploit code ciculating for awhile now, with no real evicdence presented there is such an exploit in use that works remotely. Those exploits of sshd1 that have been suggested are far above the needs and skills of simple skript-kiddies though. SSHD2 that I've seen vulnerabilites mentioned for though are those that include sshd1 support, so, if there is real evidence of an sshd2 remote exploit or even a remote sshd1 exploit in acutal use, then, I'd certainly like to see the code or binaries in question. Otherwie, we only have rumrrs of such and most likely have systems hacked via other vectors that are used to scan for possibly exploitable sshd's, and these scans are possibly placed for scare tactics or diversion from the real purpose of the rooting that has taken place. Thanks, Ron DuFresne~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- Re: SSH2 Exploit? Ron DuFresne (Mar 04)
- Re: SSH2 Exploit? Jon Zobrist (Mar 05)
- Re: SSH2 Exploit? H D Moore (Mar 07)
- Re: SSH2 Exploit? Ron DuFresne (Mar 07)
- <Possible follow-ups>
- Re: SSH2 Exploit? Ron DuFresne (Mar 07)
- Re: SSH2 Exploit? H D Moore (Mar 07)
- Re: SSH2 Exploit? H D Moore (Mar 08)
- Re: SSH2 Exploit? Ron DuFresne (Mar 07)
- Re: SSH2 Exploit? Teodor Cimpoesu (Mar 07)
- Re: SSH2 Exploit? Dan Hanson (Mar 08)
- Re: SSH2 Exploit? Steve Wright (Mar 08)