http://www.newsbytes.com/news/01/171291.html

By Brian McWilliams, Newsbytes
HOUSTON, TEXAS, U.S.A.,
18 Oct 2001, 4:34 PM CST

A new hacking tool is being actively used by attackers hoping to take remote control of unpatched Unix-based systems, security experts warned today.

The tool appears to exploit a known bug in a popular authentication technology called Secure Shell (SSH), according to Simple Nomad, senior security analyst with Bindview Corporation.

The security firm's RAZOR team, a research and development group, discovered the flaw in the SSH daemon, which it dubbed the crc32 vulnerability, last winter.

In its February advisory, Bindview stated that it was aware of no working exploits for the overflow flaw in the SSH daemon. But last week, rumors spread in the hacker underground that scripts were available to gain "root" or system-level access to vulnerable systems.

And in recent days, system operators have posted reports on security mailing lists saying they are receiving remote scans from attackers attempting to locate vulnerable systems running SSH.

According to Roelof Temmingh, technical director for SensePost, an information security consulting firm, several versions of the SSH attack scripts have been available over Internet relay chat and other online forums for approximately one week.

SSH is a technology developed by SSH Communications Security that enables users to securely log into a remote system and move files. The protocol is included with several Unix-based commercial operating systems including Sun Solaris, IBM AIX, and HP-UX. A free version of the protocol, known as OpenSSH, is integrated into many open-source Unix-based operating systems, including versions of Linux and BSD.

While the attack tools exploit a relatively old bug for which patches were issued months ago, Temmingh reports that one individual was asking for unspecified financial compensation for sharing the script - a development which he views as ominous.

"At $1000 an exploit, who are you going to attract? People that will pay that amount of money must surely be in a situation that will make it worth their while," said Temmingh.

[...]