Re: SSH & Telnet

From: Alok Aggarwal (aggarwaa@private)
Date: Sat Nov 10 2001 - 10:59:00 PST

Next message: Toby Kohlenberg: "Re: SSH & Telnet Exploits"

Previous message: Kuo, Jimmy: "RE: SSH & Telnet Exploits"
In reply to: Jimmy Sadri: "SSH & Telnet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> sshd and telnet vulnerabilites that where published on securityfocus 

Just talking of the sshd vulnerabilities, a number of them have been published 
on bugtraq over the last couple of months. 

> a few weeks ago.  I'm wondering if people have seen examples of exploit
> code especially for the SSH attack. 

Some of the notable vulnerabilities I can think of are:

. The authorized_keys vulnerability -
	http://www.securityfocus.com/archive/1/216702
  No exploit code needed to attack this vulnerability, the attacker has to be
  bonafide user on the internal network. Only some versions of OpenSSH and
  derivatives of OpenSSH are affected. Since most commercial Linux distros ship
  with OpenSSH, they are affected and thus there have been separate advisories
  from all of them for the same vulnerability. 

. Passive Traffic Analysis vulnerability -
	http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
  The website has exploit *tools* as well. I think OpenSSH versions < 2.5.x are
  affected, don't know about the SSH Inc version.

. Keystroke timing attacks - This is similar to traffic analysis vulnerability
  but not the same. It's based on work done by David Wagner and Dawn Song. The
  paper is at http://www.cs.berkeley.edu/~daw/papers/ssh-use01.pdf. I believe
  there is a tool out there that implements this vulnerability. Most versions
  of OpenSSH and SSH Inc affected. IMO this vulnerability affects any
  interactive VPN or IPSEC sessions including SSL secured telnet.

. CRC32 vulnerabilty - Haven't seen an exploit code for this although Univ. of
  Washington computers seem to have been hacked lately using this
  vulnerability. The thing to note here is that, this vulnerability affects
  people running SSH protocol version 1, which is inherently insecure anyway
  and is deprecated. Only SSH protocol version 2 should be enabled.

There is has also been a vulnerability in some version of SSH Inc version, can't
remember which. The basic idea was that if a user used PAM (pluggable
authentication module) as the authentication method, then the sshd would let
him in with an empty password .. classic coding error by one of the SSH Inc
developers where all instances of str* functions were blindly replaced by strn*
calls.

> It seemed to apply to a great number of versions of SSH.  

See above.

Hope this helps.
-Alok

Next message: Toby Kohlenberg: "Re: SSH & Telnet Exploits"
Previous message: Kuo, Jimmy: "RE: SSH & Telnet Exploits"
In reply to: Jimmy Sadri: "SSH & Telnet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:31:15 PDT