> sshd and telnet vulnerabilities that were published on securityfocus
> a few weeks ago. I'm wondering if people have seen examples of exploit
> code especially for the SSH attack.

Just talking of the sshd vulnerabilities, a number of them have been published on bugtraq over the last couple of months. Some of the notable vulnerabilities I can think of are:

. The authorized_keys vulnerability - http://www.securityfocus.com/archive/1/216702
  No exploit code needed to attack this vulnerability; the attacker has to be a bona fide user on the internal network. Only some versions of OpenSSH and derivatives of OpenSSH are affected. Since most commercial Linux distros ship with OpenSSH, they are affected and thus there have been separate advisories from all of them for the same vulnerability.

. Passive Traffic Analysis vulnerability - http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
  The website has exploit *tools* as well. I think OpenSSH versions < 2.5.x are affected, don't know about the SSH Inc version.

. Keystroke timing attacks - This is similar to the traffic analysis vulnerability but not the same. It's based on work done by David Wagner and Dawn Song. The paper is at http://www.cs.berkeley.edu/~daw/papers/ssh-use01.pdf. I believe there is a tool out there that implements this vulnerability. Most versions of OpenSSH and SSH Inc are affected. IMO this vulnerability affects any interactive VPN or IPSEC sessions including SSL secured telnet.

. CRC32 vulnerability - Haven't seen exploit code for this although Univ. of Washington computers seem to have been hacked lately using this vulnerability. The thing to note here is that this vulnerability affects people running SSH protocol version 1, which is inherently insecure anyway and is deprecated. Only SSH protocol version 2 should be enabled.

There has also been a vulnerability in some version of the SSH Inc version, can't remember which. The basic idea was that if a user used PAM (pluggable authentication module) as the authentication method, then the sshd would let him in with an empty password .. classic coding error by one of the SSH Inc developers where all instances of str* functions were blindly replaced by strn* calls.

> It seemed to apply to a great number of versions of SSH.

See above. Hope this helps.

-Alok
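The str* to strn* pitfall Alok mentions, as an added illustration that is not SSH Inc's code and not from the original post: the hypothetical `check_password_buggy` takes its length bound from the user-supplied string, so an empty or prefix candidate compares equal; `check_password_fixed` shows the corrected comparison. Inputs are constructed plaintext values for demonstration only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical password check reconstructing the bug class only, not the
 * real SSH code.  A mechanical strcmp() -> strncmp() rewrite that bounds
 * the comparison by strlen(candidate) lets an empty candidate compare
 * zero bytes, and strncmp() of zero bytes always reports equality.  Any
 * proper prefix of the stored value passes for the same reason.
 * Returns 1 on match, 0 otherwise. */
int check_password_buggy(const char *stored, const char *candidate)
{
    return strncmp(stored, candidate, strlen(candidate)) == 0;
}

/* Corrected version: the length bound must come from the trusted side and
 * the two lengths must agree, otherwise a short candidate can never be a
 * full match.  (A real implementation would compare password hashes, and
 * preferably with a constant-time comparison; that is outside this point.) */
int check_password_fixed(const char *stored, const char *candidate)
{
    size_t n = strlen(stored);
    if (strlen(candidate) != n)
        return 0;
    return memcmp(stored, candidate, n) == 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *stored = "hunter2";
    const char *tries[] = { "", "hun", "hunter2", "wrong" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        printf("candidate \"%s\": buggy=%d fixed=%d\n", tries[i],
               check_password_buggy(stored, tries[i]),
               check_password_fixed(stored, tries[i]));
    }
    return 0;
}
```

The buggy check accepts both the empty string and the prefix "hun"; the fixed check accepts only the exact value.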
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:31:15 PDT