Re: Analysis of SSH crc32 compensation attack detector exploit

From: Dave Dittrich (dittrichat_private)
Date: Fri Nov 09 2001 - 13:03:34 PST


    Errata.
    
    It was pointed out to me that I forgot to include the README in
    Appendix B.  I also left out one other comment as well.
    
    > The most recent version of this file can be found at:
    >
    > 	http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
    
    The missing pieces are:
    
     . . .
    
    (Re: Scanning)
    
    [NOTE: You are not necessarily vulnerable just because the banner
    shows a version string that is listed as "affected".  If the patches
    listed in the RAZOR advisory, e.g., are applied, or if you eliminate
    v1 and use v2 of the protocol exclusively, the server will not be
    vulnerable.]
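As an added illustration of the point in the note above (this is example code, not part of the original post or of Dave Dittrich's analysis), the following Python triages SSH server identification strings the way an administrator checking their own hosts would: a server that advertises protocol 2 only cannot be reached by a protocol-1 CRC32 compensation attack detector bug, while a server that still accepts protocol 1 ("SSH-1.x" or the "SSH-1.99" compatibility form) only earns a "review" verdict, because the banner cannot tell you whether the RAZOR patches were applied. The sample banners are constructed; the decision rules encode only what the note states (version 1.99 meaning "both protocols" is standard SSH behaviour, not something the post spells out).

```python
import re

# Constructed sample identification strings, i.e. the first line an SSH
# server sends on connect. These are not banners from any real host.
SAMPLE_BANNERS = [
    "SSH-1.5-OpenSSH_1.2.3",      # protocol 1 only
    "SSH-1.99-OpenSSH_2.9p2",     # accepts protocol 1 and 2
    "SSH-2.0-OpenSSH_3.0.1p1",    # protocol 2 only
    "SSH-1.5-1.2.27",             # ssh.com style version string, protocol 1
    "not an ssh banner",          # some other service on the port
]

# Identification string format: SSH-<protoversion>-<softwareversion> [comment]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$"
)


def parse_banner(line):
    """Return protocol/software fields from a banner line, or None if it
    is not an SSH identification string."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    if proto == "1.99":
        # 1.99 is the convention for "speaks both protocol 1 and 2"
        versions = {1, 2}
    elif proto.startswith("1."):
        versions = {1}
    elif proto == "2.0":
        versions = {2}
    else:
        versions = set()
    return {
        "proto": proto,
        "software": m.group("software"),
        "protocol_versions": versions,
    }


def assess(line):
    """Classify a banner for the protocol-1 CRC32 compensation attack
    detector issue.

    'not-exposed': protocol 2 only, so the protocol-1 code path is never used
    'review':      protocol 1 is accepted; the banner alone cannot prove
                   vulnerability, so confirm the advisory's patches are applied
                   or disable protocol 1
    'unknown':     not an SSH banner or an unrecognised protocol version
    """
    info = parse_banner(line)
    if info is None:
        return "unknown"
    if info["protocol_versions"] == {2}:
        return "not-exposed"
    if 1 in info["protocol_versions"]:
        return "review"
    return "unknown"


def triage(banners):
    """Map each banner to its verdict; handy for a fleet-wide summary."""
    return {b: assess(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:12s} {banner}")
```

Feed it the first line you read from each host's port 22 (or whatever port your daemons listen on) and treat every "review" result as a patch-status question rather than a confirmed hole; the only banner that settles the matter on its own is a protocol-2-only one.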
    
     . . .
    
    Appendix B
    ==========
    
    The following is a README file that is accompanying one version
    of the SSH crc32 exploit:
    
    ---
    
    sh exploit demystified: info supplied by XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    1. rename the exploit to filename: ssh
    2. type:export blah=loser
    3. Once u figured out the syntax, this is how the exploit works
    
    First stage is the brute force, if it quits while brute forcing and says
    stack not found means the ssh is not vulnerable
    Note:This takes ages, if it brute forces for anything more than 45min >
    i suggest you cancel it
    Second stage:
    If brute force is successful it will move on to the second stage
    it will try some values
    
    if the exploit shows this:
    and freezes on the dots, it means you're in business
    
    exploiting...
    
    DO NOT CLOSE THE EXPLOIT
    Instead open another term and telnet to the hosts port 12345 for a
    bindshell remember to append commands with ; eg: ls;
    
    
    
    If it tries all the values and fails, then u're outta business and it
    should drop u back to shell
    
    EOF
    p.s:from my experience i have found the openssh 1.5 to be utter shit in
    exploiting, the ssh 1.2.6-1.2.30 has a higher chance of success rate
    Last words:This exploit only works maybe 2/10 times so be patient.
    
    ---
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 13:13:06 PST