Re: Attacks against SSH?

From: f.johan.beisser (janat_private)
Date: Mon Dec 03 2001 - 11:09:03 PST


    On Mon, 3 Dec 2001 johan.augustssonat_private wrote:
    
    >
    > I stumbled over this post at the openssh-unix-dev mailing list last week -
    > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
    > The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
    > RedHat 7.0) up and running when he received what looks to be a
    > CRC32-attack. A few minutes later you can see (he posted parts of the
    > logfile) a new user being created with uid=0 and then how a connection
    > is made from a system in Israel.
    >
    > There has been no confirmation about what he writes but I received the
    > following mail as an answer to my questions.
    
    [ text cut out]
    
    > So, to the main question.
    > Has anyone else had a system compromised by the CRC32-attack when
    > running a version of sshd that is believed to be secure? OpenSSH-2.3.0
    > or later, SSH 1.2.32 or later.
    
    i've seen quite a few attempts against sshd in the last few days, since
    rumours of a "new OpenSSH exploit" started wandering around.
    
    the thread can be found here:
    
    http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1
    
    it's a tad bit short on technical details.. but, to summarise:
    
    	1. There is still no proven exploit against OpenSSH 2.3
    	   and newer (that i've seen).
    
    	2. there has been a rise in attacks on ssh daemons in the
    	   last week.
    
    i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
    3.0 (but not 3.0.1p1), and had it fail each time. it apparently does attack
    the CRC bug in unpatched/vulnerable versions of ssh.
    
    the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
    binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
    roughly 1.4 megs in size. i've only seen it as "x2".
    
    
    -------/ f. johan beisser /--------------------------------------+
      http://caustic.org/~jan                      janat_private
        "John Ashcroft is really just the reanimated corpse
             of J. Edgar Hoover." -- Tim Triche
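
The sequence described in the quoted report (sshd attack-detector messages, a uid=0 account created minutes later, then a login) can be looked for in syslog. The following is an added example, not part of the original message: the log lines are constructed, and the message wording, the 10-minute window and the function names are assumptions to adjust for the local sshd and useradd versions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog layout; not from the original post.
SAMPLE_LOG = """\
Dec  1 03:12:44 host sshd[1021]: Disconnecting: crc32 compensation attack: network attack detected
Dec  1 03:12:51 host sshd[1033]: Disconnecting: Corrupted check bytes on input.
Dec  1 03:15:02 host useradd[1100]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
Dec  1 03:16:40 host sshd[1107]: Accepted password for cgi from 192.0.2.77 port 1042
Dec  2 10:00:00 host useradd[2200]: new user: name=alice, uid=501, gid=501, home=/home/alice, shell=/bin/bash
Dec  3 09:00:00 host useradd[3300]: new user: name=ops, uid=0, gid=0, home=/root, shell=/bin/bash
"""

# Message wording is an assumption; check it against the logs your daemons actually write.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")
PROBE = re.compile(r"crc32 compensation attack|Corrupted check bytes", re.I)
NEW_ROOT = re.compile(r"new user: name=(\S+?), uid=0\b")
LOGIN = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def parse(log_text, year):
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:  # syslog omits the year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3)

def correlate(log_text, window_minutes=10, year=2001):
    """Report each uid=0 account creation with preceding sshd probes and later logins."""
    window = timedelta(minutes=window_minutes)
    events = list(parse(log_text, year))
    findings = []
    for when, prog, msg in events:
        hit = NEW_ROOT.search(msg)
        if not hit:
            continue
        name = hit.group(1)
        probes = [t for t, p, m in events if p == "sshd" and PROBE.search(m)
                  and timedelta(0) <= when - t <= window]
        logins = [l.group(2) for t, p, m in events if p == "sshd" and t >= when
                  and (l := LOGIN.search(m)) and l.group(1) == name]
        findings.append({"user": name, "created": when,
                         "probes_before": len(probes), "login_sources": logins,
                         "severity": "high" if probes else "review"})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A uid=0 account with no preceding probe is still reported, at the lower "review" severity, because a second root-equivalent account warrants a look on its own.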
    
    
    


