Re: Attacks against SSH?

From: f.johan.beisser (janat_private)
Date: Mon Dec 03 2001 - 11:09:03 PST

Next message: Armando B. Ortiz: "Re: Attacks against SSH?"

Previous message: Aaron Schultz: "Re: Attacks against SSH?"
In reply to: johan.augustssonat_private: "Attacks against SSH?"
Next in thread: johan.augustssonat_private: "Re: Attacks against SSH?"
Next in thread: Armando B. Ortiz: "Re: Attacks against SSH?"
Reply: johan.augustssonat_private: "Re: Attacks against SSH?"
Reply: Dave Dittrich: "Re: Attacks against SSH?"
Reply: Jason Robertson: "Re: Attacks against SSH?"
Reply: Florian Weimer: "Re: Attacks against SSH?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 3 Dec 2001 johan.augustssonat_private wrote:

>
> I stumbeled over this post at openssh-unix-dev mailinglist last week -
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
> The poster claims that he had OpenSSH-2.9p2-8.7 (latest uppdate for
> RedHat 7.0) up and running when he received what looks to be a
> CRC32-attack. A few minutes later you can see (he posted parts of the
> logfile) a new user being created with uid=0 and then how an connection
> is made from system in Israel.
>
> There has been no confirmation about what he writes but I recieved the
> following mail as an answer of my questions.

[ text cut out]

> So, to he main question.
> Has anyone else had a system compromised by the CRC32-attack when
> running a version of sshd that is believed to be secure? OpenSSH-2.3.0
> or later, SSH 1.2.32 or later.

i've seen quite a few attempts against sshd in the last few days, since
rumours of a "new OpenSSH exploit" started wandering around.

the thread can be found here:

http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1

it's a tad bit short on technical details.. but, to summerise:

	1. There is still no proven exploit against OpenSSH 2.3
	   and newer (that i've seen).

	2. there has been a rise in attacks on ssh daemons in the
	   last week.

i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
3.0 (but not 3.0.1p1), and had it fail each time. it aparently does attack
the CRC bug in unpatched/vulnerable versions of ssh.

the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
ruffly 1.4 megs in size. i've only seen it as "x2".


-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      janat_private
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Armando B. Ortiz: "Re: Attacks against SSH?"
Previous message: Aaron Schultz: "Re: Attacks against SSH?"
In reply to: johan.augustssonat_private: "Attacks against SSH?"
Next in thread: johan.augustssonat_private: "Re: Attacks against SSH?"
Next in thread: Armando B. Ortiz: "Re: Attacks against SSH?"
Reply: johan.augustssonat_private: "Re: Attacks against SSH?"
Reply: Dave Dittrich: "Re: Attacks against SSH?"
Reply: Jason Robertson: "Re: Attacks against SSH?"
Reply: Florian Weimer: "Re: Attacks against SSH?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:43:55 PST