> i've seen quite a few attempts against sshd in the last few days,
> since rumours of a "new OpenSSH exploit" started wandering around.

This is not a rumor.

> the thread can be found here:
>
> http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1
>
> it's a tad bit short on technical details.. but, to summarise:
>
> 1. There is still no proven exploit against OpenSSH 2.3
> and newer (that i've seen).
>
> 2. there has been a rise in attacks on ssh daemons in the
> last week.

I would concur with both points. Word has not been getting around fast
enough, so there are still many vulnerable systems out there being
exploited. See Niels Provos' post to BUGTRAQ with graphs showing this,
and a tool for scanning your network:

http://www.citi.umich.edu/u/provos/ssh/

> i tested out a binary exploit that "supposedly" worked on OpenSSH
> 2.3 to 3.0 (but not 3.0.1p1), and had it fail each time. it
> apparently does attack the CRC bug in unpatched/vulnerable versions
> of ssh.

...same here.

> the exploit is (supposedly) encrypted, stripped, and for x86 linux.

Not supposedly, or stripped (to be precise), but the x86 Linux part is
for sure. Put it this way; you won't find anything by just running
"strings". ;)

This binary has been found in several places around the world over the
past two weeks, in one case part of a rootkit including the Adore LKM
and Universal rootkit for SUSE Linux w/default 0xff XORed config file
(K2 - you owe me ANOTHER beer;) For more on how to "decrypt" this
config file ("uconf.inv"), see the Honeynet Project's Scan of the Month
#16 at:

http://project.honeynet.org/scans/scan16/

(If they figure out how to modify the source, you'll have to write a
simple Perl script to try 0x00 through 0xfe to make it readable, or
follow the methods used in the winning Scan of the Month entry.)

This exploit is indeed a different crc32 exploit than the one I
analyzed a couple weeks ago, but it affects the same set of systems as
the one I analyzed.

For those who haven't seen it, the analysis includes examples and a
script for scanning your network to identify *potentially* vulnerable
systems (you need to check the version of your protocol 1 fallback
server separately, if you allow fallback):

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

This exploit behaves slightly differently in that it gives a root shell
directly (after first returning the output of the "hostname", "uname -a",
and "id" commands).

> the
> binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
> roughly 1.4 megs in size. i've only seen it as "x2".

By the way. Thanks very much for including an MD5 hash. That helps a
great deal in determining if something is new/old/changed.

I've also seen it named "x1" (but it's the same binary - Thanks David.)

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
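The message above describes the Universal rootkit's config file being XORed with a single byte (0xff by default) and suggests a Perl script that tries 0x00 through 0xfe when the key has been changed. The following is an added example of that recovery step for incident responders; it is not code from the post or from any of the tools it references, it is written in Python rather than Perl, and it extends the idea by trying all 256 keys and ranking them by how much the output looks like text. The sample config content is constructed for the example and is not the real "uconf.inv".

```python
# Added example: brute-force recovery of a single-byte XOR key from an
# obfuscated config file, the technique the post describes for the
# 0xff-XORed "uconf.inv". Python instead of the Perl script the post
# mentions; SAMPLE_PLAINTEXT is a constructed stand-in, not the real file.

# Bytes that dominate a typical lowercase config file.
COMMON = set(b"abcdefghijklmnopqrstuvwxyz \n")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse,
    so the same call both obfuscates and recovers)."""
    return bytes(b ^ key for b in data)


def score_plaintext(data: bytes) -> int:
    """Heuristic text score: reward lowercase text, tolerate other
    printable ASCII (plus tab and CR), and penalise control or high
    bytes heavily so wrong-key garbage sinks to the bottom."""
    score = 0
    for b in data:
        if b in COMMON:
            score += 2
        elif 0x20 <= b <= 0x7E or b in (0x09, 0x0D):
            score += 1
        else:
            score -= 10
    return score


def recover_key(data: bytes) -> int:
    """Try every key 0x00..0xff (the post says 0x00..0xfe, since 0xff is
    the default) and return the one whose output looks most like text."""
    best_key, best_score = 0, None
    for key in range(256):
        s = score_plaintext(xor_decode(data, key))
        if best_score is None or s > best_score:
            best_key, best_score = key, s
    return best_key


# Constructed sample resembling a rootkit config; not the genuine uconf.inv.
SAMPLE_PLAINTEXT = (
    b"# constructed sample config\n"
    b"hide_dir=/dev/.hidden\n"
    b"hide_proc=sshd2\n"
    b"log_file=/var/tmp/.x\n"
)
# What an analyst would pull off disk: the default 0xff obfuscation.
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT, 0xFF)


if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED)
    print(f"recovered key: 0x{key:02x}")
    print(xor_decode(SAMPLE_ENCODED, key).decode("ascii"))
```

Because a single-byte XOR maps each plaintext byte to exactly one ciphertext byte, the wrong keys turn most letters into control characters or high bytes, which the scoring function punishes; the true key is the only candidate that keeps every byte printable and the lowercase letters lowercase. The same function works unchanged on a file recovered from a compromised host, whatever key the intruder chose.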
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 09:09:54 PST