Re: Attacks against SSH?

From: Jordan K Wiens (jwiensat_private)
Date: Tue Dec 04 2001 - 09:31:28 PST


    ver>=2.3.0 of openssh patched the vulnerability
    
    http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
    
    Also, here's a recent sanitized targets file for the x2 executable:
    
    -----begin targets-----
    SSH-1.5-1.2.27,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
    Small - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,0
    Big - SSH-1.99-OpenSSH_2.2.0p1,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXXXXXXXX,0xXX,0xXXXX,1
    -----end targets-----
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Tue, 4 Dec 2001 johan.augustssonat_private wrote:
    
    > "f.johan.beisser" wrote:
    >
    > > i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
    > > 3.0 (but not 3.0.1p1), and had it fail each time. it apparently does attack
    > > the CRC bug in unpatched/vulnerable versions of ssh.
    > >
    > > the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
    > > binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
    > > roughly 1.4 megs in size. i've only seen it as "x2".
    >
    >
    > I know that the x2 binary uses a targetfile with some offsets for
    > different sshd. The one I've seen only contains offsets for SSH-1.2.27
    > and OpenSSH-2.2.0p1. If this exploit really works against OpenSSH-2.9.9
    > you'll need a targetfile with the offsets for OpenSSH-2.9.9.
    >
    >
    > /Johan Augustsson
    >
    > --------------------------------------------------------------------
    > Johan Augustsson                 Phone: +46 (0)31 773 1000
    > Incident Response Team           Fax: +46 (0)31 773 1087
    > Göteborg University              E-mail: Johan.Augustssonat_private
    > Sweden
    > --------------------------------------------------------------------
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
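
A defender-side triage of collected SSH banners using the two facts in this message (the 2.3.0 fix threshold and the banners named in the targets file), as an added example that is not part of the original post. The host addresses and sample banners are constructed, and the function names are hypothetical.

```python
import re

# From the message above: "ver>=2.3.0 of openssh patched the vulnerability".
OPENSSH_FIXED = (2, 3, 0)
# Identification strings named in the sanitized targets file in the message.
LISTED_IN_TARGETS = {"SSH-1.5-1.2.27", "SSH-1.99-OpenSSH_2.2.0p1"}

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")

def triage(banner):
    """Classify one SSH identification string; returns (verdict, reason)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unparsed", "not an SSH identification string")
    proto, software = m.groups()
    if f"SSH-{proto}-{software}" in LISTED_IN_TARGETS:
        return ("listed", "banner appears in the x2 targets file")
    o = OPENSSH_RE.match(software)
    if o:
        # A missing patch component (e.g. "2.9p2") is treated as 0.
        ver = tuple(int(p or 0) for p in o.groups())
        if ver < OPENSSH_FIXED:
            return ("vulnerable", "OpenSSH older than 2.3.0")
        return ("ok", "OpenSSH at or above 2.3.0")
    # Assumption: the bug lives in SSH-1 code, as the advisory name (ssh1crc)
    # indicates. Protocol 1.5 is SSH-1 only; 1.99 accepts SSH-1 and SSH-2.
    if proto in ("1.5", "1.99"):
        return ("review", "non-OpenSSH server offering SSH-1; check vendor advisory")
    return ("ok", "no SSH-1 offered")

def triage_inventory(banners_by_host):
    """Return {host: verdict} for every host that needs attention."""
    flagged = {}
    for host, banner in banners_by_host.items():
        verdict, _reason = triage(banner)
        if verdict != "ok":
            flagged[host] = verdict
    return flagged

# Constructed sample data (documentation address range), not from the thread.
SAMPLE = {
    "192.0.2.10": "SSH-1.5-1.2.27",
    "192.0.2.11": "SSH-1.99-OpenSSH_2.1.1",
    "192.0.2.12": "SSH-1.99-OpenSSH_2.9p2",
    "192.0.2.13": "SSH-1.5-1.2.31",
    "192.0.2.14": "SSH-2.0-OpenSSH_3.0.1p1",
}

if __name__ == "__main__":
    for host, banner in SAMPLE.items():
        print(host, banner, *triage(banner))
```

A banner is only a hint: it can be edited, and vendors backport fixes without changing the version string, so confirm flagged hosts against the installed package.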
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 11:52:40 PST