First of all, go to openssh-3.4p1; openssh 3.2.2 is still vulnerable.

Second: have you set

    ChallengeResponseAuthentication no
    UsePrivilegeSeparation yes
    PAMAuthenticationViaKbdInt no

in the config file?

On Friday 06 September 2002 20:41, Jeremy Junginger wrote:
> Hello,
>
> I am back again, and auditing an internally accessible ssh server for
> the challenge-response buffer overflow. I'll keep it brief:
>
> OS: RedHat Linux (6.2)
> SSH Version: SSH-1.99-OpenSSH_3.1p1
>
> I have already done the following:
>
> Downloaded and extracted openssh-3.2.2p1.tar.gz
> Patched the client with ssh.diff (patch < ssh.diff)
> Compiled patched client ( ./configure && make ssh)
> Run the "patched" ssh (./ssh x.x.x.x)
>
> I am receiving the following output
> ./scanssh 172.16.51.23
> [*] remote host supports ssh2
> [*] server_user: root:skey
> [*] keyboard-interactive method available
> [x] bsdauth (skey) not available
> Permission denied (publickey,password,keyboard-interactive).
>
> I have not investigated any further, but don't feel comfortable calling
> the service "secured" without a little peer review. Do you have any
> tips on manipulating the method, style, repeats, chunk size, or
> connect-back shellcode repeat? Any ideas will be greatly appreciated.
> Thanks, and have a great day!
>
> -Jeremy

--
Peter Bruderer                  mailto:brudy@bruderer-research.com
Bruderer Research GmbH          Tel ++41 52 620 26 53
IT Security Services            Fax ++41 52 620 26 54
CH-8200 Schaffhausen            http://www.bruderer-research.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
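A quick way to verify the two points the reply raises, as an added example that is not part of the original thread or of OpenSSH: it parses an sshd_config for the three settings listed above (honouring sshd's rule that the first occurrence of a keyword wins) and flags a server banner older than the 3.4 the reply recommends. The sample configs are constructed for illustration, and the function names are my own. The banner check is only a triage signal, since vendors backport fixes without changing the advertised version.

```python
"""Audit helper: check an sshd_config and an SSH banner against the
hardening advice given in the reply above. Added example, not code
from the original mail or from the OpenSSH project."""
import re

# Settings the reply recommends (keyword lower-cased -> required value).
REQUIRED = {
    "challengeresponseauthentication": "no",
    "useprivilegeseparation": "yes",
    "pamauthenticationviakbdint": "no",
}

# Version the reply says to move to (portable OpenSSH 3.4p1).
MIN_VERSION = (3, 4)


def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd applies the FIRST occurrence of a
    keyword, so later duplicates are ignored. Comments and blank lines are
    skipped; both 'Key value' and 'Key=value' forms are accepted."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_config(text):
    """Return a list of (keyword, expected, actual) findings.
    An empty list means every recommended setting is explicitly present
    with the recommended value; 'actual' is None when the keyword is unset
    (then the compiled-in default applies, which should be verified)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


def parse_banner(banner):
    """Extract (major, minor) from an identification string such as
    'SSH-1.99-OpenSSH_3.1p1'. Returns None for non-OpenSSH banners."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def banner_needs_upgrade(banner):
    """True when the advertised OpenSSH version is older than MIN_VERSION.
    Caveat: distributions backport fixes without bumping the banner, so
    treat this as a reason to look closer, not as proof of exposure."""
    version = parse_banner(banner)
    return version is not None and version < MIN_VERSION


# Constructed sample resembling a not-yet-hardened host (not real data).
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
# ChallengeResponseAuthentication no   <- commented out, so not in effect
ChallengeResponseAuthentication yes
UsePrivilegeSeparation no
PasswordAuthentication yes
"""

# Constructed sample with the settings from the reply applied.
HARDENED_CONFIG = """\
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
PAMAuthenticationViaKbdInt no
"""

if __name__ == "__main__":
    print("banner needs upgrade:", banner_needs_upgrade("SSH-1.99-OpenSSH_3.1p1"))
    for key, expected, actual in check_config(SAMPLE_CONFIG):
        print(f"{key}: expected {expected}, found {actual!r}")
```

Run it against a copy of the server's sshd_config by reading the file into `check_config`; any finding whose `actual` is `None` means the keyword is absent and the build's default is in effect, which is exactly the case the reply's "have you set ..." question is aimed at.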
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 12:40:58 PDT