Re: SSH2 Exploit?

From: Ron DuFresne (dufresneat_private)
Date: Thu Mar 07 2002 - 06:33:47 PST


    Ahh, yes, I'm guessing some of the claims to the list might be based on
    the rumors of such an exploit existing, but without evidence we can only
    count them as rumors.  I've shared the earlier binaries on the ssh1 crc32
    code with the folks at ssh.com and nrf.com as they had requested of me in
    private should I get any code, and will do so with you also should I
    fish out any exploit code for ssh2 explicitly.  I'd love to see the
    ssh2_msg stuff you'd been testing.  A DoS does not worry me and might not
    really worry many others as much as a remote root.  Yet, I have taken a
    stance of not fully doing an any-any on port 22 in recent times, more due
    to scans and the triggers set off by them in the IDSs in use on my
    systems.  Fred Avolio recently sent out his semi-monthly newsletter
    suggesting just that for many protocols.  I've also taken to allowing out
    from my systems far fewer any-any protocols just due to the trojan
    overload the desktop users have to deal with on the Windows platform
    these days.  Good advice for us all to pass on to others I think.
    
    Thanks,
    
    Ron DuFresne
    
    On Thu, 7 Mar 2002, H D Moore wrote:
    
    > Heh, no problem. I have heard of some specific exploits for ssh2 commercial,
    > having to do with flooding the server with SSH2_MSG packets during the SSH
    > session. Nothing solid yet, I tested against openssh and was only able to DoS.
    >
    > On Thursday 07 March 2002 08:15 am, Ron DuFresne wrote:
    > > Mr. Moore,
    > >
    > > Thanks for the binaries.  I'd gotten a copy earlier from another source
    > > also to compare these with, but I'm suspecting they will come out
    > > similar.  I realise I was a bit over-zealous in my statements that there
    > > was not a working exploit for ssh1 protocol, and after sending that
    > > response off looked over my ssh related library of facts, or announcements
    > > from the various mailing lists, discovering Dave Dittrich's analysis of the
    > > crc32 exploit from awhile back.  So, my statements were of course
    > > over-broad, but fit the purpose still in trying to identify if a
    > > new exploit was actually circulating that exploited ssh2 as some had
    > > been suggesting.  Thus far I have been unable to ferret out any such
    > > claims with actual evidence such as logs showing something trying or
    > > actually committing such an exploit on ssh2, or source or binaries
    > > for such an exploit.  So, I stand corrected unless one reads me
    > > below without regard to ssh2 <grin>.  Still, if folks are aware of this,
    > > and disable the fallback to ssh1 from their ssh2 daemons, exploiting of
    > > the daemon is not possible.  This should be a compelling reason for folks
    > > to move to the newer ssh2 protocol, but we all know how long it takes
    > > for such matters to evolve once a tool like ssh1 becomes entrenched over
    > > a large number of systems.  Sorry for the confusion to those that read me
    > > and took my mis-statements as total fact.  Of course, if I am in error
    > > here and there is an exploit for ssh2 also circulating, then please
    > > correct me and update Mr. Cimpoesu to avoid his being misadvised by my
    > > statements here.
    > >
    > > Again, thanks much,
    > >
    > > Ron DuFresne
    > >
    > > On Thu, 7 Mar 2002, H D Moore wrote:
    > > > This is a ssh1 crc32 auto-rooter, courtesy of incident response:
    > > >
    > > > http://www.digitaloffense.net/autossh.tgz
    > > >
    > > > You have 24 hours to grab a copy before I remove it. I have not checked
    > > > the contained binaries for trojans or virii yet, so please don't run them
    > > > unless you verify them yourself. An auto-rooter would not be created if
    > > > the exploit it used (x2) doesn't work...
    > > >
    > > > On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
    > > > > There's nothing here that actually suggests the systems were
    > > > > compromised via sshd, neither sshd1 nor sshd2.  Nor is there an actual
    > > > > accounting of what other services were open for possible exploit on the
    > > > > systems in question.  Nothing about the kernels chosen and possible
    > > > > problems there, nor if the systems were actually remotely exploited or
    > > > > if <as is much more possible> an internal user on the systems
    > > > > actually rooted the systems.  I have seen code to scan for sshd1, seen
    > > > > the traces in my logs, and there have been hints of possible sshd1
    > > > > exploit code circulating for awhile now, with no real evidence
    > > > > presented there is such an exploit in use that works remotely.  Those
    > > > > exploits of sshd1 that have been suggested are far above the needs and
    > > > > skills of simple skript-kiddies though.  The sshd2 vulnerabilities I've
    > > > > seen mentioned though are those that include sshd1
    > > > > support, so, if there is real evidence of an sshd2 remote exploit or
    > > > > even a remote sshd1 exploit in actual use, then I'd certainly like to
    > > > > see the code or binaries in question.  Otherwise, we only have rumors of
    > > > > such and most likely have systems hacked via other vectors that are
    > > > > used to scan for possibly exploitable sshds, and these scans are
    > > > > possibly placed for scare tactics or diversion from the real purpose of
    > > > > the rooting that has taken place.
    > > > >
    > > > > Thanks,
    > > > >
    > > > > Ron DuFresne
    > >
    > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > > "Cutting the space budget really restores my faith in humanity.  It
    > > eliminates dreams, goals, and ideals and lets us get straight to the
    > > business of hate, debauchery, and self-annihilation." -- Johnny Hart
    > > 	***testing, only testing, and damn good at it too!***
    > >
    > > OK, so you're a Ph.D.  Just don't touch anything.
    >
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
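    [Editor's added example, not code from any poster in this thread.]  The
    practical advice in the exchange above is to turn off the ssh1 fallback in
    an ssh2 daemon.  The script below shows two ways to check for that:
    reading the server identification banner, where the protoversion "1.99"
    is the documented marker for an SSH-2 server that also accepts SSH-1
    clients, and reading the OpenSSH "Protocol" directive from sshd_config.
    The banners, host versions and config fragments are constructed for the
    example; the default of "2,1" when the directive is absent is an
    assumption matching OpenSSH releases of the period, not a fixed rule.

```python
"""Check whether an SSH server or sshd_config still offers protocol 1.

Added example (not any poster's code).  Banner format: "SSH-proto-software".
protoversion "1.99" = SSH-2 server that falls back to SSH-1; "2.0" = SSH-2
only; "1.x" = SSH-1 only.  Sample banners and configs below are constructed.
"""
import re

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def protocols_from_banner(banner: str) -> set:
    """Return the set of major protocol versions a server banner admits to."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto = m.group("proto")
    if proto == "1.99":
        # Compatibility marker: SSH-2 server that also talks SSH-1.
        return {1, 2}
    if proto.startswith("2."):
        return {2}
    if proto.startswith("1."):
        return {1}
    raise ValueError("unknown protoversion %r" % proto)


def protocols_from_sshd_config(text: str, default=(2, 1)) -> set:
    """Parse the OpenSSH 'Protocol' directive from sshd_config text.

    sshd honours the first occurrence of a keyword; '#' starts a comment.
    The default when the directive is absent is an assumption ("2,1", as
    older OpenSSH shipped); pass default=(2,) for a release that defaults
    to protocol 2 only.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return {int(v) for v in parts[1].replace(" ", "").split(",") if v}
    return set(default)


def ssh1_fallback_enabled(protocols) -> bool:
    """True when the server would still negotiate SSH-1."""
    return 1 in protocols


# Constructed sample banners (hosts/versions illustrative, format real).
SAMPLE_BANNERS = {
    "dual": "SSH-1.99-OpenSSH_3.1p1\r\n",
    "ssh2_only": "SSH-2.0-OpenSSH_3.1p1\r\n",
    "ssh1_only": "SSH-1.5-1.2.32\r\n",
}

# Constructed sshd_config fragments: weak setting beside the fixed one.
WEAK_CONFIG = "Port 22\nProtocol 2,1   # allows fallback to ssh1\n"
FIXED_CONFIG = "Port 22\nProtocol 2\n# Protocol 2,1\n"


def audit() -> dict:
    """Run every sample through the checks; True means ssh1 is still offered."""
    results = {}
    for name, banner in SAMPLE_BANNERS.items():
        results[name] = ssh1_fallback_enabled(protocols_from_banner(banner))
    results["weak_config"] = ssh1_fallback_enabled(
        protocols_from_sshd_config(WEAK_CONFIG))
    results["fixed_config"] = ssh1_fallback_enabled(
        protocols_from_sshd_config(FIXED_CONFIG))
    return results


if __name__ == "__main__":
    for name, flagged in audit().items():
        print("%-12s ssh1 fallback: %s" % (name, "yes" if flagged else "no"))
```

    The banner check is the one to run from outside: it needs no access to
    the host and catches a daemon whose config was "fixed" but never
    restarted.  Note that a "1.99" banner only tells you ssh1 is offered; it
    says nothing about which ssh1 implementation or version is behind it.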
    



    This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 11:16:03 PST