Heh, no problem. I have heard of some specific exploits for ssh2 commercial, having to do with flooding the server with SSH2_MSG packets during the SSH session. Nothing solid yet, I tested against openssh and was only able to DoS.

On Thursday 07 March 2002 08:15 am, Ron DuFresne wrote:
> Mr. Moore,
>
> Thanks for the binaries. I'd gotten a copy earlier from another source
> also to compare these with. But, I'm suspecting they will come out
> similar. I realise I was a bit over-zealous in my statements that there
> was not a working exploit for ssh1 protocol, and after sending that
> response off looked over my ssh related library of facts, or announcements
> from the various mailing lists discovering Dave Dittrich's analysis of the
> crc32 exploit from awhile back. So, my statements were of course
> over-broad, but, fit the purpose still in trying to identify if a
> new exploit was actually circulating that exploited ssh2 as some had
> been suggesting. Thus far I have been unable to ferret out any such
> claims with actual evidence such as logs showing something trying or
> actually committing such an exploit on ssh2, or source or binaries
> for such an exploit. So, I stand corrected unless one reads me
> below without regard to ssh2 <grin>. Still, if folks are aware of this,
> and disable the fallback to ssh1 from their ssh2 daemons, exploiting of
> the daemon is not possible. This should be a compelling reason for folks
> to move to the newer ssh2 protocol, but, we all know how long it takes
> for such matters to evolve once a tool like ssh1 becomes entrenched over
> a large number of systems. Sorry for the confusion to those that read me
> and took my mis-statements as total fact. Of course, if I am in error
> here and there is an exploit for ssh2 also circulating, then please
> correct me and update Mr. Cimpoesu to avoid his being misadvised by my
> statements here.
>
> Again, thanks much,
>
> Ron DuFresne
>
> On Thu, 7 Mar 2002, H D Moore wrote:
> > This is a ssh1 crc32 auto-rooter, courtesy of incident response:
> >
> > http://www.digitaloffense.net/autossh.tgz
> >
> > You have 24 hours to grab a copy before I remove it. I have not checked
> > the contained binaries for trojans or virii yet, so please don't run them
> > unless you verify them yourself. An auto-rooter would not be created if
> > the exploit it used (x2) doesn't work...
> >
> > On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
> > > There's nothing here that actually suggests the systems were
> > > compromised via sshd, neither sshd1 nor sshd2. Nor is there an actual
> > > accounting of what other services were open for possible exploit on the
> > > systems in question. Nothing about the kernels chosen and possible
> > > problems there, nor if the systems were actually remotely exploited or
> > > if <as is much more possible> an internal user on the systems
> > > actually rooted the systems. I have seen code to scan for sshd1, seen
> > > the traces in my logs, and there have been hints of possible sshd1
> > > exploit code circulating for awhile now, with no real evidence
> > > presented there is such an exploit in use that works remotely. Those
> > > exploits of sshd1 that have been suggested are far above the needs and
> > > skills of simple skript-kiddies though. SSHD2 that I've seen
> > > vulnerabilities mentioned for though are those that include sshd1
> > > support, so, if there is real evidence of an sshd2 remote exploit or
> > > even a remote sshd1 exploit in actual use, then, I'd certainly like to
> > > see the code or binaries in question. Otherwise, we only have rumours of
> > > such and most likely have systems hacked via other vectors that are
> > > used to scan for possibly exploitable sshd's, and these scans are
> > > possibly placed for scare tactics or diversion from the real purpose of
> > > the rooting that has taken place.
> > >
> > > Thanks,
> > >
> > > Ron DuFresne
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
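A config check for the mitigation the thread recommends (refusing the ssh1 fallback on an ssh2 daemon), added here as an example and not code from the thread or any project it mentions. It assumes an OpenSSH sshd_config of that era, where an absent `Protocol` directive means the default `2,1` and the first occurrence of any keyword wins; the sample configs are constructed.

```python
# Added example: audit an OpenSSH sshd_config for SSH-1 fallback.
# Assumption: period OpenSSH semantics, where a missing "Protocol" line
# defaults to "2,1" and the first occurrence of a keyword is the one used.
import re

OPENSSH_DEFAULT_PROTOCOL = ("2", "1")  # assumed default of the period


def parse_sshd_config(text):
    """Map lowercased keyword -> first value, skipping comments and blanks.

    Accepts both 'Keyword value' and 'Keyword=value' forms.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.+?)\s*$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))  # first wins
    return settings


def effective_protocols(text):
    """Protocol versions sshd would offer, in directive order."""
    value = parse_sshd_config(text).get("protocol")
    if value is None:
        return OPENSSH_DEFAULT_PROTOCOL
    return tuple(v.strip() for v in value.split(",") if v.strip())


def ssh1_fallback_enabled(text):
    """True when the daemon would still accept SSH-1 (the crc32 attack surface)."""
    return "1" in effective_protocols(text)


def audit(text):
    """One-line verdict a defender can act on."""
    protos = ",".join(effective_protocols(text))
    if ssh1_fallback_enabled(text):
        return f"FALLBACK: Protocol {protos} (SSH-1 accepted; set 'Protocol 2')"
    return f"OK: Protocol {protos} (SSH-1 disabled)"


# Constructed sample configs, not taken from any real host.
SAMPLE_FALLBACK = "Port 22\nProtocol 2,1\nProtocol 2   # ignored: first wins\n"
SAMPLE_DEFAULT = "Port 22\n#Protocol 2\n"   # commented out -> default applies
SAMPLE_HARDENED = "Port 22\nprotocol 2\n"   # keyword is case-insensitive

if __name__ == "__main__":
    for name, cfg in [("fallback", SAMPLE_FALLBACK), ("default", SAMPLE_DEFAULT),
                      ("hardened", SAMPLE_HARDENED)]:
        print(f"{name}: {audit(cfg)}")
```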
This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 23:11:05 PST