OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones

Lisa Kachold lisakachold at obnosis.com
Tue Nov 25 16:15:49 MST 2008 

The question of whether your SSH is secure or can be intercepted is not simple!
  
EXACT INFORMATION RELATED TO VERSIONS, CONFIGURATION, and NETWORK TRUSTS ARE REQUIRED FOR A FULL SECURITY ANALYSIS of ANY PROTOCOL.

Legend {} = practical lab exploit

SSH exploits cover various implementations from Protocol 1.5 to 1.99 ( which drop back down when the connection is overflowed or DoS'd) to complete "somewhat secure" Protocol 2.0.

One can even BREAK modern [temporarily secure] SSH with changes to the /etc/ssh/sshd_config file (which exploiters [and admins] often [ahem] "customize") to allow X11 Forwarding, clear text, PAM, rhosts or another "useful" feature without considering greater layers of trust and mistrust in JustDoIt4Profit.com and ItCrisisJunkies4Us.com type shops.

Here's a breif list of the historic SSH exploits:

1) SSH CRC32 Compensation Attack
       Detector 2002

2) Various Buffer Exploits 

a) buffer_append_space() [including most recent in 2008] {http://www.milw0rm.com/exploits/6804 } 
b) Key {http://www.securiteam.com/exploits/6D00M2K6AU.html }
c) SSH Challenge/Authentication Boundary Condition Exploit
d) SSH_FXP_OPEN exploit {http://securityvulns.com/Udocument754.html }
 
{ Gain a Root Shell:  http://www.securityspace.com/smysecure/catdescr.html?cat=Gain+a+shell+remotely }

Protect via fwknob: http://74.125.45.132/search?q=cache:cVZswnUzh34J:barcampchicago.com/files/fwknop-20080817.pdf+SSH+MD5+replay+script&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a}

3) Debian SSH key issue {http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2008-05/msg00416.html }

4) SSH Remote Challenge Exploits UsePrivilegeSeparation

&&  SSH Remote PAM Challenge Exploits  {scanned using http://www.monkey.org/~provos/scanssh/ }

5) SSH Privilege Escalation:

http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=OpenSSH+3.0.2p1+exploit&type=archives

6) SSH X11 Forwarding Exploits 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011

{http://www.secuobs.com/secumail/snsecumail/msg09943.shtml }

7) Password Attacking or Dictionary Attacks

Explanation and Tests post encroachment: 
http://gii2.nagaokaut.ac.jp/gii/rsd.php?itemid=734

a) Worms:  http://www.aerospacesoftware.com/ssh-kiddies.html  

b) MD5 attack {http://www.brendangregg.com/Chaos08/session_0003.textSSH.replay }

c) Hydra [BackTrack] SSH dictionary attack {http://forum.darkc0de.com/index.php?action=vthread&forum=19&topic=3134}

8) Man in the middle or TCP/IP spoofing and ARP cache poisoning (especially in insufficiently source and destination limited firewalled networks and with "evil localhost entries in /etc/hosts").

{ http://www.hackingdefined.com/movies/see-s...m-tunneling.zip
You might need a techsmith codec to view: http://www.techsmith.com/download/codecs.asp }

[sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected SSH and HTTPS sessions
by exploiting weak bindings in ad-hoc PKI]

10) The most recent is the PLAIN TEXT leak for SSH recently announced on CPNI: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

and this decription:  http://www.securityfocus.com/archive/1/498558/30/0/threaded

It's probable that exploits for this are already circulating, as difficult as it seems to break. a creative use will certainly be implemented in conjunction with other tools.

Believe it or not there are a great many OLD versions of Protocol 1 out there in production server portals for highly visable Internet providers and corporations (some even with passwords as simple as "1234test" or "p at ssword").

There is more than one SSH protocol and more than one version of the sshd 
  program. All of the current 1.x versions of the sshd program implement SSH 
  protocol 1.5, which is generally called the SSH-1 protocol. Program versions 2 
  and higher with drop back to protocol 1 enabled  show the SSH 1.99 protocol or 
  if drop back is disabled, they show SSH 2.0 protocol. Both of these are the 
  SSH-2 protocol. If you telnet to port 22 on a machine that is running the sshd 
  daemon, you get back a string that tells you the protocol currently being 
  implemented and the version of the sshd daemon. For example, a returned string 
  might be: SSH-1.5-1.2.27 which tells you that the daemon is implementing 
  protocol version 1.5 and that the daemon is version 1.2.27.


It's generally recommended to know the features and limitations of every application in place.  Here's OpenSSH's version to exploit description:  http://www.openssh.com/security.html

SSH Hacking and Tunneling Exploits:  http://www.youtube.com/watch?v=eU4gFO0Z6GA

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona Department of Economic
Security will provide a one hour
presentation on forensics.

From: jon at the-hansons-az.net
To: plug-discuss at lists.plug.phoenix.az.us
Subject: Re: OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones
Date: Tue, 25 Nov 2008 14:48:08 -0700

SSH is secured at your endpoint specifically because you don't trust the network. Even if someone was able to intercept the cellular data (which is encrypted as well, at least for GSM) they still wouldn't be able to decypher your SSH session.

Sent from my iPhone
On Nov 25, 2008, at 2:38 PM, "Joshua Zeidner" <jjzeidner at gmail.com> wrote:


 Lisa,

  I wonder if the data transport (over cell network) is secured...  can a sophisticated cell phone eavesdropper snoop on my ssh session?

 -jmz


On Tue, Nov 25, 2008 at 11:07 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:






Check out midpssh - works on BlackBerry, and most PDA's - since it's compiled for various ARM and other phone devices.

http://www.xk72.com/midpssh/


Point your phone browser to install:

http://xk72.com/wap 



Security Disclaimer:
Remember to limit your server SSH access points (where possible) through ACL [iptables] by IP [check your phone settings for IP address], use strong passwords, and deploy daemon wrappers like SSHIT or SSHUTOUT [to protect against brute force and dictionary attacks], enable strong logging and log servers [so the logs can't be trivially edited] and alternately run on a unique port (not 2222 [everyone uses 2222]) if you MUST leave SSH open to PSTN/Internet gateways.


www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona Department of Economic
Security will provide a one hour
presentation on forensics.



Get more done, have more fun, and stay more connected with Windows Mobile®.  See how.

---------------------------------------------------

PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us

To subscribe, unsubscribe, or to change your mail settings:

http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
_________________________________________________________________
Windows Live Hotmail now works up to 70% faster.
http://windowslive.com/Explore/Hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_faster_112008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20081125/809cb9c9/attachment.htm

More information about the PLUG-discuss mailing list