HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You

der.hans PLUGd at LuftHans.com
Thu Oct 30 00:49:53 MST 2008


On 30 Oct 2008, Lisa Kachold wrote:

> SSH buffer overflow exploit - season to taste:
> http://www.milw0rm.org/exploits/6804

Looks like this one is exploiting after authenticating as root. I presume
the idea is that you could auth as someone else and still get root access.

my $user = "root";
my $pass = "yahh";

# a bare string after || is a no-op: on a failed login the script just keeps going
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";

Was a die left out?

$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";

> History:
>
> OpenSSH Challenge Response Buffer Overflow: http://www.securityfocus.com/bid/5093
>
> Report 2001 - updated last Nov 05 2007 02:45PM
> Other boundary exploits, Kerberos, auth and encryption exploits and overflows exist making encroachment via SSH trivial.

It's been almost a year since the update with no update on the update :(.

Everybody was too busy reacting to the Debian problem?

###
**UPDATE: One of these issues is trivially exploitable and is still
present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been
confirmed, administrators are advised to implement the OpenSSH
privilege-separation feature as a workaround.
###

I'd think the OpenBSD guys would have denied or confirmed this.

/me switches back to telnet.  ;-)

ciao,

der.hans
-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  "If I want my children to work hard, I better be the hardest working
#  person they've ever met. If I want the children to be nice, I better
#  be the kindest human being they've ever met." -- Rafe Esquith
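Added example, not code from the thread or from the milw0rm script: the advisory quoted above names privilege separation as the workaround, and the script itself depends on logging in as root with a password. The POSIX shell audit below reads an sshd_config the way sshd resolves it (keywords are case-insensitive, keyword and value are separated by whitespace or a single '=', the first occurrence of a keyword wins, and anything after the first Match line only applies conditionally) and flags UsePrivilegeSeparation, PermitRootLogin and PasswordAuthentication. The defaults used for absent directives are the sshd_config(5) defaults of the 3.x/4.x era and are an assumption of the example; the two sample configs are constructed, not taken from any host. On OpenSSH 7.5 and later privilege separation is mandatory and the UsePrivilegeSeparation directive is deprecated, so there only the root-login and password checks still apply.

```shell
#!/bin/sh
# Added example, not code from the thread or the milw0rm script.
# Audits an sshd_config for the advisory's workaround (privilege separation)
# and for the root password login the exploit script depends on.

# Effective global value of one directive, resolved the way sshd does:
#   - keywords are case-insensitive
#   - keyword and value are separated by whitespace or by one '='
#   - the first occurrence wins, later ones are ignored
#   - everything after the first "Match" line is conditional and is not
#     consulted for the global value
# Usage: sshd_directive FILE KEYWORD DEFAULT   (prints the value)
sshd_directive() {
    sd_val=$(awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                 # drop indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        {
            kw = $0; sub(/[ \t=].*$/, "", kw)  # keyword: up to first space or "="
            if (tolower(kw) == "match") exit   # conditional section begins
            val = $0; sub(/^[^ \t=]*[ \t]*=?[ \t]*/, "", val)  # strip keyword + separator
            sub(/[ \t].*$/, "", val)           # keep the first word of the value
            if (val != "" && tolower(kw) == tolower(key)) { print val; exit }
        }
    ' "$1")
    printf '%s\n' "${sd_val:-$3}"
}

# Prints one line per finding; returns 0 if hardened, 1 if any setting is weak.
# The defaults passed to sshd_directive are assumed 3.x/4.x-era defaults:
# check the sshd_config(5) of the version actually installed.
audit_sshd_config() {
    ac_weak=0
    ac_ps=$(sshd_directive "$1" UsePrivilegeSeparation yes | tr 'A-Z' 'a-z')
    ac_root=$(sshd_directive "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
    ac_pw=$(sshd_directive "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')

    case "$ac_ps" in
        yes|sandbox) echo "ok   UsePrivilegeSeparation=$ac_ps" ;;
        *) echo "WEAK UsePrivilegeSeparation=$ac_ps (advisory workaround not in place)"
           ac_weak=1 ;;
    esac
    case "$ac_root" in
        yes) echo "WEAK PermitRootLogin=yes (root may log in directly, as the script assumes)"
             ac_weak=1 ;;
        *)   echo "ok   PermitRootLogin=$ac_root (root password logins refused)" ;;
    esac
    case "$ac_pw" in
        no) echo "ok   PasswordAuthentication=no" ;;
        *)  echo "WEAK PasswordAuthentication=$ac_pw (password logins like the script's accepted)"
            ac_weak=1 ;;
    esac
    return $ac_weak
}

# Two constructed sample configs (not taken from any real host).
# Usage: sample_config weak|hardened   (prints the temp file path)
sample_config() {
    sc_f=$(mktemp) || return 1
    case "$1" in
        weak) cat >"$sc_f" <<'EOF'
# constructed: 2008-era config with the workaround switched off
Port 22
Protocol 2
UsePrivilegeSeparation no
PermitRootLogin yes
PasswordAuthentication yes
EOF
        ;;
        hardened) cat >"$sc_f" <<'EOF'
# constructed: privsep on, no root logins, keys only; the Match block is conditional
Port 22
Protocol 2
UsePrivilegeSeparation = yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
        ;;
        *) rm -f "$sc_f"; return 1 ;;
    esac
    printf '%s\n' "$sc_f"
}

# Stand-alone run over both samples.
for kind in weak hardened; do
    f=$(sample_config "$kind")
    echo "== $kind sample"
    if audit_sshd_config "$f"; then echo "result: hardened"; else echo "result: WEAK"; fi
    rm -f "$f"
done
```

Point it at a real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit is the signal to act on. The script deliberately stops at the first Match line because a directive inside a Match block can be looser than the global value without changing what an anonymous root password attempt sees.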


More information about the PLUG-discuss mailing list