RE: HackFest Series: "Is it safe yet" or SSH Buffer Overflow…

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Old-Topics: Re: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You
New-Topics: HackFest Series: NOVEMBER HackFest At ESTRELLA MOUNTAIN on November 15, 2008 Noon Until 3:30, HackFest Series: NOVEMBER HackFest At ESTRELLA MOUNTAIN on November 16, 2008 Noon Until 3:30
Subject: RE: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You - CHECK YOUR VERSIONS
SSH Exploits are currently available in various forms:

1) General Stack Based exploits. Also called Boundary Protection BOE's. Check your version.
Most older versions have been fixed:
http://secunia.com/advisories/search/?search=ssh+buffer+overflow

2) Protocol 1 exploits. (Check your Version) configure /etc/ssh/sshd_config to use Protocol 2.

3) Kerberos exploits - authentication when compiled against various insecure Kerberos. Check your version; these affect older versions of SSH or unpatched systems.
Description of exploit: http://kerneltrap.org/node/160

4) Random PRNG entropy SSL/SSH - announced in 2006 by a team of university students, this problem with random number generation allows the attacker to guess the key generation and affected nearly all versions of SSL/SSH - including routers/switches/firewalls and custom mail applications.
Debian/Ubuntu descriptions from CERT:
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
http://www.ubuntu.com/usn/usn-612-5
http://www.ubuntu.com/usn/usn-612-6
http://www.kb.cert.org/vuls/id/925211

5) Challenge and Response - allows escalated privileges upon overflow of the buffer:
Description and versions affected:

http://www.juniper.net/security/auto/vulnerabilities/vuln5093.html

Example Script that exploits SSH challenge response [see no die there then the overflow payload?]:

http://www.milw0rm.org/exploits/6804

BlackHat Training:

http://www.blackhat.com/html/bh-europe-07/train-bh-eu-07-ss-el.html

Metasploit (comes setup on BackTrack) includes a few examples for SSH exploit training:

http://www.metasploit.com/

NOTE: This information has been intentionally obfuscated using intellectualism to filter out the less evolved crackers in favor of providing security tools to responsible professionals systems hackers [<sic> builders troubleshooters and ethical users].

http://wapedia.mobi/en/Obnosis | http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
> Date: Thu, 30 Oct 2008 00:49:53 -0700
> From:
> To:
> Subject: Re: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You
>
> On 30 Oct 2008, Lisa Kachold wrote:
>
> > SSH buffer overflow exploit - season to taste:
> > http://www.milw0rm.org/exploits/6804
>
> Looks like this one is exploiting after authenticating as root. I presume
> the idea is that you could auth as someone else and still get root access.
>
> my $user = "root";
> my $pass = "yahh";
>
> $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
>
> Was a die left out?
>
> $ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
>
> > History:
> >
> > OpenSSH Challenge Response Buffer Overflow: http://www.securityfocus.com/bid/5093
> >
> > Report 2001 - updated last Nov 05 2007 02:45PM
> > Other boundary exploits, kerberos, auth and encryption exploits and overflows exist making encroachment via SSH trivial.
>
> It's been almost a year since the update with no update on the update :(.
>
> Everybody was too busy reacting to the debian problem?
>
> ###
> **UPDATE: One of these issues is trivially exploitable and is still
> present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been
> confirmed, administrators are advised to implement the OpenSSH
> privilege-separation feature as a workaround.
> ###
>
> I'd think the OpenBSD guys would have denied or confirmed this.
>
> /me switches back to telnet. ;-)
>
> ciao,
>
> der.hans
> -- 
> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
> #  "If I want my children to work hard, I better be the hardest working
> #  person they've ever met. If I want the children to be nice, I better
> #  be the kindest human being they've ever met." -- Rafe Esquith
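Added example, not code from Lisa's post, from der.hans's reply, or from the milw0rm script they discuss: a small defender-side audit script that turns the "check your version" and "configure sshd_config to use Protocol 2" items above, plus the "exploiting after authenticating as root" observation in the reply, into checks you can run on a host. It parses the first obtained value of each sshd_config keyword (which is what sshd itself uses), extracts the upstream release from an `ssh -V`-style banner, and compares it against a minimum release you supply. The minimum release passed at the bottom is a placeholder, not a version named on this page; the weak-key check only runs where Debian/Ubuntu's `ssh-vulnkey` (shipped with the DSA-1576 / USN-612 updates) is installed. All sample inputs are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config and an
# OpenSSH version string for the items discussed in the thread.

# sshd_option CONFIG_FILE KEYWORD -> prints the value sshd would use, or "absent".
# sshd_config(5): for each keyword the first obtained value is used, so the
# first uncommented occurrence wins; keywords are case-insensitive.
sshd_option() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'absent\n'; fi
}

# sshd_protocol CONFIG_FILE -> the Protocol list (e.g. "2", "2,1") or "absent"
sshd_protocol() {
    sshd_option "$1" Protocol
}

# protocol1_enabled CONFIG_FILE -> exit 0 when "1" is anywhere in the Protocol list
protocol1_enabled() {
    case ",$(sshd_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# openssh_version "OpenSSH_4.3p2 Debian-9etch3, OpenSSL 0.9.8c" -> 4.3p2
# Extracts the upstream release from an `ssh -V` / banner-style string;
# prints nothing if the string is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.]*p*[0-9]*\).*/\1/p'
}

# version_lt A B -> exit 0 if release A is older than release B.
# Compares major.minor only; the "pN" portable-release suffix is ignored.
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%p*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%p*}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]
}

# audit_sshd CONFIG_FILE VERSION_STRING MIN_OK_VERSION
# Prints one "[!] ..." line per finding. MIN_OK_VERSION is whatever fixed
# release the advisory you are tracking names (assumption: caller supplies it).
audit_sshd() {
    if protocol1_enabled "$1"; then
        echo "[!] Protocol 1 enabled in $1 (set 'Protocol 2' and restart sshd)"
    fi
    # sshd of this era defaulted PermitRootLogin to yes, so "absent" is flagged too.
    case $(sshd_option "$1" PermitRootLogin) in
        yes|absent) echo "[!] PermitRootLogin not restricted in $1 (the quoted script logs in as root)" ;;
    esac
    ver=$(openssh_version "$2")
    if [ -z "$ver" ]; then
        echo "[!] cannot parse an OpenSSH release from: $2"
    elif version_lt "$ver" "$3"; then
        echo "[!] OpenSSH $ver is older than $3; check the vendor advisory for this host"
    fi
    # Debian/Ubuntu weak-key scanner (DSA-1576 / USN-612); skipped where absent.
    if command -v ssh-vulnkey >/dev/null 2>&1; then
        ssh-vulnkey -a 2>/dev/null | grep -i 'COMPROMISED' | sed 's/^/[!] weak key: /'
    fi
}

# --- constructed sample input so the script runs stand-alone ---
tmp=${TMPDIR:-/tmp}/sshd_audit_example.$$
cat > "$tmp" <<'EOF'
# constructed sshd_config fragment (not from any real host)
Port 22
Protocol 2,1
PermitRootLogin yes
EOF
# "3.5" below is a placeholder threshold, not a release named in the thread.
audit_sshd "$tmp" "OpenSSH_3.4p1 Debian 1:3.4p1-1" "3.5"
rm -f "$tmp"
```

On a real host you would call `audit_sshd /etc/ssh/sshd_config "$(ssh -V 2>&1)" <fixed-release>`; the version check is deliberately coarse (major.minor) because vendors backport fixes, so a finding from it means "read the advisory for this package", not "vulnerable".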


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss