HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You - CHECK YOUR VERSIONS

Lisa Kachold lisakachold at obnosis.com
Thu Oct 30 08:38:46 MST 2008


SSH Exploits are currently available in various forms:

1) General Stack Based exploits.  Also called Boundary Protection BOE's.  Check your version.
Most older versions have been fixed:
http://secunia.com/advisories/search/?search=ssh+buffer+overflow

2) Protocol 1 exploits. (Check your Version) configure /etc/ssh/sshd_config to use Protocol 2.

3) Kerberos exploits - authentication when compiled against various insecure Kerberos. Check your version; these affect older versions of SSH or unpatched systems.
Description of exploit: http://kerneltrap.org/node/160

4) Random PRNG entropy SSL/SSH - announced in 2006 by a team of university students, this problem with random number generation allows the attacker to guess the key generation and affected nearly all versions of SSL/SSH - including routers/switches/firewalls and custom mail applications.
Debian/Ubuntu descriptions from CERT:
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
http://www.ubuntu.com/usn/usn-612-5
http://www.ubuntu.com/usn/usn-612-6
http://www.kb.cert.org/vuls/id/925211

5) Challenge and Response - allows escalated privileges upon overflow of the buffer:
Description and versions affected:

http://www.juniper.net/security/auto/vulnerabilities/vuln5093.html

Example Script that exploits SSH challenge response [see no die there then the overflow payload?]:

http://www.milw0rm.org/exploits/6804

BlackHat Training:

http://www.blackhat.com/html/bh-europe-07/train-bh-eu-07-ss-el.html

Metasploit (comes setup on BackTrack) includes a few examples for SSH exploit training:

http://www.metasploit.com/ 

NOTE: This information has been intentionally obfuscated using intellectualism to filter out the less evolved crackers in favor of providing security tools to responsible professionals systems hackers [<sic> builders troubleshooters and ethical users].  

http://wapedia.mobi/en/Obnosis |  http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
> Date: Thu, 30 Oct 2008 00:49:53 -0700
> From: PLUGd at LuftHans.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: Re: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You
> 
> Am 30. Okt, 2008 schwätzte Lisa Kachold so:
> 
> > SSH buffer overflow exploit - season to taste:
> > http://www.milw0rm.org/exploits/6804
> 
> Looks like this one is exploiting after authenticating as root. I presume
> the idea is that you could auth as someone else and still get root access.
> 
> my $user = "root";
> my $pass = "yahh";
> 
> $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
> 
> Was a die left out?
> 
> $ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
> 
> > History:
> >
> > OpenSSH Challenge Response Buffer Overflow: http://www.securityfocus.com/bid/5093
> >
> > 				Report 2001 - updated last Nov 05 2007 02:45PM
> > Other boundary exploits, kerberos, auth and encryption  exploits and overflows exist making encroachment via SSH trivial.
> 
> It's been almost a year since the update with no update on the update :(.
> 
> Everybody was too busy reacting to the debian problem?
> 
> ###
> **UPDATE: One of these issues is trivially exploitable and is still
> present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been
> confirmed, administrators are advised to implement the OpenSSH
> privilege-separation feature as a workaround.
> ###
> 
> I'd think the OpenBSD guys would have denied or confirmed this.
> 
> /me switches back to telnet.  ;-)
> 
> ciao,
> 
> der.hans
> -- 
> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
> #  "If I want my children to work hard, I better be the hardest working
> #  person they've ever met. If I want the children to be nice, I better
> #  be the kindest human being they've ever met." -- Rafe Esquith
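Item 2 in the list above (force Protocol 2 in /etc/ssh/sshd_config) and the privilege-separation workaround quoted in the reply both come down to two keywords in sshd_config. The checker below is an added example, not code from the original post; the two configurations are constructed samples, and the parser assumes sshd's rule that the first occurrence of a keyword wins and that nothing after a Match line applies globally.

```python
"""Audit an sshd_config for the two settings discussed in this thread:
Protocol (must be 2 only) and UsePrivilegeSeparation (must not be 'no')."""
import re

# Constructed sample: still offers SSH protocol 1 and has privsep disabled.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
protocol 2,1
UsePrivilegeSeparation no
"""

# Constructed sample of the corrected settings.
HARDENED_CONFIG = """\
Port 22
Protocol 2
UsePrivilegeSeparation yes
"""


def parse_sshd_config(text):
    """Return {keyword: value}, keeping only the FIRST occurrence of each
    keyword (sshd ignores later duplicates). Keywords are case-insensitive,
    'Keyword=value' is accepted, comments are stripped, and parsing stops at
    the first Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    proto = cfg.get("protocol")
    if proto is None:
        findings.append("Protocol not set explicitly; confirm this build defaults to 2 only")
    elif {v.strip() for v in proto.split(",")} != {"2"}:
        findings.append(f"Protocol {proto}: SSH protocol 1 is still offered; set 'Protocol 2'")
    if cfg.get("useprivilegeseparation", "").lower() in ("no", "false"):
        findings.append("UsePrivilegeSeparation no: the privilege-separation workaround is disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Run it against a live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a Match block with per-user settings does not affect the two global checks here.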
