Exploits in SSH

Post by Nibz » Wed, 23 Aug 2000 04:00:00



Was wondering if anyone knew of anywhere I could find some information on
any exploits in SSH.  Even an older version if possible.

n8

 
 
 


Post by Richard E. Silverm » Thu, 24 Aug 2000 04:00:00


    Nibz> Was wondering if anyone knew of anywhere I could find some
    Nibz> information on any exploits in SSH.  Even an older version if
    Nibz> possible.

A good place to start would be well-known security archive and reporting
sites, such as:

 www.cert.com
 www.core-sdi.com
 www.securityfocus.com (Bugtraq archives)

Just search for "SSH".

--
  Richard Silverman


 
 
 


Post by User » Thu, 24 Aug 2000 04:00:00




>Was wondering if anyone knew of anywhere I could find some information on
>any exploits in SSH.  Even an older version if possible.

Hack the source perhaps?  If you find any exploits on the horizon
PLEASE leave a message here after the beep/tone.  Open source
community would be glad to get back to you.  Thank you.
 
 
 


Post by User » Thu, 24 Aug 2000 04:00:00





>>Was wondering if anyone knew of anywhere I could find some information on
>>any exploits in SSH.  Even an older version if possible.

>Hack the source perhaps?  If you find any exploits on the horizon
>PLEASE leave a message here after the beep/tone.  Open source
>community would be glad to get back to you.  Thank you.

Also, most so-called security watch sites are pretty laggard.
They often "discover" exploits after OpenBSD / OpenSSH community
has fixed "bugs" which turn out to be (sometimes tragic) exploits
in other OSes.
 
 
 


Post by N8 » Fri, 25 Aug 2000 04:00:00


Thank you for your valuable help Mr. System Analyst.  I ask the whole world
to forgive me for my lack of knowledge coupled with my desire to learn.  I
thank you for your concern over my time.  I'm sure that you will be happy to
learn that I AM going to college, and that my question was in regard to a
project I am working on.  It's nice to know that those who have passed their
early years starting out still remember what it was like finding information
before someone let you know where it would help to look, and that you still
have time to take out of your busy schedules to politely reply to our
requests for aid.

Sincerely yours,
n8


> > Was wondering if anyone knew of anywhere I could find some information on
> > any exploits in SSH.  Even an older version if possible.

> Perhaps you've been clueless enough to not even know where exploits
> for this and that and the other are generally available.

> Or maybe the search engine on that site is too difficult for you to
> use.

> Spend your time on something more worthwhile. Like, go to college.

> --
> Atro Tossavainen (Mr.)        | The Institute of Biotechnology at the
> Systems Analyst               | University of Helsinki, Finland, employs
> +358-9-19158939               | me, but my opinions are my own.
> <URL:http://www.iki.fi/atro.tossavainen/>

 
 
 


Post by N8 » Fri, 25 Aug 2000 04:00:00


Thanks a lot
n8



>     Nibz> Was wondering if anyone knew of anywhere I could find some
>     Nibz> information on any exploits in SSH.  Even an older version if
>     Nibz> possible.

> A good place to start would be well-known security archive and reporting
> sites, such as:

>  www.cert.com
>  www.core-sdi.com
>  www.securityfocus.com (Bugtraq archives)

> Just search for "SSH".

> --
>   Richard Silverman


 
 
 

1. SSH CRC-32 Compensation Attack Detector Vulnerability actively exploited

Yesterday we noticed that one of our computers
was hacked. After a long analysis of all
vulnerabilities we believe that the attacker
probably used the SSH CRC-32 Compensation Attack
Detector Vulnerability (CVE CAN-2001-0144, see
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3...)
to break into the system.

In /var/log/warn you could find the following
entries:

Aug 28 14:08:52 xxxxx sshd[16404]: fatal: Local:Corrupted check bytes on input.
Aug 28 14:09:29 xxxxx sshd[16431]: fatal: Local:crc32 compensation attack: network attack detected
...
Aug 28 14:11:40 xxxxx sshd[16504]: fatal: Local: crc32 compensation attack: network attack detected

At 14:14:25 the attackers already used a DuaKit
Program to install Dua-trojans on the affected
system so a successful attack against sshd is the
most probable explanation because other entries in
the log-files are missing. We could prove that
other vulnerable services like ftpd were not used.
Besides their use was restricted by TCP-wrappers
while other perhaps vulnerable services like httpd,
POP3 were completely absent.
Unfortunately access to sshd wasn't restricted.

As far as I know this is the first occurrence of a
successful attack of this kind in the wild
although exploits like
http://planeta.clix.pt/bsphere/ssh-exploit.txt
were published before.

Several other hosts were discovered here later,
that were apparently hacked by this exploit, too.
All hacked systems were running Suse 6.2, 6.3 and
7.1 and up to OpenSSH_2.3.0p1.

I will try to get further information about the
tool that was used for this attack.
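
The log pattern described in the post above can be searched for mechanically. The following is an added example, not part of the original post: it scans syslog text for the two sshd fatal messages quoted there and reports hosts that logged a burst of them. The sample log, host names, the 5-minute window, the threshold of 3 and the default year are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the post (hosts, PIDs, address are made up).
SAMPLE_LOG = """\
Aug 28 14:08:52 hostA sshd[16404]: fatal: Local:Corrupted check bytes on input.
Aug 28 14:09:29 hostA sshd[16431]: fatal: Local:crc32 compensation attack: network attack detected
Aug 28 14:10:03 hostA sshd[16460]: fatal: Local: crc32 compensation attack: network attack detected
Aug 28 14:11:40 hostA sshd[16504]: fatal: Local: crc32 compensation attack: network attack detected
Aug 28 18:30:00 hostB sshd[2001]: fatal: Local: Corrupted check bytes on input.
Aug 28 18:31:00 hostB sshd[2002]: Accepted password for alice from 192.0.2.10 port 1022
"""

# Tolerates the optional space after "Local:" seen in the quoted entries.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"fatal: Local:\s*(?P<msg>crc32 compensation attack|Corrupted check bytes)",
    re.IGNORECASE)

def parse(text, year=2000):
    """Yield (timestamp, host, pid, message); syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], int(m["pid"]), m["msg"].lower()

def find_bursts(text, window=timedelta(minutes=5), threshold=3, year=2000):
    """Return {host: (first_ts, last_ts, count)} for the densest burst per host."""
    per_host = defaultdict(list)
    for ts, host, _pid, _msg in parse(text, year):
        per_host[host].append(ts)
    bursts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(host, (None, None, 0))[2]:
                bursts[host] = (stamps[start], stamps[end], count)
    return bursts

if __name__ == "__main__":
    for host, (first, last, n) in find_bursts(SAMPLE_LOG).items():
        print(f"{host}: {n} sshd fatals between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A hit only shows that sshd's detector fired repeatedly; as in the post, it has to be correlated with later activity on the host before drawing conclusions.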
