The trojaned ssh client is nothing new to the hacker community, and the statement in the previous thread claiming "This type of man-in-the-middle attack (trojaned ssh) is not theoretical anymore, and password authentication is broken." is an example of how many people still think "hacking" is something very difficult and that nothing short of a genius is required to make the transition from theoretical to practical. It is probably the media's fault that these misconceptions are so widely spread. In this case it is just a matter of extending the program to do a small task besides the regular tasks (i.e. to save all passwords entered in a file). The patch is probably about 10 to 15 lines of code, and was done in 10 minutes. Not that the cracker would have to have written it himself - there have been patches for ssh backdoors in wide circulation since ssh came out. "Password authentication" has probably been "broken" since it was first introduced. I am quite sure that the hackers back at M.I.T. knew how to trojan their telnet clients. But I digress.

The reason for this post is something mentioned in the apache.org statement: "The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges."

Trojaned ssh clients are nothing new. But what about this "weakness" in the daemon that was used to gain root privileges? What is it about? Has it been fixed in later versions? Is it remotely exploitable (it doesn't sound likely, as then the cracker wouldn't have gone through the trouble of sniffing a valid password on sourceforge - unless this particular hole requires a valid user/password pair)?
Basically what I'd like to know is: What version of the OpenSSH daemon would I need to run in order NOT to be vulnerable to this "weakness"?

nuuB
On Sat, Jun 02, 2001 at 02:26:38AM -0700, nuuB wrote:
> Trojaned ssh clients are nothing new. But what about this "weakness" in the
> daemon that was used to gain root privileges? What is it about? Has it been
> fixed in later versions? Is it remotely exploitable (it doesn't sound likely, as
> then the cracker wouldn't have gone through the trouble of sniffing a valid
> password on sourceforge - unless this particular hole requires a valid
> user/password pair)?
>
> Basically what I'd like to know is: What version of the OpenSSH daemon would I
> need to run in order NOT to be vulnerable to this "weakness"?

Sounds like ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:30.openssh.asc

Kris
>> Basically what I'd like to know is: What version of the OpenSSH daemon
>> would I need to run in order NOT to be vulnerable to this "weakness"?
>
> Sounds like
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:30.openssh.asc

No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org reportedly ran "OpenSSH 2.2". But doing a bit more digging I found http://www.securityfocus.com/templates/advisory.html?id=3087 "Remote vulnerability in SSH daemon crc32 compensation attack detector". This wasn't fixed until 2.3.0. This hole requires quite a lot of constants to be correct, and having local access makes this easier. This could explain why it wasn't exploited remotely on apache.org (though it could have been).

obOpenSSH: Anyhow, the fact that I had missed this hole completely has given me a new perspective. Normally I try to keep on top of all security holes in products I use. But for the past 6 months I haven't been reading bugtraq (the main source for such information). I find the SNR way too low these days. It's annoying to see an advisory on product X, then like 10 advisories on the same subject from a bunch of vendors (mostly Linux ones...) that ship product X. So I left bugtraq and instead relied on my vendor's (Redhat) ability to issue proper updates (yeah I know, stupid, but I thought it better than doing nothing). It appears they haven't issued a bulletin for this problem (even though they ship OpenSSH 2.1.1 in RH 7.0). They did issue http://www.redhat.com/support/errata/RHSA-2001-041.html which fixes two other (much less serious) problems. It also happens to fix the above CRC attack, but it isn't mentioned in Redhat's bulletin (and I doubt they knew about it). I don't upgrade things unless there is a problem that affects me (wise from previous updates where new problems of course snuck in with the upgrade). The two minor things mentioned didn't affect me, so I didn't upgrade.
So here I am, 2 Jun, with a root hole that was announced on Feb 8. Almost 4 months with an open root hole. Gives me a real warm'n'fuzzy.... NOT. The only thing making me feel better is that the exploitation is quite far from ./hack with the public exploit. Ah well. I guess it's back to bugtraq, and more time wasted weeding through the junk to find the good bits... Sorry about the rant.

nuuB
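A defender-side inventory check for the version question discussed above, added here as an example and not part of the thread: it parses the identification banner sshd sends on connect and flags OpenSSH builds older than 2.3.0, the release the thread identifies as the first fix for the crc32 compensation attack detector bug. The banners below are constructed samples; the verdict is based on the banner only, so a vendor build with a backported fix (like the Redhat erratum mentioned above) can still report an older version and needs its changelog checked.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First OpenSSH release the thread identifies as fixed for the crc32
# compensation attack detector bug.
CRC32_FIX_VERSION = (2, 3, 0)

# Constructed sample banners in the "SSH-<proto>-<software> [comments]"
# form that sshd sends as its identification string.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.2.0",         # version apache.org reportedly ran
    "SSH-1.99-OpenSSH_2.1.1",         # version shipped in RH 7.0 per the thread
    "SSH-1.99-OpenSSH_2.3.0p1",       # first fixed release
    "SSH-2.0-OpenSSH_2.9p1 Debian",   # later build with a comment field
    "SSH-2.0-dropbear_2020.81",       # not OpenSSH, so no verdict
]

# Matches the OpenSSH software version; the patch level ("p1") is ignored.
_BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSH banner, or None if it
    is not an OpenSSH identification string."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def crc32_bug_status(banner: str) -> str:
    """Classify a banner as 'vulnerable' (older than the fix release),
    'fixed', or 'unknown' (not OpenSSH). Banner-only: vendor builds with
    backported fixes may still report an old version."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < CRC32_FIX_VERSION else "fixed"


def audit(banners: Iterable[str]) -> Dict[str, str]:
    """Map each banner to its status so a fleet inventory can be reviewed."""
    return {b: crc32_bug_status(b) for b in banners}


if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS).items():
        print(f"{status:10s} {banner}")
```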
>> No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org
>> reportedly ran "OpenSSH 2.2".
>
> apache.org never had an insecure ssh, someone knew a password for an
> account and used that.
>
> Wichert.

Not if their issued statement reflects what actually happened: "The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, [- here comes the important bit -] the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges." I.e. they only used an account to get local (non-root) access. The point here was that after they had local access they rooted the box using "a weakness" in the ssh server. I'm assuming this weakness is the CRC attack detector bug mentioned previously in this thread. The released exploit requires a lot of constants to be correct, and finding them requires that you have more than half a clue and some time to spare. If the sshd binary was readable, or came from a known distribution, it would be quite feasible to find the constants required. Bruteforcing some of the constants is also quite fast with local access, and due to the nature of the bug the server crashes before any logging takes place (unless sshd was configured to log more than normal).

nuuB