
Archive: November 2001 ml@sikurezza.org
Subject: About ssh bugs
From: Sala Massimiliano
Date: 29 Nov 2001 18:45:28 -0000

Hi everyone. I am attaching this post from a security mailing list. I think it is interesting.

Bye,
Massimiliano

If it is not a hoax, this is the announcement

------------------------------------------------------------------------------------

List: openssh-unix-dev
Subject: Possible root-exploit in openssh?
From: Fredrik Hultkrantz <fjutt@blink.se>
Date: 2001-11-28 15:47:07

Hello...

I am a student at Göteborgs university who is the system administrator in one of the student clubs here. We run about 10 computers with one server. Mainly linux and all run openssh. We have closed telnet so only ssh-connections are allowed.

Last night I got a mail from one of the system administrators at Göteborgs university saying that there was a possible root exploit in all openssh versions from 2.9.9p2 and below. Shortly after this the university closed all connections using port 22 (that is how serious they think it is), effectively making all the machines I am responsible for unable to log on to from the outside.

They have looked at the exploit and I'll try to sum it up here.

-----------------------

The program is 1.2 MB and is crypted. It gives you a root shell but doesn't seem to do anything stupid. 1.2 MB is a lot of data though...

Using strace/truss/gdb etc doesn't result in anything useful so it is a bit hard to say what it really is doing.

They have confirmed that: Fsecure 1.2.xx 2.x.xx 3.0.x and Openssh 1.x 2.9p1 2.9.9p2 are vulnerable. Openssh 3.0.1p1 doesn't seem to be vulnerable though.

It is called x2 (at least by the people I have talked to).

It doesn't seem to be the crc-bu but more something in the line of a buffer overrun during the handshake.

How to run it?

x2 -t1 ip port
x2 -t2 ip port
x2 -t3 ip port

If it asks for a password just: cat key.txt

---------------------------

I have searched all the mailing lists but have not been able to find anything linked to this (if I missed something please redirect me).

All the data above is NOT tested by me but by other people at the university.

I have the exploit (I have not tested it myself though) and can send it for further testing to you if you ask me.

Is this a known exploit? Do I miss something?

If I did something wrong mailing this mail don't be offended and please tell me how to correct it (it is my first post to this mailing-list).

Thanks a lot for a great program

Fjutt

_______________________________________________
Secadmin mailing list
Secadmin@unipi.it
http://listmanager.unipi.it/mailman/listinfo/secadmin
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005