[ale] OpenSSH
Keith R. Watson
keith.watson at gtri.gatech.edu
Thu Feb 7 10:23:18 EST 2002
At 01:29 PM 2/6/2002 -0600, Jason Lynn wrote:
>Just wondering if anyone else has had their SSH scanned lately. I've had
>mine scanned five or six times over the last few days (unusually high
>activity). I'm guessing that there is a new exploit out there. If anyone
>has any information on this, please share! Here's a clip from one entry
>in my logs:
>Feb 5 07:40:08 squirtle sshd[31238]: scanned from 213.67.71.29 with
>SSH-1.0-SSH_Version_Mapper. Don't panic.
>Thanks,
>
>Jason
Jason,
There is a hole in SSH. For the full text of the following CIACT Bulletin see:
http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml
keith
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
TECHNICAL BULLETIN
Understanding the SSH CRC32 Exploit
December 20, 2001 19:00 GMT Number CIACTech02-001
______________________________________________________________________________
PROBLEM: In recent months, many servers running ssh have been
compromised using the SSH CRC32 Compensation Attack Detector.
Compromised machines have either not been upgraded to SSH
protocol 2 or have not disabled drop back to SSH protocol 1.
Use of this attack allows a remote user to gain root access on a server.
PLATFORM: Any server running SSH protocol 1 or SSH protocol 2 configured
to drop back to protocol 1.
ABSTRACT: This technical bulletin describes the SSH CRC32 Compensation
Attack Detector vulnerability and the operation of an exploit
code that attacks that vulnerability. It discusses detecting
the version of sshd that a system is running and how to
differentiate between different versions.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml
OTHER LINKS:
CIAC Bulletin L-047 OpenSSH SSH1 Coding Error and Server Key Vulnerability
http://www.ciac.org/ciac/bulletins/l-047.shtml
CIAC Bulletin M-017 Multiple SSH Version 1 Vulnerabilities
http://www.ciac.org/ciac/bulletins/m-017.shtml
Michal Zalewski's Bindview Bulletin
http://razor.bindview.com/publish/advisories/adv_ssh1
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
______________________________________________________________________________
-------------
Keith R. Watson GTRI/AIST
Systems Support Specialist III Georgia Tech Research Institute
keith.watson at gtri.gatech.edu Atlanta, GA 30332-0816
404-894-0836
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
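Added example, not part of the original message or the CIAC bulletin: a small Python audit helper that sorts collected sshd identification strings by the bulletin's PLATFORM line (protocol 1, or protocol 2 that drops back to 1) and pulls the source address and client string out of a scan entry like the one Jason quoted. The function names and sample banners are hypothetical; reading "1.99" as "protocol 2 that still accepts protocol 1" is the SSH identification-string convention, not something stated on this page.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
# Log format taken from the sshd entry quoted in the post above.
SCAN_RE = re.compile(r"sshd\[\d+\]: scanned from (\S+) with (SSH-\S+?)\.\s")

def classify_ident(ident):
    """Map a server identification string to its protocol 1 exposure."""
    m = IDENT_RE.match(ident.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "v2-with-v1-fallback"  # protocol 2 server that still accepts protocol 1
    if major == 1:
        return "v1-only"
    if major == 2:
        return "v2-only"
    return "unknown"

def needs_attention(banners):
    """Return the hosts that match the bulletin's PLATFORM line, sorted."""
    exposed = {"v1-only", "v2-with-v1-fallback"}
    return sorted(h for h, b in banners.items() if classify_ident(b) in exposed)

def parse_scan_entry(line):
    """Extract (source address, client identification) from a scan log entry."""
    m = SCAN_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

# Constructed sample banners (hosts use documentation addresses).
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-1.5-1.2.27",
    "192.0.2.11": "SSH-1.99-OpenSSH_2.9p2",
    "192.0.2.12": "SSH-2.0-OpenSSH_3.0.2p1",
    "192.0.2.13": "220 mail ESMTP",  # not an SSH service
}
# Log entry from the post, with the wrapped line rejoined.
SAMPLE_LOG = ("Feb 5 07:40:08 squirtle sshd[31238]: scanned from 213.67.71.29 "
              "with SSH-1.0-SSH_Version_Mapper. Don't panic.")

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, classify_ident(banner))
    print("review:", needs_attention(SAMPLE_BANNERS))
    print("scanner:", parse_scan_entry(SAMPLE_LOG))
```

A host reported as v2-only has protocol 1 fallback disabled at the banner level; the software version after the second dash still has to be checked against the bulletins linked above.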