Yup,
for those who aren't subscribed to Bugtraq, here's a Bugtraq-posting by Niels
Provos, who wrote a nice little tool called scanssh. As its name suggests,
scanssh is a ssh protocol scanner which helps to identify the version of
running ssh demons/servers.
It was quite helpful for me in the last couple of weeks when I had to do
clean-ups after some successful ssh-crc32 attacks...
Have fun,
Boris Lorenz
---
-------------------------cut-here----------------------------
List-Id:
List-Post: mailto:bugtraq@securityfocus.com
List-Help: mailto:bugtraq-help@securityfocus.com
List-Unsubscribe: mailto:bugtraq-unsubscribe@securityfocus.com
List-Subscribe: mailto:bugtraq-subscribe@securityfocus.com
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 1887 invoked from network); 3 Dec 2001 20:54:47 -0000
Date: Mon, 03 Dec 2001 15:53:22 -0500
Message-Id: <20011203205322.DE8D9207C1@citi.umich.edu>
X-UIDL: f4cb1e56db2796beec50ed2ecad30598
XFMstatus: 0000
Sender: provos@citi.umich.edu
From: Niels Provos
To: bugtraq@securityfocus.com
Subject: SSH Vulnerability Scan
SSH Vulnerability Scan
Vulnerability to CRC32 compensation attack detector exploit
-----------------------------------------------------------
In February 2001, Razor Bindview released their "Remote vulnerability
in SSH daemon crc32 compensation attack detector" advisory, which
outlined a gaping hole in deployed SSH servers that can lead to a
remote attacker gaining privileged access:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
In November 2001, Dave Dittrich published a detailed analysis of the
"CRC32 compensation attack detector exploit." This exploit is
currently widely in use. CERT released Incident Note IN-2001-12:
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.cert.org/incident_notes/IN-2001-12.html
At the Center for Information Technology Integration, Niels Provos and
Peter Honeyman have been scanning the University of Michigan for
vulnerable SSH server software to identify and update vulnerable SSH
servers:
http://www.citi.umich.edu/ssh/
However, scans of the Internet show that system and security
administrators must react and update their SSH servers:
http://www.citi.umich.edu/u/provos/ssh/crc32s.png
At this writing, over 30% of all SSH servers appear to have the
CRC32 bug.
A simple solution is to remove support for Version One of the SSH
protocol. The majority of servers on the Internet support the SSH v2
protocol.
To test whether your network has vulnerable SSH servers, you might
use the ScanSSH tool:
http://www.monkey.org/~provos/scanssh/
References:
"ScanSSH - Scanning the Internet for SSH Servers",
Niels Provos and Peter Honeyman, 16th USENIX Systems Administration
Conference (LISA). San Diego, CA, December 2001.
http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf
This information is also available at
http://www.citi.umich.edu/u/provos/ssh/
-------------------------cut-here----------------------------