Hi list,
According to some entries in BugTraq and statements here, there is an sshex binary out there, to attack sshd up to 3.x.
Where to get the attackers' weapon, to play with it and understand their game?
Michael Appeldorn
The ssh site (www.ssh.com) states that the attacks that everyone is referring to were all on machines still running SSH1 compatibility (not too smart, that), and that versions not running ssh1 compatibility should not be vulnerable. As I haven't had a chance to look at the exploit yet, I don't know if that info is current. Can anyone confirm that the new exploit is for ssh1 only?
Stefan

Michael Appeldorn wrote:
> Hi list,
> According to some entries in BugTraq and statements here, there is an sshex binary out there, to attack sshd up to 3.x.
> Where to get the attackers' weapon, to play with it and understand their game?
> Michael Appeldorn
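A configuration check that follows from Stefan's point, added here as an example and not part of the thread: it reports whether an sshd configuration still permits SSH-1 connections, for both OpenSSH (sshd_config, Protocol directive) and the ssh.com ssh2 daemon (sshd2_config, Ssh1Compatibility directive). The treatment of an absent Protocol directive as "2,1" and the Ssh1Compatibility keyword and its default are assumptions about releases contemporary with the thread, not facts stated on the page; the sample configs are constructed.

```python
"""Audit an sshd configuration for SSH-1 compatibility (added example)."""
import re

# Assumption: OpenSSH releases contemporary with this thread enabled both
# protocol versions when no Protocol directive was present, so an absent
# (or commented-out) directive is treated as "2,1", i.e. not safe.
OPENSSH_DEFAULT_PROTOCOL = "2,1"


def parse_directives(text):
    """Return {keyword_lower: value} from a config file body.

    Comments and blank lines are ignored; the first occurrence of a
    keyword wins, which is the OpenSSH rule for duplicate directives.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def ssh1_enabled(text, flavour):
    """True if the config still allows SSH-1 clients to connect.

    flavour is "openssh" (sshd_config) or "ssh2" (ssh.com sshd2_config).
    """
    d = parse_directives(text)
    if flavour == "openssh":
        protocol = d.get("protocol", OPENSSH_DEFAULT_PROTOCOL)
        return "1" in [p.strip() for p in protocol.split(",")]
    if flavour == "ssh2":
        # Assumption: sshd2_config uses "Ssh1Compatibility yes|no"; an
        # absent directive is treated as "no" here, but confirm the
        # shipped default of your release before trusting that.
        return d.get("ssh1compatibility", "no").lower() == "yes"
    raise ValueError("unknown flavour: %s" % flavour)


# Constructed sample configurations (not taken from the thread).
OPENSSH_WEAK = "Port 22\n# Protocol 2\nPermitRootLogin no\n"  # falls back to 2,1
OPENSSH_FIXED = "Port 22\nProtocol 2\nPermitRootLogin no\n"
SSH2_WEAK = "Port 22\nSsh1Compatibility yes\n"
SSH2_FIXED = "Port 22\nSsh1Compatibility no\n"


def audit():
    """Run the check over the samples; True means SSH-1 is still reachable."""
    return {"openssh_weak": ssh1_enabled(OPENSSH_WEAK, "openssh"),
            "openssh_fixed": ssh1_enabled(OPENSSH_FIXED, "openssh"),
            "ssh2_weak": ssh1_enabled(SSH2_WEAK, "ssh2"),
            "ssh2_fixed": ssh1_enabled(SSH2_FIXED, "ssh2")}
```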
Stefan, please refer to the thread "New SSH bug?", started by Ben Rosenberg yesterday on suse-sec. I also posted the info you found on ssh.com, but now I'm not sure anymore; ssh.com's publication is from the 25th of February, and addresses a news broadcast of Finnish TV. From what I gather, this publication is directed to the ssh1 crc32 compensation attack exploit, although they don't refer to this particular vuln. John Compton posted this on SecurityFocus's vuln-dev mailing list: http://online.securityfocus.com/archive/82/258238 For me, this sounds like a vuln of the official ssh2 implementation (look at the output of the sshex/7350ylonen exploit)... :(
From my investigations concerning the new ssh vuln, here is what I know (or think I know):
- The exploit apparently is directed towards ssh2 implementations
- The official file/app name of the exploit seems to be 7350ylonen (side note: Tatu Ylonen is the founder of ssh Finland), although several sources refer to it as "sshex"
- It exploits at least three (?) holes in the ssh2 protocol
- 7350ylonen/sshex seems to stem from Teso's web site, a well-known security/hacking group/resource. The source of the exploit (which should not have been published) has been leaked (side note: read "7350" in cracker-/kiddie-style; you will read "teso", just like "31337" means "eleet", blah, blubb... :) )
So far, I haven't managed to track down the exploit - this will be a tough one, I guess. Let's see - I will repost as soon as there is any news.
Perhaps Roman has some more info...?
Chakka! :)
Boris
participants (3)
- Boris Lorenz
- Michael Appeldorn
- Stefan Suurmeijer