Mailinglist Archive: opensuse-security (465 mails)

ssh crc 32 compensation attack - update
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Tue, 04 Dec 2001 16:54:36 +0100 (CET)
  • Message-id: <XFMail.011204165436.bolo@xxxxxxx>
Yup,

for those who aren't subscribed to Bugtraq, here's a Bugtraq-posting by Niels
Provos, who wrote a nice little tool called scanssh. As its name suggests,
scanssh is an ssh protocol scanner which helps to identify the version of
running ssh daemons/servers.

It was quite helpful for me in the last couple of weeks when I had to do
clean-ups after some successful ssh-crc32 attacks...

Have fun,

Boris Lorenz <bolo@xxxxxxx>
---

-------------------------cut-here----------------------------

List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 1887 invoked from network); 3 Dec 2001 20:54:47 -0000
Date: Mon, 03 Dec 2001 15:53:22 -0500
Message-Id: <20011203205322.DE8D9207C1@xxxxxxxxxxxxxx>
X-UIDL: f4cb1e56db2796beec50ed2ecad30598
XFMstatus: 0000
Sender: provos@xxxxxxxxxxxxxx
From: Niels Provos <provos@xxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SSH Vulnerability Scan

SSH Vulnerability Scan
Vulnerability to CRC32 compensation attack detector exploit
-----------------------------------------------------------

In February 2001, Razor Bindview released their "Remote vulnerability
in SSH daemon crc32 compensation attack detector" advisory, which
outlined a gaping hole in deployed SSH servers that can lead to a
remote attacker gaining privileged access:

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

In November 2001, Dave Dittrich published a detailed analysis of the
"CRC32 compensation attack detector exploit." This exploit is
currently widely in use. CERT released Incident Note IN-2001-12:

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.cert.org/incident_notes/IN-2001-12.html

At the Center for Information Technology Integration, Niels Provos and
Peter Honeyman have been scanning the University of Michigan for
vulnerable SSH server software to identify and update vulnerable SSH
servers:

http://www.citi.umich.edu/ssh/

However, scans of the Internet show that system and security
administrators must react and update their SSH servers:

http://www.citi.umich.edu/u/provos/ssh/crc32s.png

At this writing, over 30% of all SSH servers appear to have the
CRC32 bug.

A simple solution is to remove support for Version One of the SSH
protocol. The majority of servers on the Internet support the SSH v2
protocol.

To test whether your network has vulnerable SSH servers, you might
use the ScanSSH tool:

http://www.monkey.org/~provos/scanssh/

References:

"ScanSSH - Scanning the Internet for SSH Servers",
Niels Provos and Peter Honeyman, 16th USENIX Systems Administration
Conference (LISA). San Diego, CA, December 2001.
http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf

This information is also available at

http://www.citi.umich.edu/u/provos/ssh/

-------------------------cut-here----------------------------
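As an added illustration of the banner-based check that the forwarded post recommends (this is not scanssh's code and not from either poster): a small Python parser for the SSH identification string a server sends on connect, a classifier that reads the advertised protocol version (1.99 means SSH-1 and SSH-2, other 1.x means SSH-1 only, 2.x means SSH-2 only), and an audit helper whose banner-fetching callable can be swapped out so the whole thing runs on constructed sample banners without touching a network. The host names and banners below are made up.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SshIdent:
    """Fields of an SSH identification string: SSH-protoversion-softwareversion [comments]."""
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ssh_banner(line: bytes) -> SshIdent:
    """Parse one identification line as sent by the server when a client connects."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    # Comments, if any, follow the first space; the mandatory part has exactly two dashes.
    head, _, comments = text.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed identification string: %r" % text)
    return SshIdent(parts[1], parts[2], comments or None)


def classify(ident: SshIdent) -> str:
    """Map the advertised protocol version to the protocol generations the server speaks.

    1.99 is the conventional value for a server that accepts both SSH-1 and SSH-2;
    any other 1.x value is SSH-1 only; 2.x is SSH-2 only.
    """
    if ident.protoversion == "1.99":
        return "ssh1+ssh2"
    if ident.protoversion.startswith("1."):
        return "ssh1-only"
    if ident.protoversion.startswith("2."):
        return "ssh2-only"
    return "unknown"


def supports_ssh1(ident: SshIdent) -> bool:
    """True when the server still accepts protocol version 1 (the post's criterion)."""
    return classify(ident) in ("ssh1-only", "ssh1+ssh2")


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> bytes:
    """Read the identification line from a live server.

    RFC 4253 section 4.2 lets a server send other lines before the version string,
    so skip a bounded number of non-matching lines before giving up.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        stream = sock.makefile("rb")
        for _ in range(20):
            line = stream.readline()
            if not line:
                break
            if line.startswith(b"SSH-"):
                return line
    raise ConnectionError("no SSH identification string from %s:%d" % (host, port))


def audit_hosts(hosts: List[str], fetch: Callable[[str], bytes] = grab_banner) -> Dict[str, str]:
    """Classify each host; 'fetch' is injectable so the audit can run on canned banners."""
    report: Dict[str, str] = {}
    for host in hosts:
        try:
            report[host] = classify(parse_ssh_banner(fetch(host)))
        except (OSError, ValueError) as exc:
            report[host] = "error: %s" % exc
    return report


# Constructed sample banners (not captured from real hosts) standing in for a network fetch.
SAMPLE_BANNERS: Dict[str, bytes] = {
    "host-a.example": b"SSH-1.99-OpenSSH_2.9p2\r\n",   # speaks SSH-1 and SSH-2
    "host-b.example": b"SSH-2.0-OpenSSH_3.0.2p1\r\n",  # SSH-2 only
    "host-c.example": b"SSH-1.5-1.2.27\n",             # SSH-1 only
    "host-d.example": b"220 not an ssh server\r\n",    # something else on the port
}


def sample_audit() -> Dict[str, str]:
    """Run the audit over the constructed banners instead of live hosts."""
    return audit_hosts(list(SAMPLE_BANNERS), fetch=lambda h: SAMPLE_BANNERS[h])


if __name__ == "__main__":
    for host, verdict in sample_audit().items():
        print("%-16s %s" % (host, verdict))
```

Advertising protocol 1 is exactly what the post's "simple solution" removes; on OpenSSH of that era the sshd_config directive `Protocol 2` does it. Note the caveat: this check tells you which servers still speak SSH-1, not which builds carry the crc32 detector bug itself; scanssh answers the second question by matching the software-version field against known releases, which this example does not attempt.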
