
SSH server 0-day exploit - sucuri2
http://isc.sans.org/diary.html?storyid=6742
======
randallsquared
What are the chances that the exploit is actually in 5.x, and the "anti-sec
movement" is doing some social engineering to get people to upgrade to the
affected versions?

~~~
aarongough
My thoughts exactly... If I had an exploit that only worked on the latest
versions and I wanted to make use of it I would likely try a scheme like this.

Of course if this is the case then the exploit is likely to be used
aggressively sometime in the near future...

------
jlangenauer
I just had a browse through my auth.log, and there does seem to be a new sort
of automated attack script in the wild - it opens a connection to SSH port 22,
(through some spoofed IP address), but then disconnects before attempting to
login. That way, it won't show up as an unsuccessful login attempt for any
log-monitoring tools which add its IP address to hosts.deny.

However, after it's done that repeatedly (presumably doing some sort of
sniffing to work out exactly which version of sshd is running), it then
attempts to login. Here's the interesting bit: when it tries to login with a
user that doesn't exist, instead of just generating the

    "Invalid user test from xx.xx.xx.xx" log entry,

sshd also outputs another log entry, directly afterwards:

    "input_userauth_request: invalid user test"

which I haven't seen before. I'm not particularly au fait with the internals
of sshd, but I would suspect that this new (well, if it is new) script has
found an exploit in the part of SSHD which (logically) checks if a user exists
first, but the login is being rejected deeper in sshd, when it tries to do the
actual authentication.

(All the above is speculation, however: I'm no expert on SSH)
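The two-phase pattern described above (connections dropped before any login, then an attempt against a non-existent user) can be picked out of auth.log by correlating the entries per source address rather than counting failed logins alone. The following is an added example, not code from the thread; the log excerpt is constructed, and "Did not receive identification string" is the message sshd writes when a client connects and disconnects before sending its banner.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not real traffic) showing the sequence the
# comment describes: repeated connects that drop before authenticating, then
# an attempt against a non-existent user that yields the paired
# "Invalid user" / "input_userauth_request" entries.
SAMPLE_LOG = """\
Jul  4 10:01:02 host sshd[1201]: Did not receive identification string from 203.0.113.5
Jul  4 10:01:40 host sshd[1205]: Did not receive identification string from 203.0.113.5
Jul  4 10:02:15 host sshd[1209]: Did not receive identification string from 203.0.113.5
Jul  4 10:05:00 host sshd[1240]: Invalid user test from 203.0.113.5
Jul  4 10:05:00 host sshd[1240]: input_userauth_request: invalid user test
Jul  4 10:05:03 host sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 4321 ssh2
Jul  4 10:30:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Logged when a client connects and closes before sending its version banner;
# no login is attempted, so failed-login watchers never see it.
PREAUTH_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
USERAUTH_RE = re.compile(r"^input_userauth_request: invalid user (?P<user>\S+)")

def scan_auth_log(text, min_probes=3):
    """Per-IP counts plus the IPs that probed >= min_probes times before an
    invalid-user attempt; also pairs the two log entries via the sshd pid."""
    probes = defaultdict(int)   # ip -> pre-auth disconnects
    invalid = defaultdict(int)  # ip -> invalid-user attempts
    pending = {}                # pid -> (ip, user) awaiting the second entry
    paired = []                 # (ip, user) where both entries were seen
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        p = PREAUTH_RE.match(msg)
        i = INVALID_RE.match(msg)
        u = USERAUTH_RE.match(msg)
        if p:
            probes[p.group("ip")] += 1
        elif i:
            invalid[i.group("ip")] += 1
            pending[pid] = (i.group("ip"), i.group("user"))
        elif u and pid in pending and pending[pid][1] == u.group("user"):
            paired.append(pending.pop(pid))
    suspicious = sorted(ip for ip in invalid if probes.get(ip, 0) >= min_probes)
    return {"probes": dict(probes), "invalid": dict(invalid),
            "paired": paired, "suspicious": suspicious}
```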

~~~
tedunangst
If the IP is spoofed, how are your reply packets getting back to it?

~~~
jlangenauer
Spoofed is probably the wrong word - through an irrelevant IP address is a
better way to put it (perhaps someone's compromised computer on a botnet acting
as a proxy).

------
dryicerx
For the time being, it would also be a good idea to move the ssh port to
something other than 22 to avoid getting carpet-bombed by automated exploiting
scripts.

~~~
lanaer
That is always a good idea, anyway. Been a long while since I’ve used the
standard ssh port on servers under my control.

~~~
buugs
I don't understand why people don't do this; it is so much harder, if not
impossible, for people to break into your server by normal means, especially
when you add MaxAuthTries 3.

~~~
jrockway
I am pretty sure that 0-day remote exploits don't respect MaxAuthTries.

~~~
lanaer
So long as the exploit doesn’t require multiple login attempts at all (which I
assume it wouldn’t) yeah. MaxAuthTries protects against other things.

------
timmaah
Question along these lines. What version should an updated RHEL4 server have?

I'm only at OpenSSH_3.9p1 yet up2date says everything is up to date.

~~~
SwellJoe
So, just in case anyone is confused about RHEL packaging policy: The version
stays the same for the life of the release; patches are applied to that
version to fix security and stability issues.

Our forums see tons of questions about this, with folks assuming that because
they have an "old" version of PHP or Apache or whatever, that it has known
security vulnerabilities. When, in reality, an RHEL released package is
probably at least as well-vetted for security as the latest release from
upstream.

But, in this case, since there is no known exploit (and it is possibly
fictional), there's nothing vendors can possibly do about the problem. I
suppose vendors could have been quietly notified of the problem, and we'd
start seeing new releases rolling out; but you'd see errata on the relevant
vendors website. Asking random folks on HN wouldn't be the best course of
action for reliable answers.

Anyway, OpenSSH.org has nothing on the subject.

------
palsecam
First, it is only a _rumour_ for now.

Second, it would apparently only concern old versions of OpenSSH. Quoting the
link: " _It is against an older version of OpenSSH_ " (OpenSSH_4.3).

~~~
martinp
What they mean by "older version" isn't specified anywhere. It could mean not
current for all we know, e.g. < 5.2 (unlikely though). Almost none of the
popular distros use the latest version, will be interesting to see which ones
are affected.

~~~
palsecam
For the version information, I quote <http://secer.org/hacktools/0day-openssh-remote-exploit.html>.

The submitted link seems to copy/paste most of its content from this article,
but it didn't include the version information.

------
soundsop
Could the exploit actually be on newer versions of ssh? If so, this could be
an attempt to get people to upgrade so that more machines can be compromised.

------
chez17
>members of the anti-sec movement.

Can someone tell me what the anti-sec movement is?

~~~
henning
Sounds like a bunch of script kiddies with a little more brains than usual and
just as much malice.

~~~
mahmud
Antisec are hackers who don't wanna profit from fear.

~~~
henning
"Hackers" as in asshole douchebags who wish medical ailments on people? "We at
anti-sec, hope you never heal"

~~~
mahmud
At least they have credibility. These guys are sticking to their guns and
keeping the hacking underground just that, underground. Anti-sec is a response
to the fear-mongering era of 1998 - 2004 when every hanger-on wannabe computer
guy became a security researcher and started publishing "advisories". Between
the dotcom bubble era and 9/11, everybody was a security guy, and not only that,
but the "security guy" was pointing the finger at the hacker community
every time a script kiddie defaced a geocities web page. Most of those sec guys
are snake-oil salesmen and absolutely deserve no sympathy from me. If they're
gonna bad-mouth hackers and promise protection to everyone with a PC (Sec
industry essentially being a racket) I say let them protect themselves from
the real Hackers; by and large, they're out-gunned and out-skilled.

Anti-sec doesn't go after civilians, by the way.

~~~
dkarl
_Anti-sec doesn't go after civilians, by the way._

Let me guess, if I have a job and a computer I'm not a civilian, right?

~~~
mahmud
Not if you're using that computer to publish security articles that tell
people their lives are at risk if they don't buy your product to protect
themselves from the "evil hackers".

It's a very specific feud between two specific groups of people.

If you're not in the know, why not lurk in the scene a bit and see what's
going on? I did just that; I was curious about security and I saw both sides
of the issue. One group publishes exploits and carries out mayhem for fun,
while the other group repeats what the former said in legit, paid publications
and calls the former names.

Even the train-robbers vs bounty-hunters analogy fails in this case; there are
way too many Joe Sixpacks fancying themselves a town sheriff and speaking ill
of Jesse James. Very soon, some faces are bound to get smashed at the local
Saloon :-P

~~~
dkarl
_using that computer to publish security articles that tell people their lives
are at risk if they don't buy your product to protect themselves from the
"evil hackers"_

That's the most bizarre definition of "not a civilian" I've ever heard.

Furthermore, I don't trust anyone's definition of "fun" if it means "mayhem"
on my boxes, and I don't trust any hackers to tell the difference between
funmeisters and for-profit thugs when, for example, having a jolly fun chat
about vulnerabilities. The idea that _I_ could lurk in the scene doesn't
exactly make me feel better about it.

 _One group publishes exploits and carries out mayhem for fun_

I thought dtf and utnick said they want to keep exploits secret? So do they
share the exploits in "the underground" and try to keep them secret from
stodgy, above-ground types? Again, I don't trust them to distinguish between
"cool" people and (e.g.) botnet operators who send v1@gr@!!! email for
spammers.

------
sucuri2
Some info here:

<http://secer.org/hacktools/0day-openssh-remote-exploit.html>

~~~
est
from here <http://baoz.net/0day-openssh-remote-exploit/>

------
Erwin
Your sshd is probably configured with tcp wrappers (My RHEL4/5 were). If you
only log in from a known set of static IPs, you could add in /etc/hosts.deny:

    sshd: IP1 IP2 .domain.com

The .domain.com allows any IP which reverses to .domain.com.

I ran:

    grep Accepted /var/log/secure*|grep ssh2|perl -lne '/for (\S+) from (\S+)/ && print "$1 $2"'|sort -u

To find all IPs/users that logged in.

This may give you trouble if you SSH from e.g. some mobile connection or from
random wifis around the world.
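The grep/perl pipeline above, redone as an added example (not code from the thread) that also assembles the TCP wrappers lines from the result. The log excerpt is constructed. One point worth keeping in mind: tcpd consults /etc/hosts.allow before /etc/hosts.deny, so the list of known sources belongs in hosts.allow with a catch-all `sshd: ALL` in hosts.deny.

```python
import re

# Constructed /var/log/secure excerpt (not from any real host).
SAMPLE_SECURE = """\
Jul  4 09:00:01 host sshd[2001]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Jul  4 09:10:44 host sshd[2010]: Accepted password for bob from 192.0.2.33 port 41200 ssh2
Jul  4 09:15:02 host sshd[2020]: Accepted publickey for alice from 198.51.100.7 port 50031 ssh2
Jul  4 09:20:10 host sshd[2030]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Jul  4 09:25:00 host sshd[2040]: Accepted publickey for carol from 192.0.2.33 port 41300 ssh2
"""

# Same fields the perl one-liner captures: the user after "for" and the
# address after "from", restricted to successful ssh2 logins.
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")

def accepted_logins(text):
    """Sorted unique (user, ip) pairs, i.e. what `... | sort -u` prints."""
    pairs = set()
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            pairs.add((m.group("user"), m.group("ip")))
    return sorted(pairs)

def wrapper_rules(pairs, domains=()):
    """Build the two TCP wrappers lines: known source addresses (plus any
    ".domain.com" suffixes, matched by reverse lookup) in hosts.allow, and
    a catch-all refusal in hosts.deny. hosts.allow is checked first."""
    ips = sorted({ip for _, ip in pairs})
    allow = "sshd: " + " ".join(ips + list(domains))
    return {"hosts.allow": allow, "hosts.deny": "sshd: ALL"}
```

Review the pairs before installing the rules; a login from a mobile or hotel network that you still need would otherwise be locked out.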

------
tedunangst
Original source: [http://marc.info/?l=full-disclosure&m=124669956508903...](http://marc.info/?l=full-disclosure&m=124669956508903&w=2)

------
lil_cain
Depends how much older. Does it affect debian/ubuntu/redhat current systems,
with fixes backported? It's a pretty big deal if it does.

~~~
jacquesm
SSH: SSH-2.0-OpenSSH_4.3

The newest releases use 5.1

~~~
palsecam
Yes, the latest Debian stable release (5.0 "Lenny") uses SSH 5.1.

    $ cat /etc/debian_version
    5.0.2
    $ ssh -v
    OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

------
mcav
If it's fixed in the latest OpenSSH, it's not a 0-day exploit, is it?

~~~
sucuri2
Technically it is a 0-day exploit (not published and unknown) but that only
works on older versions of SSH.

However, the default versions on RHEL and Fedora are vulnerable. So, it is a big
issue if there is no patch from your distribution (unless you use ssh from
source, which is not common).

------
skwaddar
The monoculture has an invader, adapt or die.

------
bsaunder
The latest release is 5.2.

------
miracle
If it's true, then it's time to migrate the applications to windows servers.
First the private/public key fiasco with debian, and then this...

