From: dolan at unt.edu (Patrick Dolan)
Subject: Re: new openssh exploit in the wild! *isFAKE AS SH@!*

Well if you look at the rule, you can see that all it's looking for is a few 
x86 NOOP commands in a row.  It doesn't really have anything to do with an 
old CRC32 exploit.


On Friday 19 September 2003 10:38 am, Brian Dinello wrote:
> All:
>
> Just to add to the readily growing list of stupid things this "exploit"
> does, it set off my Snort IDS when attemping to root my test box.  Looks
> like it _may_ actually incorporate some shell code in a REALLY old CRC32
> overflow from 2001.  Here's the CVE link, if anyone's interested:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
>
> And the snort sig that it hit:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
> overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90
> 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347;
> reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326;
> rev:3;)
>
> And the systems that it _may_ be able to affect/infect:
> Affected Systems:
>     OpenSSH versions prior to 2.2
>     Multiple Cisco network devices
>     Multiple Netscreen network devices
>     SSH Secure Communications prior to 1.2.31
>
> Needless to say, I doubt anyone will soon be reporting any instances of
> this piece of code actually doing anything to a remote host.
>
> Brian Dinello, CISSP
>
>
>
>
> -----Original Message-----
> From: Adam Balogh [mailto:adam@...tnet.net]
> Posted At: Friday, September 19, 2003 8:59 AM
> Posted To: Full Disclosure
> Conversation: [Full-Disclosure] Re: new openssh exploit in the wild!
> *isFAKE AS SH@!*
> Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild!
> *isFAKE AS SH@!*
>
>
> Probably a scriptkiddie or some random idiot. The fun part was it came
> up totally different offsets then i mean TOTALLY different each time you
> ran it and if you gave it a offset it would "work" no matter what. For
> those people who ran it.. change all your
> passwords. :)
>
> /Adam
>
> Vitaly Osipov wrote:
>
> On Fri, 2003-09-19 at 14:21, V.O. wrote:
> > Yeah, I missed the fact that after "calculating" the offset it starts
> > to "exploit" in the same way as if it was given an offset as a
> > parameter. Anyway, I simply wanted to note that whoever posted it here
> >
> > was either knowingly lying about its purpose or not having a clue
> > about UNIX at all :)
> >
> > W.
> >
> >
> > ----- Original Message -----
> > From: "Adam Balogh" <adam@...tnet.net>
> > To: "Full Disclosure" <full-disclosure@...sys.com>
> > Sent: Friday, September 19, 2003 9:47 PM
> > Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *
>
> isFAKE
>
> > AS SH@!*
> >
> > > Vitaly Osipov wrote:
> > > > which is obviously not true. Btw as far as I understand, the
> > > > troyan code
> >
> > is triggered when
> >
> > > > the "exploit" is run with the offset specified, and not in a
> >
> > "bruteforcing" mode.
> >
> > > > W.
> > >
> > > Me and my friend tried to run it on a lab-box thats not connected
> > > directly to internet and doesnt relay mails. It doesn't use that
> > > special offset as a trigger. We got so many "sys3" accounts in
> > > /etc/passwd as many times we ran it plus those outgoing-mails que'd.
> > >
> > > /Adam Balogh
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Patrick Dolan
UNT Computing and Information Technology Center

PGP ID: E5571154
Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0  6F8D B13B 2456 E557 1154

Powered by blists - more mailing lists