lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 24 May 2008 10:36:15 +0200
From: Alexander Klink <a.klink@...ops.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Identify weak Debian OpenSSL clients in SSH DH
	key exchange

Hi,

Everybody keeps talking about changing your keys and updating OpenSSL,
but this is not the only issue with the Debian/OpenSSL debacle. Consider
that someone has sniffed your SSH traffic (say at a securit conference?).
If either a compromised server or client were involved, you have got
a problem as the Diffie-Hellmann key exchange at the start of the
SSH session can now be broken. This means that all the data (passwords,
SSH tunnel anyone?) can now be considered compromised if you are
reasonably paranoid.

I've written a script that helps you to identify these weak Diffie-Hellmann
key exchanges in an SSH session and released it at EuSecWest 2008.
The script reads in a PCAP file, looks at the group parameters sent by
the server and at the g^x sent by the client and tries to solve the
discrete logarithm by doing test-exponentiations with the 2^16 x's that
are/were available on a vulnerable Debian system.

As for vulnerable servers, the 2^16 are not enough as they keep on
running and generate new pseudo-random numbers (generated from the one
predictable seed, though). A version that is still to come will use
a database of precomputed exponentiations to check the files thus being
a lot faster. This would allow us to compute the exponentiations for say
the first few thousand iterations for each PID, too (I wonder which
value would be enough here?) ...

I guess it would be useful if the script could decrypt the SSH session
if it has found a hit and save it in a new PCAP file, but unfortunately
the crazy german laws do not allow me to write/publish something like
this. If you live in a country with better laws and can write/publish a
patch, that would be good ...

You can find the script at
http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2

Cheers,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink@...ops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ