Message-ID: <6E4E9A51D91C044F9879FD72389600F73602A6@new_iron.vigilantminds.com>
From: brian.dinello at vigilantminds.com (Brian Dinello)
Subject: Re: new openssh exploit in the wild! *isFAKE AS SH@!*
All:
Just to add to the readily growing list of stupid things this "exploit"
does, it set off my Snort IDS when attempting to root my test box. Looks
like it _may_ actually incorporate some shell code in a REALLY old CRC32
overflow from 2001. Here's the CVE link, if anyone's interested:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
And the snort sig that it hit:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
And the systems that it _may_ be able to affect/infect:
Affected Systems:
OpenSSH versions prior to 2.2
Multiple Cisco network devices
Multiple Netscreen network devices
SSH Secure Communications prior to 1.2.31
Needless to say, I doubt anyone will soon be reporting any instances of
this piece of code actually doing anything to a remote host.
Brian Dinello, CISSP
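The sid:1326 rule above, applied to constructed packets: an added example in Python, not code from the post or from Snort, that decodes the rule's |hex| content notation and checks its protocol, destination port, flow direction and content match. It assumes a simplified packet record (proto, dport, to_server, payload) and ignores the $HOME_NET/$EXTERNAL_NET address variables.

```python
import re

SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 '
    'overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 '
    '90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; '
    'reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)'
)

def parse_content(content):
    """Decode a Snort content string: |..| runs are hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an option map."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for key, val in re.findall(r'(\w+):("[^"]*"|[^;]*);', body):
        opts.setdefault(key, []).append(val.strip('"'))
    return {"action": action, "proto": proto, "dport": dport,
            "flow": opts.get("flow", [""])[0].split(","),
            "content": [parse_content(c) for c in opts.get("content", [])],
            "sid": opts["sid"][0], "msg": opts["msg"][0]}

def rule_matches(rule, pkt):
    """pkt is a dict with proto, dport, to_server (bool) and payload (bytes)."""
    if pkt["proto"] != rule["proto"] or (
            rule["dport"] != "any" and pkt["dport"] != int(rule["dport"])):
        return False
    if "to_server" in rule["flow"] and not pkt["to_server"]:
        return False
    return all(c in pkt["payload"] for c in rule["content"])

def pkt(dport, payload, to_server=True):  # constructed record, not a capture
    return {"proto": "tcp", "dport": dport, "to_server": to_server, "payload": payload}
# Sample 1 carries the 0x90 run the fake exploit sends; 2 is an ordinary
# banner; 3 is one 0x90 short of the 16 the rule needs; 4 is not on port 22.
SAMPLES = {1: pkt(22, b"SSH-1.5-x\r\n" + b"\x90" * 24 + b"AAAA"),
           2: pkt(22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),
           3: pkt(22, b"\x90" * 15 + b"\x00"),
           4: pkt(80, b"\x90" * 24)}

def alerts():  # sample ids that fire the rule
    rule = parse_rule(SNORT_RULE)
    return sorted(i for i, p in SAMPLES.items() if rule_matches(rule, p))
```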
-----Original Message-----
From: Adam Balogh [mailto:adam@...tnet.net]
Posted At: Friday, September 19, 2003 8:59 AM
Posted To: Full Disclosure
Conversation: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
Probably a scriptkiddie or some random idiot. The fun part was it came
up with totally different offsets, and I mean TOTALLY different, each time
you ran it, and if you gave it an offset it would "work" no matter what.
For those people who ran it.. change all your passwords. :)
/Adam
Vitaly Osipov wrote:
On Fri, 2003-09-19 at 14:21, V.O. wrote:
> Yeah, I missed the fact that after "calculating" the offset it starts
> to "exploit" in the same way as if it was given an offset as a
> parameter. Anyway, I simply wanted to note that whoever posted it here
> was either knowingly lying about its purpose or not having a clue
> about UNIX at all :)
>
> W.
>
>
> ----- Original Message -----
> From: "Adam Balogh" <adam@...tnet.net>
> To: "Full Disclosure" <full-disclosure@...sys.com>
> Sent: Friday, September 19, 2003 9:47 PM
> Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
>
>
> > Vitaly Osipov wrote:
> > > which is obviously not true. Btw as far as I understand, the
> > > trojan code is triggered when the "exploit" is run with the offset
> > > specified, and not in a "bruteforcing" mode.
> > >
> > > W.
> >
> > Me and my friend tried to run it on a lab-box that's not connected
> > directly to the internet and doesn't relay mails. It doesn't use that
> > special offset as a trigger. We got as many "sys3" accounts in
> > /etc/passwd as the number of times we ran it, plus those outgoing mails queued.
> >
> > /Adam Balogh
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
>