lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+iRVeeDgXVwucw7WN3JBgQZu28OCGCrm+tWFhYi0303b5F30A@mail.gmail.com>
Date: Tue, 6 May 2014 19:04:44 -0400
From: Tyler Nighswander <tylerni7@...il.com>
To: debug@...soft.ltd.uk
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] OpenSSH Vulnerabilities

This is hilariously stupid. Anyone can come up with "proof" if all it takes
is printing a random SHA1 and running ls in some directories. Not to
mention the fact that the directory seems to report a total size smaller
than the sum of the files(???), and the exploit source code is apparently
over 250 kilobytes(!) long.

If someone actually had this exploit,
 1) They would probably sell it for more than $9000, and you would never
hear about it
 2) They would have already used it to make far money than they will by
doing this
 3) They could have a real POC (run it against a high profile target so
people know it's legitimate, then try to sell it (not perfect, but would be
more believable than this))
 4) If they were trying to sell it, they would find a better way to
associate it with themselves than on pastebin. Otherwise someone else would
just copy paste the exact same thing, but change the email address and
wallet addresses.

If that still doesn't convince you... that's good. The exploit is totally
legitimate. In fact I am the original author (see below for proof). I'll
sell you the totally legit version of the exploit for just 15 BTC.

===== TOTALLY LEGIT ====
$ ls -lh
total 236K
-rw-rw-r-- 1 tyler tyler 29 April  236K 10:55 tylers_real_exploit.c
$ sha1sum tylers_real_exploit.c
d7faeb46f10ea6b7058a116043c1f0ce7a158c7f  tylers_real_exploit.c
$ gcc tylers_real_exploit.c -O3 -lcrypto -lopenbsd-compat -lssl -lssh -lpam
-o
tylers_real_exploit
$ ./tylers_real_exploit -u root -h google.com
[HAX IN PROGRESS]
[RETICULATING SPLINES]
[CHARGING FLUX CAPACITOR]
[HAX COMPLETE]
Welcome to Google's super secure servers and stuff!

root@...gle.com:~# id
uid=0(root) gid=0(root) groups=0(root)
root@...gle.com:~#
==== TOTALLY LEGIT ====


On Tue, May 6, 2014 at 6:08 PM, <devel@...soft.ltd.uk> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://pastebin.com/raw.?i=gjkivAf3
>
>
> - -- CUT --
> #exploit #openssh
>                 ░░░░░░                            ▓▓▓▓▓▓
>             ░░░░░░░░░░░                          ▓▓▓▓▓▓▓▓▓▓▓
>           ░░░░░░░░░░░░░                          ▓▓▓▓▓▓▓▓▓▓▓▓▓
>        ░░░░░░░░░░░░░░░░░                        ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>      ░░░░░░░░░░░░░░░░░░░                        ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>    ░░░░░░░░░░░░░░░░░░░░░░                      ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>  ░░░░░░░░░░░░░░░░░░░░░░░░░                    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
> ░░░░░░░░░░░░░░░░░░░░░░░░░█                    ▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
> ░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░  ▓▓▓▓▓▓▓▓▓▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>   ░░░░░░░░░░░░░░░░░░░░█████░░░░░░░░  ▓▓▓▓▓▓▓▓▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>    ░░░░░░░░░░░░░░░░░▓▓▓█████░░░░░░    ▓▓▓▓▓▓▒▒▒▒▒░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
>      ░░░░░░░░░░░░█▓▓▓▓████░░░░░░░      ▓▓▓▓▓▓▓▒▒▒▒░░░░▒▓▓▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░░░▓▓▓▓▓▓▓▓▓█░░░░░░          ▓▓▓▓▓▓▒░░░░░░░░▓▓▓▓▓▓▓▓▓▓
>         ░░░▓▓▓▓▓▓▓▓▓▓▓█░░░░░░              ▓▓▓▓▓▓▒░░░░░    ▓▓▓▓▓
>          ▓▓▓▓▓▓▓▓▓▓▓░░░░░░░                  ▓▓▓▓▓▓▓░░     ░░░▓
>           ▓▓▓▓▓▓▓╔════════════════════════════════════╕░░░░░▓▓
>         ░░░░░░░░░║    OpenSSH sshd - memory leak      │▓▓▓▓▓▓▓▓▓
>        ░░░░░░░░░░║              5.1-6.X               │▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░░░░░║       (priv8, still unfixed)       │▓▓▓▓▓▓▓▓▓▓▓
>       ░░░░░░░    ╙────────────────────────────────────┘    ▓▓▓▓▓▓▓
>
> u mad Heartbleed ? ...
>
> ====
> Release date: 04/30/2014
> Product: OpenSSH
> Vendor: http://www.openssh.com/
> CVE candidate number: CVE-2018-XXXX (maybe 2020+...)
> ====
>
> We found two years ago a memory disclosure vulnerability in the OpenSSH
> server
> which allows to remotely extract data from the sshd server's children
> processes
> memory zones.
>
> This vulnerability exploits a bad check on the network layer of the sshd
> server
> that we trigger to retrieve all children processes memory sections thereby
> allowing us to dump:
> - - system users hashes
> - - keys
> - - many random things ;)
>
> This exploit was tested on:
> - - SSH-2.0-OpenSSH_5.1p1 Debian-5
> - - SSH-2.0-OpenSSH_5.1p1 DragonFly-20080927
> - - SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
> - - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
> - - SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
> - - SSH-2.0-OpenSSH_6.1p1 Debian-4
> - - SSH-2.0-OpenSSH_6.2p2-hpn13v14 FreeBSD-openssh-portable-6.2.p2_3,1
> - - SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
> - - SSH-2.0-OpenSSH_6.4p1 FreeBSD-openssh-portable-6.4.p1,1
> - - SSH-2.0-OpenSSH_6.5p1 CentOS RHEL
> - - SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
> - - ... many more
>
> Enough bullshit, POC TIME !
>
> =====
>
> $> ls -lh
> total 227K
> drwxr-xr-x  2 vjn  vjn  4.0K Apr 30 01:53 .
> drwxrwxrwt 32 root root 4.0K Apr 30 01:53 ..
> - -rw-r--r--  1 vjn  vjn  236K Apr 30 01:53 icanhaze.c
>
> $ sha1sum icanhaze.c
> d7faeb46f10ea6b7058a116043c1f0ce7a158c7f  icanhaze.c
>
> $> gcc icanhaze.c -O3 -lcrypto -lopenbsd-compat -lssl -lssh -lpam -o
> icanhaze
> $> ./icanhaze
> +------------------------------+
> |  OpenSSH 5.1-6.X - infoleak  |
> | don't evar fuckin release it |
> +------------------------------+
>
> Usage: ./icanhaze [OPTIONS]
>     -h, --host <host>
>         Hostname or IP
>     -p, --port <port>
>         Port number (default: 22)
>     -d, --dump <dump_file>
>         Dump output file
>     -H, --hashes <hashes_file>
>         User hashes dump file (john)
>     -v, --verbose
>         Verbose mode
>     -D, --debug
>         Debug mode
>
> Supported architectures: x86, x86_64, armv7
> Supported operating systems: Linux, *BSD
>
> $> ./icanhaze -v -h 192.168.10.5 -p 22 -d output.dump -H
> +------------------------------+
> |  OpenSSH 5.1-6.X - infoleak  |
> | don't evar fuckin release it |
> +------------------------------+
> [I] - connecting to target 192.168.10.5 on port 22
> [I] - sshd banner: SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
> [I] - let magic happenz
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [W] - bad luck... retrying
> [I] - ____STAGE_1____: OK
> [I] - mode: x86_64
> [I] - pointerz fuckery
> [I] - ____STAGE_2____: OK
> [I] - fingerprinted child sectionz table
>     7f863100f000-7f8631010000
>     7f8631213000-7f8631214000
>     7f8631418000-7f8631419000
>     7f863161b000-7f863161c000
>     7f863181e000-7f863181f000
>     7f8631a22000-7f8631a23000
>     7f8631c68000-7f8631c69000
>     7f8631e6b000-7f8631e6c000
>     7f863206d000-7f863206e000
>     7f8632272000-7f8632273000
>     7f8632475000-7f8632476000
>     7f863267a000-7f863267b000
>     7f863287e000-7f863287f000
>     7f8632a80000-7f8632a81000
>     7f8632c82000-7f8632c83000
>     7f8632e84000-7f8632e85000
>     7f8633092000-7f8633093000
>     7f8633093000-7f863309f000
>     7f86332a4000-7f86332a5000
>     7f86334b0000-7f86334b1000
>     7f86336bb000-7f86336bc000
>     7f86338c3000-7f86338c4000
>     7f8633ad7000-7f8633ad8000
>     7f8633ad8000-7f8633ada000
>     7f8633cdd000-7f8633cde000
>     7f8633ee6000-7f8633ee7000
>     7f863410e000-7f863410f000
>     7f863410f000-7f8634110000
>     7f8634327000-7f8634328000
>     7f8634328000-7f863432c000
>     7f863452f000-7f8634530000
>     7f8634745000-7f8634746000
>     7f8634746000-7f8634748000
>     7f8634acc000-7f8634acd000
>     7f8634acd000-7f8634ad2000
>     7f8634cd5000-7f8634cd6000
>     7f8634fa8000-7f8634faa000
>     7f86351e7000-7f86351e9000
>     7f86353f1000-7f86353f2000
>     7f86353f2000-7f8635420000
>     7f8635636000-7f8635637000
>     7f8635839000-7f863583a000
>     7f8635a41000-7f8635a42000
>     7f8635e13000-7f8635e22000
>     7f8635e22000-7f8635e26000
>     7f8636044000-7f8636045000
>     7f8636045000-7f8636046000
>     7f8636253000-7f8636254000
>     7f863645d000-7f863645e000
>     7f863645e000-7f863645f000
>     7f863665c000-7f8636666000
>     7f863667c000-7f863667e000
>     7f863667f000-7f8636680000
>     7f8636680000-7f8636681000
>     7f863690b000-7f863690c000
>     7f863690c000-7f8636915000
>     7f86383de000-7f8638441000
>     7fff42400000-7fff42421000
> [I] - dumping (may take some time)
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................/
>     ................................-
> [I] - dump succeeded
> [I] - raw result hexdump:
> // cut
> 000ae5f0  00 00 00 00 00 00 00 00  11 10 00 00 00 00 00 00
> |................|
> 000ae600  4c 69 6e 75 78 20 64 65  62 69 61 6e 2d 6d 61 73  |Linux
> debian-mas|
> 000ae610  74 65 72 20 33 2e 31 31  2d 30 2e 62 70 6f 2e 32  |ter
> 3.11-0.bpo.2|
> 000ae620  2d 61 6d 64 36 34 20 23  31 20 53 4d 50 20 44 65  |-amd64 #1
> SMP De|
> 000ae630  62 69 61 6e 20 33 2e 31  31 2e 31 30 2d 31 7e 62  |bian
> 3.11.10-1~b|
> 000ae640  70 6f 37 30 2b 31 20 28  32 30 31 33 2d 31 32 2d  |po70+1
> (2013-12-|
> 000ae650  31 37 29 20 78 38 36 5f  36 34 0a 0a 54 68 65 20  |17)
> x86_64..The |
> 000ae660  70 72 6f 67 72 61 6d 73  20 69 6e 63 6c 75 64 65  |programs
> include|
> 000ae670  64 20 77 69 74 68 20 74  68 65 20 44 65 62 69 61  |d with the
> Debia|
> 000ae680  6e 20 47 4e 55 2f 4c 69  6e 75 78 20 73 79 73 74  |n GNU/Linux
> syst|
> 000ae690  65 6d 20 61 72 65 20 66  72 65 65 20 73 6f 66 74  |em are free
> soft|
> 000ae6a0  77 61 72 65 3b 0a 74 68  65 20 65 78 61 63 74 20  |ware;.the
> exact |
> 000ae6b0  64 69 73 74 72 69 62 75  74 69 6f 6e 20 74 65 72
> |distribution ter|
> // cut
> 000bcf10  63 68 61 72 6c 79 00 78  00 31 30 30 30 3a 31 30
> |charly.x.1000:10|
> 000bcf20  30 30 3a 43 68 61 72 6c  79 20 61 64 6d 69 6e 2c  |00:Charly
> admin,|
> 000bcf30  2c 2c 00 2f 68 6f 6d 65  2f 63 68 61 72 6c 79 00
> |,,./home/charly.|
> 000bcf40  2f 62 69 6e 2f 62 61 73  68 00 00 6f 65 00 2f 75
> |/bin/bash..oe./u|
> 000bcf50  73 72 2f 62 69 6e 2f 7a  73 68 00 00 73 65 00 00
> |sr/bin/zsh..se..|
> 000bcf60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> |................|
> // cut
> 000be690  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
> |................|
> 000be6a0  ff ff ff ff ff ff ff ff  63 68 61 72 6c 79 00 24
> |........charly.$|
> 000be6b0  36 24 6f 62 6f 67 44 58  78 79 24 73 34 4d 6b 55
> |6$obogDXxy$s4MkU|
> 000be6c0  4c 43 6b 4c 58 2e 66 55  41 35 76 63 70 53 2f 67
> |LCkLX.fUA5vcpS/g|
> 000be6d0  66 4f 30 65 6f 33 2e 42  47 45 48 56 43 4d 74 33
> |fO0eo3.BGEHVCMt3|
> 000be6e0  55 55 57 77 52 46 69 47  6b 7a 4d 52 48 78 53 64
> |UUWwRFiGkzMRHxSd|
> 000be6f0  53 47 45 4f 37 57 31 6a  34 69 64 55 2e 5a 55 55
> |SGEO7W1j4idU.ZUU|
> 000be700  77 62 30 6e 43 6a 44 63  46 64 77 36 32 6f 6c 59
> |wb0nCjDcFdw62olY|
> 000be710  2e 00 31 36 31 39 30 3a  30 3a 39 39 39 39 39 3a
> |..16190:0:99999:|
> 000be720  37 3a 3a 3a 00 00 00 00  00 00 00 00 00 00 00 00
> |7:::............|
> 000bf0c0  61 31 2d 39 36 2d 65 74  6d 40 6f 70 65 6e 73 73
> |a1-96-etm@...nss|
> 000bf0d0  68 2e 63 6f 6d 2c 68 6d  61 63 2d 6d 64 35 2d 39
> |h.com,hmac-md5-9|
> 000bf0e0  36 2d 65 74 6d 40 6f 70  65 6e 73 73 68 2e 63 6f
> |6-etm@...nssh.co|
> 000bf0f0  6d 2c 68 6d 61 63 2d 6d  64 35 2c 68 6d 61 63 2d
> |m,hmac-md5,hmac-|
> 000bf100  73 68 61 31 2c 75 6d 61  63 2d 36 34 40 6f 70 65
> |sha1,umac-64@...|
> 000bf110  6e 73 73 68 2e 63 6f 6d  2c 75 6d 61 63 2d 31 32
> |nssh.com,umac-12|
> 000bf120  38 40 6f 70 65 6e 73 73  68 2e 63 6f 6d 2c 68 6d
> |8@...nssh.com,hm|
> 000bf130  61 63 2d 73 68 61 32 2d  32 35 36 2c 68 6d 61 63
> |ac-sha2-256,hmac|
> // cut
> 0024db80  35 33 20 33 61 20 36 35  20 20 7c 4c 41 4e 47 55  |53 3a 65
> |LANGU|
> 0024db90  41 47 45 3d 65 6e 5f 55  53 3a 65 7c 0a 30 30 30
> |AGE=en_US:e|.000|
> // cut
> 002516d0  36 39 20 36 66 20 36 65  20 20 7c 65 73 73 69 6f  |69 6f 6e
> |essio|
> 002516e0  6e 29 3a 20 73 65 73 73  69 6f 6e 7c 0a 30 30 30  |n):
> session|.000|
> 002516f0  63 32 61 33 30 20 20 32  30 20 36 66 20 37 30 20  |c2a30  20
> 6f 70 |
> 00251700  36 35 20 36 65 20 36 35  20 36 34 20 32 30 20 20  |65 6e 65 64
> 20  |
> 00251710  36 36 20 36 66 20 37 32  20 32 30 20 37 35 20 37  |66 6f 72 20
> 75 7|
> 00251720  33 20 36 35 20 37 32 20  20 7c 20 6f 70 65 6e 65  |3 65 72  |
> opene|
> 00251730  64 20 66 6f 72 20 75 73  65 72 7c 0a 30 30 30 63  |d for
> user|.000c|
> // cut
> 00251770  20 36 34 20 33 64 20 20  7c 20 63 68 61 72 6c 79  | 64 3d  |
> charly|
> 00251780  20 62 79 20 28 75 69 64  3d 7c 0a 30 30 30 63 32  | by
> (uid=|.000c2|
> 00251790  61 35 30 20 20 33 30 20  32 39 20 30 30 20 30 30  |a50  30 29
> 00 00|
> [I] - System users hashes (1):
>
> charly:$6$obogDXxy$s4MkULCkLX.fUA5vcpS/gfO0eo3.BGEHVCMt3UUWwRFiGkzMRHxSdSGEO7W1j4idU.ZUUwb0nCjDcFdw62olY.:16190:0:99999:7:::
> [I] - Done, exiting...
>
> $>
>
> =====
> Since we detected few exploitations tentatives of this vulnerability
> through
> our honeypots network, we concluded that an other team / organization
> discovered it and decided to sell it.
> (Yes, we build honeypots rules for our exploits)
>
> We don't have access to exploit black markets and we are now happy to
> offering
> it for sale to you both black and white hats.
>
> == How to buy ==
> Send 66666.6 BC (Blackcoin) to BLkrmaoY7XQfUUCSCJfHGq8tTig5qJmZXT
> or
> 2000000 WC (Whitecoin) to Wbi8SqBjymeedtNwM9zhaSm3bMnZvgifR2
> or
> 20 BTC (Bitcoin) to 14PEL35LQf81oCvSPurhoyTSvosvtQT7u3
>
> then send your transaction ID by mail to olckrrii3@...nmailbox.org and
> we will
> send you the download link and password. (PGP recommended)
>
> icanhaze.c sha1:d7faeb46f10ea6b7058a116043c1f0ce7a158c7f
>
> Please note that we are busy and we will NOT answer to questions, social
> engineering tentatives or dumb comments. Price is non-negotiable.
> ==
>
> Some teraoctets of custom pintools and ASAN traces give us many other
> vulnerabities to dig and work to do, see you soon for some news about :
> - - BIND
> - - Nginx
> - - Apache HTTPd
>
> . 1\-5\61\-J\48/a \~£\3|2\D6\ %%!%}).
> R.
>
> - -- CUT --
>
> Can anyone verify this?
>
> - --
> ==
>
> Don Alexander
>
> It's a tough job, but some mug has to do it...
>
> RooSoft Ltd
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.15 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlNpXWgACgkQuipFNInZ6evZZACghN8Fd6ZIXaDtgnmxvcxpd+MG
> DpEAn3iM0XdhZIe4U2cMYI6XrniZ7iBH
> =ZxbR
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ