SSH Exploits are currently available in various forms:

1) General Stack Based exploits. Also called Boundary Protection BOEs. Check your version. Most older versions have been fixed:
http://secunia.com/advisories/search/?search=ssh+buffer+overflow

2) Protocol 1 exploits. (Check your Version.) Configure /etc/ssh/sshd_config to use Protocol 2.

3) Kerberos exploits - authentication when compiled against various insecure Kerberos. Check your version; these affect older versions of SSH or unpatched systems. Description of exploit:
http://kerneltrap.org/node/160

4) Random PRNG entropy SSL/SSH - announced in 2006 by a team of university students, this problem with random number generation allows the attacker to guess the key generation and affected nearly all versions of SSL/SSH - including routers/switches/firewalls and custom mail applications. Debian/Ubuntu descriptions from CERT:
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
http://www.ubuntu.com/usn/usn-612-5
http://www.ubuntu.com/usn/usn-612-6
http://www.kb.cert.org/vuls/id/925211

5) Challenge and Response - allows escalated privileges upon overflow of the buffer:
Description and versions affected:
http://www.juniper.net/security/auto/vulnerabilities/vuln5093.html
Example Script that exploits SSH challenge response [see no die there then the overflow payload?]:
http://www.milw0rm.org/exploits/6804
BlackHat Training:
http://www.blackhat.com/html/bh-europe-07/train-bh-eu-07-ss-el.html

Metasploit (comes set up on BackTrack) includes a few examples for SSH exploit training:
http://www.metasploit.com/

NOTE: This information has been intentionally obfuscated using intellectualism to filter out the less evolved crackers in favor of providing security tools to responsible professional systems hackers [builders, troubleshooters and ethical users].

http://wapedia.mobi/en/Obnosis | http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452

> Date: Thu, 30 Oct 2008 00:49:53 -0700
> From: PLUGd@LuftHans.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You
>
> On 30 Oct 2008, Lisa Kachold wrote:
>
> > SSH buffer overflow exploit - season to taste:
> > http://www.milw0rm.org/exploits/6804
>
> Looks like this one is exploiting after authenticating as root. I presume
> the idea is that you could auth as someone else and still get root access.
>
> my $user = "root";
> my $pass = "yahh";
>
> $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
>
> Was a die left out?
>
> $ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
>
> > History:
> >
> > OpenSSH Challenge Response Buffer Overflow: http://www.securityfocus.com/bid/5093
> >
> > Report 2001 - updated last Nov 05 2007 02:45PM
> > Other boundary exploits, kerberos, auth and encryption exploits and overflows exist making encroachment via SSH trivial.
>
> It's been almost a year since the update with no update on the update :(.
>
> Everybody was too busy reacting to the debian problem?
>
> ###
> **UPDATE: One of these issues is trivially exploitable and is still
> present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been
> confirmed, administrators are advised to implement the OpenSSH
> privilege-separation feature as a workaround.
> ###
>
> I'd think the OpenBSD guys would have denied or confirmed this.
>
> /me switches back to telnet. ;-)
>
> ciao,
>
> der.hans
> --
> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
> # "If I want my children to work hard, I better be the hardest working
> # person they've ever met. If I want the children to be nice, I better
> # be the kindest human being they've ever met."
> -- Rafe Esquith
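A defender-side check for the two sshd_config hardening points the thread raises (item 2's "use Protocol 2" and the quoted advisory's privilege-separation workaround), as an added example that is not part of either post. The parser follows sshd's first-occurrence-wins rule and stops at the first Match block; the ChallengeResponseAuthentication check and the "2,1" default for an unset Protocol are my assumptions about OpenSSH releases of that era, and the config text is constructed.

```python
import re

SAMPLE_CONFIG = """\
# constructed sample sshd_config, not taken from any real host
Port 22
Protocol 2,1
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
Match User backup
    Protocol 2
"""


def parse_sshd_config(text):
    """Global sshd_config keywords: case-insensitive, first occurrence wins,
    'Keyword value' or 'Keyword=value', comments stripped, Match section ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after Match is conditional, not global policy
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return the list of findings for the hardening points discussed above."""
    s = parse_sshd_config(text)
    findings = []
    # Item 2 of the post: protocol 1 must not be offered. An unset Protocol is
    # assumed to mean "2,1", the default of OpenSSH releases of that period.
    protocol = s.get("protocol", "2,1")
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append("Protocol 1 is enabled; set 'Protocol 2'")
    # Workaround quoted in the reply: privilege separation must stay on.
    if s.get("useprivilegeseparation", "yes").lower() == "no":
        findings.append("UsePrivilegeSeparation is 'no'; set it to 'yes'")
    # Assumption beyond the posts: item 5's attack surface is challenge-response
    # authentication, so report it when enabled (the default) for review.
    if s.get("challengeresponseauthentication", "yes").lower() == "yes":
        findings.append("ChallengeResponseAuthentication is 'yes'; set 'no' unless needed")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print(finding)
```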