SSH Exploits are currently available in various forms:
1) General Stack Based exploits. Also called Boundary Protection BOE's. Check your version.
Most older versions have been fixed:
http://secunia.com/advisories/search/?search=ssh+buffer+overflow
2) Protocol 1 exploits. (Check your Version) configure /etc/ssh/sshd_config to use Protocol 2.
3) Kerberos exploits - authentication when compiled against various insecure Kerberos. Check your version; these affect older versions of SSH or unpatched systems.
Description of exploit: http://kerneltrap.org/node/160
4) Random PRNG entropy SSL/SSH - announced in 2006 by a team of university students, this problem with random number generation allows the attacker to guess the key generation and affected nearly all versions of SSL/SSH - including routers/switches/firewalls and custom mail applications.
Debian/Ubuntu descriptions from CERT:
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
http://www.ubuntu.com/usn/usn-612-5
http://www.ubuntu.com/usn/usn-612-6
http://www.kb.cert.org/vuls/id/925211
5) Challenge and Response - allows escalated privileges upon overflow of the buffer:
Description and versions affected:
http://www.juniper.net/security/auto/vulnerabilities/vuln5093.html
Example Script that exploits SSH challenge response [see no die there then the overflow payload?]:
http://www.milw0rm.org/exploits/6804
BlackHat Training:
http://www.blackhat.com/html/bh-europe-07/train-bh-eu-07-ss-el.html
Metasploit (comes setup on BackTrack) includes a few examples for SSH exploit training:
http://www.metasploit.com/
NOTE: This information has been intentionally obfuscated using intellectualism to filter out the less evolved crackers in favor of providing security tools to responsible professionals systems hackers [<sic> builders troubleshooters and ethical users].
http://wapedia.mobi/en/Obnosis | http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
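Added example, not from the original message or any project: a small audit script for the two sshd_config settings the list above and the quoted advisory point at, "Protocol 2" (item 2) and the privilege-separation workaround. The sample configs are constructed; the keyword names are real sshd_config directives.

```python
"""Audit an sshd_config for 'Protocol 2' (no SSHv1) and
'UsePrivilegeSeparation yes'. sshd_config conventions followed here:
keywords are case-insensitive, '#' starts a comment, 'Key value' and
'Key=value' are both accepted, and sshd keeps the FIRST value given for a
keyword. Both keywords are global-only, so parsing stops at 'Match'."""
import re


def parse_sshd_config(text):
    """Return {lowercase keyword: first value seen} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":                     # Match blocks cannot hold these keywords
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    proto = cfg.get("protocol")
    if proto is None:
        findings.append("Protocol not set: the default depends on the OpenSSH "
                        "version, set 'Protocol 2' explicitly")
    elif "1" in [p.strip() for p in proto.split(",")]:
        findings.append("Protocol %s still offers SSHv1: set 'Protocol 2'" % proto)
    privsep = cfg.get("useprivilegeseparation")
    if privsep is None:
        findings.append("UsePrivilegeSeparation not set: set it to 'yes' explicitly")
    elif privsep.lower() not in ("yes", "sandbox"):   # 'sandbox' exists on newer releases
        findings.append("UsePrivilegeSeparation %s disables the workaround: set 'yes'" % privsep)
    return findings


# Constructed sample configs (not taken from any real host).
WEAK = "Port 22\nProtocol 2,1\nUsePrivilegeSeparation = no\nProtocol 2   # ignored: first value wins\n"
HARDENED = "Port 22\nProtocol 2\nUsePrivilegeSeparation yes\nMatch User backup\n    PasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```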
> Date: Thu, 30 Oct 2008 00:49:53 -0700
> From: PLUGd@LuftHans.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: HackFest Series: "Is it safe yet" or SSH Buffer Overflows and You
>
> On 30 Oct 2008, Lisa Kachold wrote:
>
> > SSH buffer overflow exploit - season to taste:
> > http://www.milw0rm.org/exploits/6804
>
> Looks like this one is exploiting after authenticating as root. I presume
> the idea is that you could auth as someone else and still get root access.
>
> my $user = "root";
> my $pass = "yahh";
>
> $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
>
> Was a die left out?
>
> $ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
>
> > History:
> >
> > OpenSSH Challenge Response Buffer Overflow: http://www.securityfocus.com/bid/5093
> >
> > Report 2001 - updated last Nov 05 2007 02:45PM
> > Other boundary exploits, kerberos, auth and encryption exploits and overflows exist making encroachment via SSH trivial.
>
> It's been almost a year since the update with no update on the update :(.
>
> Everybody was too busy reacting to the debian problem?
>
> ###
> **UPDATE: One of these issues is trivially exploitable and is still
> present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been
> confirmed, administrators are advised to implement the OpenSSH
> privilege-separation feature as a workaround.
> ###
>
> I'd think the OpenBSD guys would have denied or confirmed this.
>
> /me switches back to telnet. ;-)
>
> ciao,
>
> der.hans
> --
> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
> # "If I want my children to work hard, I better be the hardest working
> # person they've ever met. If I want the children to be nice, I better
> # be the kindest human being they've ever met." -- Rafe Esquith