RE: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
- From: "Brian Dinello" <brian.dinello@xxxxxxxxxxxxxxxxx>
- Date: Fri, 19 Sep 2003 11:38:24 -0400
Just to add to the readily growing list of stupid things this "exploit"
does, it set off my Snort IDS when attempting to root my test box. Looks
like it _may_ actually incorporate some shell code in a REALLY old CRC32
overflow from 2001. Here's the CVE link, if anyone's interested:
And the snort sig that it hit:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326;)
And the systems that it _may_ be able to affect/infect:
Affected Systems:
OpenSSH versions prior to 2.2
Multiple Cisco network devices
Multiple Netscreen network devices
SSH Secure Communications prior to 1.2.31
Needless to say, I doubt anyone will soon be reporting any instances of
this piece of code actually doing anything to a remote host.
Brian Dinello, CISSP
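As an added illustration of what the signature above actually checks (example code written for this page, not code from the post or from Snort), here is a small Python matcher that parses the rule's header and content: option and runs it over constructed sample packets; the packet dictionaries and the scan helper are assumptions of the example, not Snort internals.

```python
import re

# The Snort rule quoted in the post above, with its closing paren restored.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
    'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
    'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
    'classtype:shellcode-detect; sid:1326;)'
)

def parse_content(rule):
    """Turn the rule's content: option (text mixed with |hex| runs) into bytes."""
    m = re.search(r'content:"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content: option")
    out = bytearray()
    for i, chunk in enumerate(m.group(1).split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

def parse_header(rule):
    """Return (protocol, destination port) from the rule header (numeric port only)."""
    proto, _src, _sport, _arrow, _dst, dport = rule.split("(", 1)[0].split()[1:7]
    return proto, int(dport)

def rule_sid(rule):
    return int(re.search(r"sid:(\d+);", rule).group(1))

def rule_matches(rule, pkt):
    """pkt is a constructed dict with proto, dport, to_server and payload keys."""
    proto, dport = parse_header(rule)
    if pkt["proto"] != proto or pkt["dport"] != dport or not pkt["to_server"]:
        return False  # header and flow:to_server checks fail before any payload search
    return parse_content(rule) in pkt["payload"]

def scan(packets, rules=(SNORT_RULE,)):
    """Return (packet index, sid) for every hit, like the alert the post describes."""
    return [(i, rule_sid(r)) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

# Constructed sample traffic (not real captures): a NOP sled to port 22,
# the same bytes to port 80, and a benign SSH banner to port 22.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 22, "to_server": True, "payload": b"\x00\x00\x00\x28" + b"\x90" * 32},
    {"proto": "tcp", "dport": 80, "to_server": True, "payload": b"\x90" * 32},
    {"proto": "tcp", "dport": 22, "to_server": True, "payload": b"SSH-1.99-OpenSSH_2.1.1\r\n"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_PACKETS))  # [(0, 1326)]
```

Note that the rule only looks for sixteen consecutive 0x90 bytes towards port 22, so it fires on any NOP sled sent at an SSH server, whether or not the payload behind it could ever work against the target.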
-----Original Message-----
From: Adam Balogh [mailto:adam@xxxxxxxxxxx]
Posted At: Friday, September 19, 2003 8:59 AM
Posted To: Full Disclosure
Conversation: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
Probably a scriptkiddie or some random idiot. The fun part was it came
up with totally different offsets, then I mean TOTALLY different, each time you
ran it, and if you gave it an offset it would "work" no matter what. For
those people who ran it.. change all your passwords. :)
Vitaly Osipov wrote:
On Fri, 2003-09-19 at 14:21, V.O. wrote:
> Yeah, I missed the fact that after "calculating" the offset it starts
> to "exploit" in the same way as if it was given an offset as a
> parameter. Anyway, I simply wanted to note that whoever posted it here
> was either knowingly lying about its purpose or not having a clue
> about UNIX at all :)
> W.
> ----- Original Message -----
> From: "Adam Balogh" <adam@xxxxxxxxxxx>
> To: "Full Disclosure" <full-disclosure@xxxxxxxxxx>
> Sent: Friday, September 19, 2003 9:47 PM
> Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *
> AS SH@!*
> > Vitaly Osipov wrote:
> > > which is obviously not true. Btw as far as I understand, the
> > > trojan code is triggered when the "exploit" is run with the offset
> > > specified, and not in a "bruteforcing" mode.
> > >
> > > W.
> >
> > My friend and I tried to run it on a lab-box that's not connected
> > directly to internet and doesn't relay mails. It doesn't use that
> > special offset as a trigger. We got as many "sys3" accounts in
> > /etc/passwd as many times as we ran it, plus those outgoing mails queued.
> >
> > /Adam Balogh
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html