RE: Betr.: RE: [Full-Disclosure] Automated ssh scanning

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 08/26/04

  • Next message: Ron DuFresne: "RE: !SPAM! [Full-Disclosure] Automated ssh scanning" 
    To: "Pascal Zoutendijk" <Pascal.Zoutendijk@tbwa.nl>
Date: Thu, 26 Aug 2004 12:50:55 -0500

    It could be, but he said it was patched. I didn't run the test of
    course.

    I never said it was the kernel however, it could be a service running.
    And unknown does not equal zero-day. But the tool got root and he
    doesn't know how. That is the point. Kernel, old service, whatever. It
    would be nice to find it.

    -----Original Message-----
    From: Pascal Zoutendijk [mailto:Pascal.Zoutendijk@tbwa.nl]
    Sent: Thursday, August 26, 2004 12:15 PM
    To: Todd Towles
    Subject: Betr.: RE: [Full-Disclosure] Automated ssh scanning

    Hi,

    Maybe I missed a point, but everybody seems to be focussing now on
    whether the kernel is vulnerable from a non privileged account. Couldn't
    it simply be that he forgot an SSH patch which caused the exploit?

    >>> "Todd Towles" <toddtowles@brookshires.com> 26-08-04 18:03 >>>
    I agree, so we are looking at a unknown local exploit for woody or we
    are all missing something.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Tig
    Sent: Thursday, August 26, 2004 9:28 AM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Automated ssh scanning

    On Thu, 26 Aug 2004 09:08:15 -0500 (CDT) Ron DuFresne
    <dufresne@winternet.com> wrote:

    >
    >
    > the real thing this user most likely suffered from was the weak
    > account passwd double, guest:guest. Now, if the admin and other
    > account were setup with strong passwd's and this account was either
    > setup with a strong passwd or not setup at all might be a better test
    > of the stability of ssh and the debain setup in question.
    >
    > Thanks,
    >
    > Ron DuFresne
    >

    I think some people are not really reading or understanding what is
    going on. The box was a default install with one or two weak passwords
    for _user_ accounts and a _strong_ password for the root.

    Withing a short while, the root account was compromised, after the weak
    user account was broken. I suggest people re-read what Richard Verwayen
    has been saying (in German English, but still very readable :])

    Basically, if you have a weak password on a user account, your root
    account on a Debain box is screwed, other *nix distros maybe as well.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _____________________________________________________________________
    This message has been checked for all known viruses.

    _____________________________________________________________________
    This message has been checked for all known viruses.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Ron DuFresne: "RE: !SPAM! [Full-Disclosure] Automated ssh scanning"

    Relevant Pages
    • Quantcast