Re: How to exploit gain root of OpenSSL?



On Friday, 13 October 2006 17:06, 09sparky@xxxxxxxxx wrote:
> I am looking for a way to exploit (not DoS) and gain root, if possible, on
> an old version of OpenSSL. Nessus results are: The remote host seems to be
> running a version of OpenSSL which is older than 0.9.6k or 0.9.7c.
>
> Does anyone have any suggestions?
>
> Thanks,
> sparky

I have this one:
* openssl-too-open.c - OpenSSL remote exploit
* Spawns a nobody/apache shell on Apache, root on other servers.

openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
privileges of the server process (nobody when used against Apache,
root against other servers).

If you're interested, contact me off the list.
Cheers
--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
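The KEY_ARG overflow mentioned above is the SSLv2 CLIENT-MASTER-KEY bug (CVE-2002-0656, fixed in OpenSSL 0.9.6e / 0.9.7-beta3): the server copied a client-supplied number of KEY-ARG bytes into a fixed 8-byte session buffer. The following is an added, simplified model of that handling, placed here to show the bug class and the one-line check that removes it; it is not OpenSSL's source and not the openssl-too-open exploit. The `struct session` layout, the function and marker names, and the constructed message in `build_cmk` are assumptions for illustration; only the SSLv2 message layout and the 8-byte KEY-ARG limit are taken from the protocol.

```c
/* Model of the SSLv2 CLIENT-MASTER-KEY handling behind the OpenSSL
 * KEY_ARG overflow (CVE-2002-0656). Added illustration: simplified,
 * not OpenSSL's own code. Built for demonstration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSL2_MAX_KEY_ARG_LENGTH 8
#define SSL2_MT_CLIENT_MASTER_KEY 2
#define CMK_HEADER_LEN 10   /* type(1) cipher_kind(3) clear(2) enc(2) key_arg(2) */

/* Assumed stand-in for per-session state: the 8-byte KEY-ARG buffer
 * followed by other fields. In the real structure the bytes after
 * key_arg are live session data; here a marker makes an overwrite visible. */
struct session {
    uint8_t key_arg[SSL2_MAX_KEY_ARG_LENGTH];
    uint8_t key_arg_length;
    uint8_t marker[7];          /* expected to stay 0xAA */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed header and locate the KEY-ARG bytes. Returns 0 on success.
 * Both handlers share this; they differ only in whether keya is bounded. */
static int cmk_parse(const uint8_t *msg, size_t len, uint16_t *keya, const uint8_t **keyarg)
{
    if (len < CMK_HEADER_LEN || msg[0] != SSL2_MT_CLIENT_MASTER_KEY) return -1;
    uint16_t clear = rd16(msg + 4), enc = rd16(msg + 6);
    *keya = rd16(msg + 8);
    /* the three variable-length fields must fit inside the record received */
    if ((size_t)clear + enc + *keya > len - CMK_HEADER_LEN) return -1;
    *keyarg = msg + CMK_HEADER_LEN + clear + enc;
    return 0;
}

/* Pre-fix behaviour: the client-chosen key_arg length is trusted. */
int get_client_master_key_vulnerable(struct session *s, const uint8_t *msg, size_t len)
{
    uint16_t keya; const uint8_t *keyarg;
    if (cmk_parse(msg, len, &keya, &keyarg) < 0) return -1;
    s->key_arg_length = (uint8_t)keya;
    /* keya is bounded only by the record length, so anything above 8 runs
     * past key_arg into what follows it. The copy goes through the struct's
     * own address so that, for keya <= sizeof(*s), the model stays defined;
     * larger values overrun this struct exactly as the real bug overran its. */
    memcpy((uint8_t *)s + offsetof(struct session, key_arg), keyarg, keya);
    return 0;
}

/* Fixed behaviour: reject a KEY-ARG longer than the buffer before copying. */
int get_client_master_key_fixed(struct session *s, const uint8_t *msg, size_t len)
{
    uint16_t keya; const uint8_t *keyarg;
    if (cmk_parse(msg, len, &keya, &keyarg) < 0) return -1;
    if (keya > SSL2_MAX_KEY_ARG_LENGTH) return -1;   /* key arg too long */
    s->key_arg_length = (uint8_t)keya;
    memcpy(s->key_arg, keyarg, keya);
    return 0;
}

/* Constructed CLIENT-MASTER-KEY with an attacker-chosen key_arg length
 * (zero-length clear and encrypted key fields, to keep the sample short). */
size_t build_cmk(uint8_t *out, size_t cap, uint16_t keya_len, uint8_t fill)
{
    if (cap < CMK_HEADER_LEN + (size_t)keya_len) return 0;
    memset(out, 0, CMK_HEADER_LEN);
    out[0] = SSL2_MT_CLIENT_MASTER_KEY;
    out[8] = (uint8_t)(keya_len >> 8);
    out[9] = (uint8_t)keya_len;
    memset(out + CMK_HEADER_LEN, fill, keya_len);
    return CMK_HEADER_LEN + keya_len;
}

/* 1 if the marker after key_arg was clobbered, 0 if intact, -1 if rejected. */
int probe(int (*handler)(struct session *, const uint8_t *, size_t), uint16_t keya_len)
{
    struct session s;
    uint8_t msg[64];
    memset(&s, 0xAA, sizeof s);
    size_t n = build_cmk(msg, sizeof msg, keya_len, 0x41);
    if (n == 0 || handler(&s, msg, n) < 0) return -1;
    for (size_t i = 0; i < sizeof s.marker; i++)
        if (s.marker[i] != 0xAA) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, key_arg_len=8:  %d\n", probe(get_client_master_key_vulnerable, 8));
    printf("vulnerable, key_arg_len=16: %d\n", probe(get_client_master_key_vulnerable, 16));
    printf("fixed,      key_arg_len=16: %d\n", probe(get_client_master_key_fixed, 16));
    return 0;
}
```

The length check in `get_client_master_key_fixed` is the whole difference: the record-length check in `cmk_parse` only proves the bytes exist in the message, not that they fit the destination. That distinction is also the practical caveat for anyone testing the host in the original question: a version string older than 0.9.6e (KEY_ARG) or 0.9.6k/0.9.7c (the later advisories Nessus is flagging) is an indicator, but distributions back-ported fixes without bumping the version, so confirm with the vendor's package changelog before treating the banner as proof of exploitability.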
