SSH2 Exploit?

From: John Compton (johny_compton@hotmail.com)
Date: 02/26/02

Previous message: Ehud Tenenbaum: "Re: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)"
Next in thread: Teodor Cimpoesu: "Re: SSH2 Exploit?"
Reply: Teodor Cimpoesu: "Re: SSH2 Exploit?"
Reply: Sten: "Re: SSH2 Exploit?"
Reply: Ron DuFresne: "Re: SSH2 Exploit?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "John Compton" <johny_compton@hotmail.com>
To: vuln-dev@securityfocus.com
Date: Tue, 26 Feb 2002 07:10:39 +0000

Hi,

I recently had a break-in on a redhat linux system. The attacker installed
what appears to be torn kit, but there was one thing which caught my
attention. I found a binary named "sshex" on the compromised system. I
guess this is the exploit used to break in cause most of the servers here
are kept up-to-date. The system was being used to actively scan for ssh
servers.

[root@testbox ]# ./sshex

7350ylonen - x86 ssh2 <= 3.1.0 exploit
dream team teso
usage: 7350ylonen [-hd] <-p port> <-t target> <-d packet_delay> host

RH 7.x - SSH-2.0-3.x SSH Secure Shell
RH 7.x - SSH-2.0-2.x SSH Secure Shell
RH 6.x - SSH-2.0-2.x SSH Secure Shell
Slack 8.0 - SSH-2.0-3.x SSH Secure Shell
SuSE-7.3 - SSH-2.0-3.x SSH Secure Shell
FreeBSD 4.3 - SSH-2.0-3.x SSH Secure Shell
FreeBSD 4.3 - SSH-2.0-2.x SSH Secure Shell

It tries to connect to port 22 when I target localhost, but I can't tell if
sshd is crashing or not as I can't use gdb to attach to the process in time.
The only SSH vulnerabilities I could find affected SSH1 servers, or
OpenSSH. Has anyone else found this exploit on their systems or know
something about it?

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

Previous message: Ehud Tenenbaum: "Re: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)"
Next in thread: Teodor Cimpoesu: "Re: SSH2 Exploit?"
Reply: Teodor Cimpoesu: "Re: SSH2 Exploit?"
Reply: Sten: "Re: SSH2 Exploit?"
Reply: Ron DuFresne: "Re: SSH2 Exploit?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: FreeBSD, SSH and "Enter Authentication Response"
... I'm using a minimal FreeBSD install and SSH Secure Shell client ... sshd auth sufficient pam_skey.so ...
(freebsd-questions)
teso ssh2.0 exploit ?
... RH 7.x - SSH-2.0-2.x SSH Secure Shell ... FreeBSD 4.3 - SSH-2.0-3.x SSH Secure Shell ... the full posting is here: http://online.securityfocus.com/archive/82/258238 ...
(comp.security.ssh)
teso ssh2.0 exploit ?
... RH 7.x - SSH-2.0-2.x SSH Secure Shell ... FreeBSD 4.3 - SSH-2.0-3.x SSH Secure Shell ... the full posting is here: http://online.securityfocus.com/archive/82/258238 ...
(comp.security.ssh)