|
Vulnerability Development
mailing list archives
Re: SSH2 Exploit?
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 7 Mar 2002 07:56:15 -0600
This is a ssh1 crc32 auto-rooter, courtesy of incident response:
http://www.digitaloffense.net/autossh.tgz
You have 24 hours to grab a copy before I remove it. I have not checked the
contained binaries for trojans or virii yet, so please dont run them unless
you verify them yourself. An auto-rooter would not be created if the exploit
it used (x2) doesn't work...
On Wednesday 27 February 2002 08:10 pm, Ron DuFresne wrote:
There's nothing here that actually suggests the systems were compromised
via sshd, neither sshd1 nor sshd2. Nor is there an actual accounting of
what other services were open for possible exploit on the systems in
question. Nothing about the kernels chosen and possible problems there,
nor if the systems were acutally remotely exploited of if <as is much more
possible> that an internal user on the systems actually rooted the
systems. I have seen code to scan for sshd1, seen the traces in my logs,
and there have been hints of possible sshd1 exploit code ciculating for
awhile now, with no real evicdence presented there is such an exploit in
use that works remotely. Those exploits of sshd1 that have been suggested
are far above the needs and skills of simple skript-kiddies though. SSHD2
that I've seen vulnerabilites mentioned for though are those that include
sshd1 support, so, if there is real evidence of an sshd2 remote exploit or
even a remote sshd1 exploit in acutal use, then, I'd certainly like to see
the code or binaries in question. Otherwie, we only have rumrrs of such
and most likely have systems hacked via other vectors that are used to
scan for possibly exploitable sshd's, and these scans are possibly placed
for scare tactics or diversion from the real purpose of the rooting that
has taken place.
Thanks,
Ron DuFresne
 By Date 
By Thread
Current thread:
|
Intro
