[23144] in bugtraq
Re: Analysis of SSH crc32 compensation attack detector exploit
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Wed Nov 14 17:18:54 2001
Date: Wed, 14 Nov 2001 10:21:49 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: BUGTRAQ@securityfocus.com,
Incidents Mailing List <INCIDENTS@securityfocus.com>,
<unisog@sans.org>
In-Reply-To: <Pine.LNX.4.40.0111082143010.15991-100000@shiva0.cac.washington.edu>
Message-ID: <Pine.LNX.4.40.0111131844400.27957-100000@shiva0.cac.washington.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Thu, 8 Nov 2001, Dave Dittrich wrote:
> ==========================================================
> Analysis of SSH crc32 compensation attack detector exploit
> ==========================================================
I received comments from a number of people about identification
of "affected" SSH servers. One such message is here:
From markus@openbsd.org Tue Nov 13 18:43:41 2001
Date: Sun, 11 Nov 2001 14:35:31 +0100
Subject: Re: Analysis of SSH crc32 compensation attack detector exploit
From: Markus Friedl <markus@openbsd.org>
To: Dave Dittrich <dittrich@cac.washington.edu>
. . .
> are quite visible (remember, this is stock SSH.com 1.2.31 on
> Red Hat Linux 6.0 -- syslog signatures for OpenSSH were not obtained
> in this analysis):
with OpenSSH you would only see the 'fatal:' messages,
the 'Connection from' will not be displayed in the default
configuration.
> One final point. Note the last syslog entry. The successful exploit
> causes an authentication attempt to pause while the shell code back door
> becomes active. You can connect to the shell and do whatever you
> want. Only problem is, the original SSH daemon (at least with SSH.com
> 1.2.31) will timeout when the authentication doesn't complete, and the
> shell will be terminated.
same applies to openssh and probably all ssh-1.x versions.
the rules are simpler:
1) protocol 2 only
   all
       SSH-2.0-*
   are not affected, since no protocol v1 is involved.
2) protocol 1 and 2 support
   since
       SSH-1.99-*
   supports both protocol versions, it gets more difficult.
   for the commercial server, you never know the version
   of the server that will be called for the fallback,
   you have to assume that all
       SSH-1.99-[23]*
   are affected, and
       SSH-1.99-OpenSSH[-_].x.y
   are affected for versions x.y < 2.3
3) protocol 1 only
       SSH-1.5-OpenSSH[-_].x.y
   is affected for versions x.y < 2.3
   and the commercial versions.
       SSH-1.5-1.2.2[456789]
       SSH-1.5-1.2.3[01]
so:
[updates to table removed]
-markus
The analysis has been updated to reflect this, and the script
modified somewhat. The most recent version can be found at:
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
--
Dave Dittrich Computing & Communications
dittrich@cac.washington.edu University Computing Services
http://staff.washington.edu/dittrich University of Washington
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
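The banner rules Markus Friedl lays out above, turned into a classifier a defender can run over an inventory of collected SSH version strings. This is an added example, not code from the original post or from Dave Dittrich's ssh-analysis script; the sample banners are constructed, and "OpenSSH[-_].x.y" is read as the major.minor following "OpenSSH_" or "OpenSSH-". Banners the rules do not cover are reported as "unknown" rather than guessed.

```python
import re

# Rule 2/3: OpenSSH on protocol 1.5 or 1.99; affected when major.minor < 2.3
OPENSSH_RE = re.compile(r"^SSH-(1\.5|1\.99)-OpenSSH[-_](\d+)\.(\d+)")
# Rule 2: commercial server advertising 1.99 with a 2.x or 3.x version string
COMMERCIAL_V199_RE = re.compile(r"^SSH-1\.99-[23]")
# Rule 3: commercial ssh1 versions 1.2.24 through 1.2.31
COMMERCIAL_V15_RE = re.compile(r"^SSH-1\.5-1\.2\.(2[4-9]|3[01])\b")


def classify_banner(banner: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one SSH banner."""
    b = banner.strip()
    if b.startswith("SSH-2.0-"):
        return "not affected"  # protocol 2 only, no v1 code path
    m = OPENSSH_RE.match(b)
    if m:
        major, minor = int(m.group(2)), int(m.group(3))
        return "affected" if (major, minor) < (2, 3) else "not affected"
    if COMMERCIAL_V199_RE.match(b) or COMMERCIAL_V15_RE.match(b):
        return "affected"
    return "unknown"  # not covered by the rules in the post


def summarize(banners):
    """Count classifications over an iterable of banners (e.g. one per host)."""
    counts = {"affected": 0, "not affected": 0, "unknown": 0}
    for banner in banners:
        counts[classify_banner(banner)] += 1
    return counts


# Constructed sample banners, one per rule branch (not real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.0",
    "SSH-1.99-2.4.0",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.9p2",
    "SSH-1.5-OpenSSH-2.1.1",
    "SSH-1.5-1.2.27",
    "SSH-1.5-1.2.32",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:32} {classify_banner(b)}")
    print(summarize(SAMPLE_BANNERS))
```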