Brian Micek wrote:
> I don't mean to re-start an old topic, but would anyone happen to have
> access to the source code for the second phase of the popular SSH
> probes? The reason I'm interested in it is because I'd like to exploit
> some weaknesses in the code and at least cause it to drop a core.

IANAL. I am also not law enforcement. I'm also not a poser when it comes
to security.

I have spoken to law enforcement agencies from a number of countries about
this specific issue on several occasions, and I've also spoken with
attorneys about this specific idea in a couple of countries. You tread on
very dangerous ground, and it's an immature and unwise approach. The fact
is, defensive measures are generally not interpreted to include trying to
exploit vulnerabilities in code operating on boxes you don't own or have
authorization to attack. You'll exceed authorized access on someone else's
system, if you're successful. It may cause a great deal of collateral damage.

Your approach is ill-advised. It's also not all that wise as it could be
used to launch DoS against other sites, and may be capable of doing DoS
against your site (MITM, forged syn, synack, ack sequences in two
directions, linking the stream from your /dev/urandom dump (ie: chargen) to
any port that will listen (echo)). Chews up cycles, at a bare minimum...
forever.

> Currently, I have a service started by xinetd and close stdin on the
> command line arguments to avoid hackers hacking my program. I run a
> bash script as user "nobody" that basically looks like this (extra
> extraneous stuff is removed):
>
> #!/bin/bash
> function fakessh() {
>     echo SSH-2.0-OpenSSH_3.9p1   # ID ourself as a valid SSH service
>     /bin/cat /dev/urandom        # and send random data
> }
> # Main follows - this is run as user "nobody"
> fakessh <&-   # Call the payload and (again) close stdin to avoid hacks
> # EOF - fakessh
>
> The result for someone using a normal ssh client is:
> UNIX> ssh localhost
> Disconnecting: Bad packet length 3349376822.
>
> I am hoping to cause some kind of memory problem here and that's why I
> need the source code. Another exploit to examine is what happens with
> zero length packets if we cat /dev/zero. If there is nothing to exploit
> here, I'll remove the "echo" line so I send random data until the hacker
> client terminates his connection.
>
> Thank you,
> Brian Micek

--
William Yang
wyang@××××.net
--
gentoo-security@g.o mailing list
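Added here as an illustration, not code from Brian's mail or from William's reply: a bounded variant of the quoted fakessh service. William's objection that the unbounded `cat /dev/urandom` "chews up cycles ... forever" is the failure mode this version addresses: it sends the banner, then at most a fixed number of random bytes in slow chunks, and exits when the cap is reached or the client disconnects, so one probe cannot pin a process indefinitely. The byte cap, chunk size, delay and the `serve` argument are assumptions made for this example; the script assumes it is launched by xinetd with stdout connected to the client, as in the original.

```shell
#!/bin/bash
# Added example (not from the thread): a bounded fake-SSH responder.
# Assumed defaults: 64 KiB cap, 4 KiB chunks, 1 s between chunks.

# Emit the banner, then at most $max_bytes of random data in chunks
# separated by $delay seconds, then return. Stops early if the client
# goes away (a write failure / SIGPIPE makes head fail).
fakessh_bounded() {
  local max_bytes="${1:-65536}"   # total random bytes to send (assumed default)
  local chunk="${2:-4096}"        # bytes per write (assumed default)
  local delay="${3:-1}"           # seconds between chunks (assumed default)
  local sent=0
  local n

  echo "SSH-2.0-OpenSSH_3.9p1"    # identify as an SSH service, as in the original
  while [ "$sent" -lt "$max_bytes" ]; do
    n=$(( max_bytes - sent ))
    if [ "$n" -gt "$chunk" ]; then
      n="$chunk"
    fi
    if ! head -c "$n" /dev/urandom; then
      return 0                     # client disconnected: stop, do not spin
    fi
    sent=$(( sent + n ))
    if [ "$sent" -lt "$max_bytes" ]; then
      sleep "$delay"
    fi
  done
  return 0
}

# Helper for checking the cap: number of bytes fakessh_bounded emits
# for a given cap and chunk size, with no delay.
fakessh_bounded_size() {
  fakessh_bounded "$1" "${2:-4096}" 0 | wc -c | tr -d ' '
}

# Entry point when run as an xinetd service: `fakessh_bounded.sh serve`.
# Stdin is closed (<&-) exactly as the original script does.
case "${1:-}" in
  serve) fakessh_bounded "${FAKESSH_MAX_BYTES:-65536}" <&- ;;
esac
```

The total a single connection can cost is now bounded by the cap and the delay (with the defaults, 64 KiB over about 16 seconds), which is the resource property the unbounded `cat` lacks; xinetd's own per-source and instance limits still apply on top of this.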