| 1 |
Brian Micek wrote: |
| 2 |
> I don't mean to re-start an old topic, but would anyone happen to have |
| 3 |
> access to the source code for the second phase of the popular SSH |
| 4 |
> probes? The reason I'm interested in it is because I'd like to exploit |
| 5 |
> some weaknesses in the code and at least cause it to drop a core. |
| 6 |
|
| 7 |
IANAL. I am also not law enforcement. I'm also not a poser when it comes |
| 8 |
to security. |
| 9 |
|
| 10 |
I have spoken to law enforcement agencies from a number of countries about |
| 11 |
this specific issue on several occasions, and I've also spoken with |
| 12 |
attorneys about this specific idea in a couple of countries. You tread on |
| 13 |
very dangerous ground, and it's an immature and unwise approach. The fact |
| 14 |
is, defensive measures are generally not interpreted to include trying to |
| 15 |
exploit vulnerabilities in code operating on boxes you don't own or have |
| 16 |
authorization to attack. You'll exceed authorized access on someone else's |
| 17 |
system, if you're successful. It may cause a great deal of collateral damage. |
| 18 |
|
| 19 |
Your approach is ill-advised. It's also not all that wise as it could be |
| 20 |
used to lauch DoS against other sites, and may be capable of doing DoS |
| 21 |
against your site (MITM, forged syn, synack, ack sequences in two |
| 22 |
directions, linking the stream from your /dev/urandom dump (ie: chargen) to |
| 23 |
any port that will listen (echo). Chews up cycles, at a bare minimum... |
| 24 |
forever. |
| 25 |
|
| 26 |
> Currently, I have a service started by xinetd and close stdin on the |
| 27 |
> command line arguments to avoid hackers hacking my program. I run a |
| 28 |
> bash script as user "nobody" that basically looks like this (extra |
| 29 |
> extraneous stuff is removed): |
| 30 |
> |
| 31 |
> #!/bin/bash |
| 32 |
> function fakessh() { |
| 33 |
> echo SSH-2.0-OpenSSH_3.9p1 # ID ourself as a valid SSH service |
| 34 |
> /bin/cat /dev/urandom # and send random data |
| 35 |
> } |
| 36 |
> # Main follows - this is run as user "nobody" |
| 37 |
> fakessh <&- # Call the payload and (again) close stdin to avoid hacks |
| 38 |
> # EOF - fakessh |
| 39 |
> |
| 40 |
> The result for someone using a normal ssh client is: |
| 41 |
> UNIX> ssh localhost |
| 42 |
> Disconnecting: Bad packet length 3349376822. |
| 43 |
> |
| 44 |
> I am hoping to cause some kind of memory problem here and thats why I |
| 45 |
> need the source code. Another exploit to examine is what happens with |
| 46 |
> zero length packets if we cat /dev/zero. If there is nothing to exploit |
| 47 |
> here, I'll remove the "echo" line so I send random data until the hacker |
| 48 |
> client terminates his connection. |
| 49 |
> |
| 50 |
> Thank you, |
| 51 |
> Brian Micek |
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
William Yang |
| 56 |
wyang@××××.net |
| 57 |
-- |
| 58 |
gentoo-security@g.o mailing list |
Archives