List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: William Yang <wyang@...>
Subject: Re: SSH probes
Date: Sat, 05 Nov 2005 15:19:50 -0500
Brian Micek wrote:
> I don't mean to re-start an old topic, but would anyone happen to have 
> access to the source code for the second phase of the popular SSH 
> probes?  The reason I'm interested in it is because I'd like to exploit 
> some weaknesses in the code and at least cause it to drop a core.

IANAL.  I am also not law enforcement.  I'm also not a poser when it comes 
to security.

I have spoken to law enforcement agencies from a number of countries about 
this specific issue on several occasions, and I've also spoken with 
attorneys about this specific idea in a couple of countries.  You tread on 
very dangerous ground, and it's an immature and unwise approach.  The fact 
is, defensive measures are generally not interpreted to include trying to 
exploit vulnerabilities in code operating on boxes you don't own or have 
authorization to attack.  You'll exceed authorized access on someone else's 
system, if you're successful.  It may cause a great deal of collateral damage.

Your approach is ill-advised.  It's also not all that wise as it could be 
used to launch DoS against other sites, and may be capable of doing DoS 
against your site (MITM, forged syn, synack, ack sequences in two 
directions, linking the stream from your /dev/urandom dump (i.e., chargen) to 
any port that will listen (echo)).  Chews up cycles, at a bare minimum... 
forever.

> Currently, I have a service started by xinetd and close stdin on the 
> command line arguments to avoid hackers hacking my program.  I run a 
> bash script as user "nobody" that basically looks like this (extra 
> extraneous stuff is removed):
> 
> #!/bin/bash
> function fakessh() {
>   echo SSH-2.0-OpenSSH_3.9p1 # ID ourself as a valid SSH service
>   /bin/cat /dev/urandom # and send random data
> }
> # Main follows - this is run as user "nobody"
> fakessh <&-  # Call the payload and (again) close stdin to avoid hacks
> # EOF - fakessh
> 
> The result for someone using a normal ssh client is:
> UNIX>  ssh localhost
> Disconnecting: Bad packet length 3349376822.
> 
> I am hoping to cause some kind of memory problem here and that's why I 
> need the source code.  Another exploit to examine is what happens with 
> zero length packets if we cat /dev/zero.  If there is nothing to exploit 
> here, I'll remove the "echo" line so I send random data until the hacker 
> client terminates his connection.
> 
> Thank you,
> Brian Micek


-- 
William Yang
wyang@...
-- 
gentoo-security@g.o mailing list
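
The resource concern raised in the reply above (an unbounded /dev/urandom stream that chews up cycles forever), as an added example that is not part of either post: a variant of the quoted responder with a hard byte and time budget per connection. `MAX_BYTES`, `MAX_SECS`, `bounded_fakessh` and `bytes_sent` are names and limits assumed for illustration.

```shell
#!/bin/bash
# Added example: bounded variant of the quoted fakessh responder.
# MAX_BYTES and MAX_SECS are assumed limits, not values from the thread.
MAX_BYTES=${MAX_BYTES:-65536}   # hard cap on payload bytes per connection
MAX_SECS=${MAX_SECS:-10}        # hard cap on wall-clock time per connection
BANNER='SSH-2.0-OpenSSH_3.9p1'  # banner string taken from the quoted script

bounded_fakessh() {
  printf '%s\n' "$BANNER"
  # head -c stops reading /dev/urandom once the byte budget is spent;
  # timeout ends the process if the peer stalls and never drains the socket.
  # "|| true" keeps a timeout (exit status 124) from aborting the caller.
  timeout "$MAX_SECS" head -c "$MAX_BYTES" /dev/urandom || true
}

# Helper for checking the budget: total bytes one invocation writes,
# with stdin closed the same way the quoted script closes it.
bytes_sent() {
  bounded_fakessh <&- | wc -c | tr -d ' '
}

# Serve one connection only when asked to, e.g. from an xinetd "server_args".
if [ "${1:-}" = "--serve" ]; then
  bounded_fakessh <&-
fi
```

The budget is per connection only; the number of concurrent copies is bounded separately, for example with xinetd's `instances` and `per_source` attributes.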


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
