++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! NEW REMOTE HOLE FOUND IN OPENSSH! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PRODUCT ******* OpenSSH website: http://www.openssh.org BACKGROUD ********* OK as usual GOBBLES have a quick paste from vendor website describing the product for you in the case of that you do not already know what is the OpenSSH. [OpenSSH] OpenSSH 3.0.1 released November 15, 2001. Contains support for SSH1 and SSH2 protocols. OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. So if you do not understand it now GOBBLES will explain that OpenSSH is a free and not commercial version of SSH (hence it is called OpenSSH not ssh dot commercial) which allows encryption of network protocols and similar things so that no more data can be transmitted plaintext to fall victim to evil sniffing programs to collect passwords and other information which can be used in sophisticated attacks against networks and computers and users connected to the networks. Anyhow here is how GOBBLES came to start researching the security of the OpenSSH. Lately on securityfocus.com GOBBLES have been reading a lot about the old OpenSSH crc32 backdoor and the security of SSH in general has been questioned. GOBBLES thinks that people should realize that the SECURE from SECURE SHELL means that the communications are secure and are not easily monitored and does not mean that the program itself is secure and bugfree. Then GOBBLES was on his favorite security website one day which is http://www.packetstormsecurity.org and GOBBLES did see: .: file detail File Name File Size Last Modified openssh-3.0.1p1.tar.gz 780980 Nov 19 11:31:11 2001 This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. Changes: Fixed a security hole that may allow an attacker to authenticate if -- and only if -- the administrator has enabled KerberosV. Full changelog available here. Homepage: http://www.openssh.com/. By Damien Miller Back to the Home Page Hehehe see where it say "all known security bugs fixed" is what made GOBBLES want to see if GOBBLES could find any new security bugs and of course GOBBLES did otherwise why would this advisory be written? SECURITY HISTORY **************** GOBBLES think the most prominant OpenSSH bug known in history is the famous CORE SDI backdoor which is so significant of a bug that it is the only bug in OpenSSH that has been known to this time that is worthy of being mentioned here. Here GOBBLES have some links to about it for you! http://www.core-sdi.com/pressroom/advisories_desplegado.php?idx=81&idxsection=10 http://packetstorm.decepticons.org/0102-exploits/ssh1.crc32.txt http://packetstorm.decepticons.org/0102-exploits/sshdexpl.diff.gz http://packetstorm.decepticons.org/0103-exploits/openssh-2.2.0-exp.tgz and many others but too many for GOBBLES to list here because by now you get the ideas hehehe! VERSIONS AFFECTED ***************** For this exercise GOBBLES did use the latest OpenSSH version 3.0.1p1 and also did GOBBLES check earlier 2.9 versions to find that yes indeed the bug is there too, but GOBBLES did not go back and investigate any further than the 2.9 and 3.0 versions of the OpenSSH. Not tested by GOBBLES is SSH dot COMMERCIAL version of OpenSSH which may or may not be able to be attacked in a such a way as GOBBLES will soon disclose to you! THE PROBLEM *********** First GOBBLES think you need to understand what is sftp which is secure ftp so now GOBBLES will take a look at some manpages for you so you can read them. from man sftp GOBBLES does present the following paste: SFTP(1) System Reference Manual SFTP(1) NAME sftp - Secure file transfer program SYNOPSIS sftp [-1Cv] [-b batchfile] [-F ssh_config] [-o ssh_option] [-s subsystem | sftp_server] [-S program] host sftp [[user@]host[:file [file]]] sftp [[user@]host[:dir[/]]] DESCRIPTION sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also use many features of ssh, such as public key authentication and compres- sion. sftp connects and logs into the specified host, then enters an in- teractive command mode. The second usage format will retrieve files automatically if a non-inter- active authentication method is used; otherwise it will do so after suc- cessful interactive authentication. The last usage format allows the sftp client to start in a remote direc- tory. So now it is you understand what sftp is for but GOBBLES explain it again in in more clear terms so that some other penetrators might get to understand it better basically sftp is programs to be used with sshd to send files over encryption so that people can't use evil programs like filesnarf to intercept your ftp transfers and also they can not sniff and steal your passwords to the systems either since they are all done over ssh communications when using sftp. GOBBLES think sftp is nicer for that than ftp because of no plaintext and even ftp that uses ssl is still vulnerable to clever modifications of ettercap from http://ettercap.sourceforge.net. But GOBBLES did find a major security hole in the sftp which is now fully disclosed. First GOBBLES demonstrate the hole to you. root@localhost:~# telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_3.0.1p1 Protocol mismatch. Connection closed by foreign host. root@localhost:~# adduser Login name for new user []: sftpsucks User id for sftpsucks [ defaults to next available]: Initial group for sftpsucks [users]: Additional groups for sftpsucks (seperated with commas, no spaces) []: sftpsucks's home directory [/home/sftpsucks]: sftpsucks's shell [/bin/bash]: sftpsucks's account expiry date (YYYY-MM-DD) []: OK, I'm about to make a new account. Here's what you entered so far: New login name: sftpsucks New UID: [Next available] Initial group: users Additional groups: [none] Home directory: /home/sftpsucks Shell: /bin/bash Expiry date: [no expiration] This is it... if you want to bail out, hit Control-C. Otherwise, press ENTER to go ahead and make the account. Making new account... Changing the user information for sftpsucks Enter the new value, or press return for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Changing password for sftpsucks Enter the new password (minimum of 5, maximum of 127 characters) Please use a combination of upper and lower case letters and numbers. New password: Bad password: too simple. Warning: weak password (enter it again to use it anyway). New password: Re-enter new password: Password changed. Done... root@localhost:~# last sftpsucks wtmp begins Tue Sep 18 16:18:28 2001 root@localhost:~# sftp sftpsucks@localhost Connecting to localhost... sftpsucks@localhost's password: Permission denied, please try again. sftpsucks@localhost's password: sftp> cd /etc sftp> get passwd Fetching /etc/passwd to passwd sftp> QUIT root@localhost:~# last sftpsucks wtmp begins Tue Sep 18 16:18:28 2001 root@localhost:~# As you can see that when GOBBLES uses sftp that it do not log to utmp like ftp would so it would look like no one is on the system, so if an evil penetrator does sniff a pop3 password that he can now have full access to all files on the system without raising any alarms because clever admin who run 'watch w' on their tty to see who is sneaking around they system will not know an intruder is there like they would with the ftp. Also GOBBLES know from neohapsis.com thread called "SFTP + Chroot" that the sftp is not chrooted like real ftp server so that now the attacker have access to all files in / with permissions set for the uid of the sniffed pop3 password account, more on this can be found from thread: http://archives.neohapsis.com/archives/sf/linux/2001-q4/0260.html For the credit of the OpenSSH sftp programmers GOBBLES does note that sftp do write to syslog see here from grep and paste: messages:Nov 26 21:04:18 localhost sshd[16833]: subsystem request for sftp messages:Nov 26 22:40:08 localhost sshd[25665]: Failed password for sftpsucks from 127.0.0.1 port 1588 ssh2 messages:Nov 26 22:40:37 localhost sshd[25669]: Accepted password for sftpsucks from 127.0.0.1 port 1589 ssh2 messages:Nov 26 22:40:37 localhost sshd[25669]: subsystem request for sftp But GOBBLES know that a clever attacker can just grep -v this after he gain root. Oh, GOBBLES did not explain how to get root from this exploit yet, hehehe well here is how. See in example how GOBBLES is able to get /etc/passwd downloaded from sniffed pop3? Well if idiot administrator does not use modern shadow techniques on he system GOBBLES could now use password cracker to gain root password and then control of the system. More clever attacks that GOBBLES can think of include sending a copy of netcat and cgi script and upload it then run it to get shell access without anyone seeing then doing evil work like ptrace to get root on a system without anyone even seeing then grep -v the pesky /var/log/messages and no one would ever know the intruder was there. Hehe GOBBLES suggest that the name SECURE SHELL to be changed to SECURE COMMUNICATIONS SHELL so it is not misleading about the security status of the bugfilled program. VENDOR NOTIFICATION STATUS ************************** Lead OpenBSD developer Theo de Ratt have been notified via email by GOBBLES about this hole and suspect that it soon be fixed to log in a secure fashion. SUGGESTED WORKAROUNDS ********************* Until patch for OpenSSH is issued GOBBLES suggest that everyone just killall -9 sshd and wait for security update patch to be added for logging sftp in the proper fashion. GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, and all our friends and family. GOBBLES still have not received any clarification from the Legions of the Underworld Leader Digital Ebola about issuing statements to the underground on public websites. GOBBLES wonder what happen next, a message board for the underground to talk about their motives publically for the media to read and write about? Hehehe GOBBLES does not think this is a very underground practice because why should the underground really want the rest of the world to know what they are thinking?