
SshdJJFen.txt

Posted Aug 17, 1999
Authored by J.J.F. / Hackers Team

(English) Security vulnerability in sshd2 <= 2.0.11 allows a remote attacker to make repeated brute-force attempts on the login/password without being logged. Fixed in sshd2 >= 2.0.12.

tags | exploit, remote
SHA-256 | db162d27acdda51744563dec6172c820f16099310d31eb4b1f8a84bb22de5e16



- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 05/09/1999
Release: 05/14/1999
Author: Zhodiac <zhodiac@jjf.org>
URL: http://www.jjf.org
Application: sshd2 up to 2.0.11
OS: Unix
Risk: Risky :), long term could gain system access.

-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=

In the default installation of sshd2 (up to 2.0.11) there is an
open way to bruteforce a login/password without any kind of IP logging
by the sshd. Version 2.0.12 and newer seem not to be vulnerable to
this attack, because they log the IP at connection time.

-=-=-=-=-=-=-=-=
Details
-=-=-=-=-=-=-=-=

When an ssh client connects to the daemon, it has a number
(default is three) of attempts to guess the correct password before
disconnecting. If we shut down the connection before using up the number
of attempts, the daemon will log neither the connection, the
password guesses, nor the IP of the client.

One crystal clear example:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:

Disconnected; authentication error.
[zhodiac@piscis zhodiac]$

In /var/log/messages:

May 9 12:42:53 piscis sshd2[1391]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1344', requested service 'ssh-connection')'

Now we try the bug:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$

Those "FATAL: Received signal 2." messages are the result of
interrupting the program with a ^C.

Let's see what syslog did:

May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection
closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection
closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection
closed.

No IP and no password guess attempts in the logs!
So a bruteforce can be done without any kind of logging... Sorry
script-kiddies, no program available!

-=-=-=-=-=-=-=-=
Quick Fix
-=-=-=-=-=-=-=-=

Edit the file sshd2_config (usually in /etc/ssh2) and set the value
of "PasswordGuesses" to 1. With this, each time a password is tried it
will be logged in the following way:

May 9 12:46:07 piscis sshd[1308]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1527', requested service 'ssh-connection')'

It is also recommended to set the value of "ListenAddress" so we
will have more control over which IPs can use our ssh service.

A better solution is to upgrade to version 2.0.12 or newer, which
logs each connection via syslog in the following way:

May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
zhodiac@jjf.org

http://www.jjf.org
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
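
Added example, not part of the original advisory: a log check that finds sshd2 sessions which ended with "Remote host disconnected" while no line for the same PID recorded a client address, and groups them into bursts. The function names, the year parameter, the burst window and threshold, and the assumption that PIDs are not reused within one log file are choices made for this example; the sample lines are constructed from the messages quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix as shown in the advisory: "May 9 12:44:41 piscis sshd2[1403]: <msg>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+sshd2?\[(\d+)\]:\s+(.*)$")
# The two message forms quoted in the advisory that record the client address.
ADDR_RE = re.compile(r"client address '([\d.]+):\d+'|connection from \"([\d.]+)\"")

def unattributed_sessions(lines, year=1999):
    """Return sorted (time, host, pid) for sessions that closed with no client address logged."""
    seen = defaultdict(lambda: {"addr": False, "closed": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        entry = seen[(host, pid)]  # assumption: PIDs are not reused within this file
        if ADDR_RE.search(msg):
            entry["addr"] = True
        if msg.startswith("Remote host disconnected"):
            # syslog timestamps omit the year, so the caller supplies it
            entry["closed"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return sorted((e["closed"], host, pid) for (host, pid), e in seen.items()
                  if e["closed"] and not e["addr"])

def bursts(sessions, window=timedelta(seconds=60), threshold=3):
    """Chain anonymous disconnects whose gaps are <= window; keep chains of >= threshold."""
    groups, current = [], []
    for item in sessions:
        if current and item[0] - current[-1][0] > window:
            groups.append(current)
            current = []
        current.append(item)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= threshold]

# Constructed sample: the advisory's messages on single lines, plus one session
# logged the way 2.0.12 does it (the 7184 disconnect line is invented for the example).
SAMPLE = [
    "May  9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'",
    "May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.",
    "May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.",
    "May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.",
    'May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"',
    "May  9 15:23:40 piscis sshd2[7184]: Remote host disconnected: Connection closed.",
]
```

On a 2.0.11 host a burst reported here carries no source address, so it only tells you when to look; the address has to come from firewall or network logs covering the same window.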