SshdJJFen.txt

Published: 17 Aug 1999
Reported by: J.J.F. / Hackers Team
Type: packetstorm
Source: packetstormsecurity.com

Vulnerability in sshd2 allows password brute-force without IP logging in versions up to 2.0.11.

Code
`  
  
- J.J.F. / Hackers Team - Security Advisory  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
Date: 05/09/1999  
Release: 05/14/1999  
Author: Zhodiac <[email protected]>  
URL: http://www.jjf.org  
Application: sshd2 up to 2.0.11  
OS: Unix   
Risk: Risky :), long term could gain system access.  
  
-=-=-=-=-=-=-=-=  
Introduction  
-=-=-=-=-=-=-=-=  
  
In the default installation of sshd2 (up to 2.0.11) there is an  
open way to brute-force a login/password without any kind of IP logging  
by the sshd. Versions 2.0.12 and newer seem not to be vulnerable to  
this attack, because they log the IP at connection time.  
  
-=-=-=-=-=-=-=-=  
Details  
-=-=-=-=-=-=-=-=   
  
When an ssh client connects to the daemon, it has a number  
(default is three) of attempts to guess the correct password before  
being disconnected. If we shut down the connection before using up the number  
of attempts, the daemon will log neither the connection, the  
password guesses, nor the IP of the client.  
  
One crystal clear example:  
  
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis  
zhodiac's password:   
zhodiac's password:  
zhodiac's password:  
  
Disconnected; authentication error.  
[zhodiac@piscis zhodiac]$   
  
In /var/log/messages:  
  
May 9 12:42:53 piscis sshd2[1391]: User authentication failed:  
'Authentication method disabled. (user 'zhodiac', client address  
'192.168.1.1:1344', requested service 'ssh-connection')'  
  
Now we try the bug:  
  
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis  
zhodiac's password:  
zhodiac's password:  
zhodiac's password: FATAL: Received signal 2.  
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis  
zhodiac's password:  
zhodiac's password:  
zhodiac's password: FATAL: Received signal 2.  
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis  
zhodiac's password:  
zhodiac's password:  
zhodiac's password: FATAL: Received signal 2.  
[zhodiac@piscis zhodiac]$   
  
Those "FATAL: Received signal 2." messages are the response to  
interrupting the program with a ^C.  
  
Let's see what syslog did:  
  
May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection  
closed.  
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection  
closed.  
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection  
closed.  
  
No IP, no password guess attempts in the logs!  
So a brute-force can be done without any kind of logging... Sorry  
script-kiddies, no program available!  
  
-=-=-=-=-=-=-=-=  
Quick Fix  
-=-=-=-=-=-=-=-=  
  
Edit the file sshd2_config (usually at /etc/ssh2) and set the value  
of "PasswordGuesses" to 1. With this, each time a password is tried it  
will be logged in the following way:  
  
May 9 12:46:07 piscis sshd[1308]: User authentication failed:  
'Authentication method disabled. (user 'zhodiac', client address  
'192.168.1.1:1527', requested service 'ssh-connection')'  
  
It is also recommended to set the value of "ListenAddress" so we  
will have more control of which IPs can use our ssh service.  
  
A better solution is to upgrade to version 2.0.12 or newer; with  
these, each connection is logged via syslog in the following way:  
  
May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
[email protected]  
  
http://www.jjf.org  
- J.J.F. / Hackers Team - Security Advisory  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
`
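
A detection heuristic for the log pattern the advisory shows, added here as an example (not part of the original advisory or of sshd2): it flags runs of "Remote host disconnected" entries whose sshd2 PID never logged a client address or an authentication failure. The sample log is constructed from the advisory's syslog lines with wrapped lines joined; the year, the threshold of 3 and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the advisory's syslog lines, each joined onto one line.
SAMPLE = """\
May 9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'
May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd2?\[(\d+)\]: (.*)$")

def parse(text, year=1999):
    """Yield (timestamp, pid, message) per sshd/sshd2 line; syslog omits the year (assumed)."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def silent_disconnects(text):
    """Disconnects whose PID logged neither an auth failure nor a client address."""
    events = list(parse(text))
    attributed = {pid for _, pid, msg in events
                  if "authentication failed" in msg or msg.startswith("connection from")}
    return [(ts, pid) for ts, pid, msg in events
            if msg.startswith("Remote host disconnected") and pid not in attributed]

def bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return PID groups of >= threshold silent disconnects inside one sliding window."""
    hits, found, start = silent_disconnects(text), [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1  # slide the window forward past stale entries
        if end - start + 1 >= threshold:
            found.append([pid for _, pid in hits[start:end + 1]])
    return found

if __name__ == "__main__":
    for group in bursts(SAMPLE):
        print("possible unlogged password guessing, sshd2 PIDs:", group)
```

On a daemon running 2.0.12 or newer, the `connection from` line ties each PID to an address, so the same disconnects are no longer reported as silent.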
