
Analysis of SSH crc32 compensation attack detector exploit

posted on November 12, 2001
by hitbsecnews

Source: Linux Security

On October 6, 2001, intruders originating from network blocks in the Netherlands used an exploit for the crc32 compensation attack detector vulnerability to remotely compromise a Red Hat Linux system on the UW network running OpenSSH 2.1.1. David Dittrich thoroughly analyzes the attack as it happened on a network for which he is responsible.

==========================================================
Analysis of SSH crc32 compensation attack detector exploit
==========================================================

Copyright (C) 2001, David A. Dittrich
Thu Nov 8 23:31:20 PST 2001

Summary of incident
===================

On October 6, 2001, intruders originating from network blocks
in the Netherlands used an exploit for the crc32 compensation attack
detector vulnerability to remotely compromise a Red Hat Linux
system on the UW network running OpenSSH 2.1.1. This vulnerability is
described in CERT Vulnerability note VU#945216:

http://www.kb.cert.org/vuls/id/945216

Once in the system, a series of operating system commands were
replaced with trojan horses to provide back doors for later entry
and to conceal the presence of the intruders in the system. A second
SSH server was run on a high numbered port (39999/tcp). The system
was then used for broad scanning (outbound from the UW network) to
identify more systems running OpenSSH 2.1.1, some of which were
then attacked manually.

Artifacts and logs were recovered from the system and analyzed.

[NOTE: This particular exploit is presumed to be independent of any
root kits or tool kits, so do not expect these same attributes to be
present on all systems attacking with an SSH crc32 exploit.]

The exploit is based on the source code for OpenSSH 2.2.0 (which
is the follow-on to version 2.1.1, and patched a vulnerability in the
crc32 compensation attack detection function). It is actively being
used against systems running OpenSSH 2.1.1 servers which suffer from
this vulnerability, and has been successfully used against SSH.com
version 1.2.31 as well. (Other SSH protocol 1 implementations and
versions have not been tested to date.)

The analyzed exploit lists the following targets:

    linux/x86 ssh.com 1.2.26-1.2.31 rhl
    linux/x86 openssh 1.2.3 (maybe others)
    linux/x86 openssh 2.2.0p1 (maybe others)
    freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

While this exploit shows multiple targets, the attackers in this case
were only scanning for 22/tcp, then connecting to those systems that
respond to get the server version and explicitly looking for only
"OpenSSH_2.1.1". These were rapid SYN scans, using a tool that
comes with the t0rn root kit.
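The attackers' own reconnaissance (banner-grab 22/tcp, match on "OpenSSH_2.1.1") is the same information a defender needs to inventory exposure. The script below is an added example, not part of Dittrich's report or of any OpenSSH or SSH.com code: it parses SSH identification strings of the form "SSH-protoversion-softwareversion [comment]", flags the versions this page names as targets (OpenSSH 2.1.1, 1.2.3 and 2.2.0p1; SSH.com 1.2.26 through 1.2.31), and also flags an SSH listener on a port other than 22, since the compromised host in this incident ran a second sshd on 39999/tcp. The affected-version set is taken only from the page and is an assumption in that other versions may also be affected; the sample inventory records are constructed. The protocol check rests on the fact that the crc32 compensation attack detector belongs to the SSH protocol 1 packet layer, so a server announcing only "2.0" is reported separately.

```python
"""Inventory check for SSH version banners against the versions named in the
SSH crc32 compensation attack detector analysis (VU#945216).

Added example; version set and sample records are taken from / constructed for
the page, not from any vendor advisory."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Versions the page names: the attackers searched for "OpenSSH_2.1.1" and the
# exploit's target list names OpenSSH 1.2.3, OpenSSH 2.2.0p1 and
# SSH.com 1.2.26-1.2.31. Treating only these as affected is an assumption.
AFFECTED_OPENSSH = {"1.2.3", "2.1.1", "2.2.0p1"}
AFFECTED_SSHCOM = {f"1.2.{patch}" for patch in range(26, 32)}

# Identification string layout: SSH-protoversion-softwareversion [comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$"
)


@dataclass
class Finding:
    host: str
    port: int
    banner: str
    reasons: list = field(default_factory=list)


def parse_banner(banner: str) -> Optional[dict]:
    """Split an identification string into proto/software/comment, or None
    when the service did not answer with an SSH banner at all."""
    m = BANNER_RE.match(banner.strip())
    return m.groupdict() if m else None


def speaks_protocol_1(proto: str) -> bool:
    """The detector is protocol-1 code: '1.5' is a protocol-1-only server and
    '1.99' means protocol 1 is still enabled alongside protocol 2."""
    return proto in ("1.5", "1.99")


def affected_version(software: str) -> bool:
    """True if the software string is one of the versions the page names."""
    m = re.match(r"^OpenSSH[_-](?P<ver>\S+)$", software)
    if m:
        return m.group("ver") in AFFECTED_OPENSSH
    # SSH.com 1.x announces a bare version number, e.g. "SSH-1.5-1.2.31".
    return software in AFFECTED_SSHCOM


def classify(host: str, port: int, banner: str) -> Finding:
    """Attach every reason a record deserves attention (may be none)."""
    f = Finding(host, port, banner)
    parsed = parse_banner(banner)
    if parsed is None:
        f.reasons.append("unparseable banner")
        return f
    if port != 22:
        # The compromised host in the page ran a second sshd on 39999/tcp.
        f.reasons.append(f"ssh listener on non-standard port {port}")
    if affected_version(parsed["software"]):
        if speaks_protocol_1(parsed["proto"]):
            f.reasons.append(
                f"affected version {parsed['software']} with protocol 1 enabled"
            )
        else:
            f.reasons.append(
                f"affected version {parsed['software']} but protocol 1 disabled"
            )
    return f


def scan_inventory(records):
    """Return only the (host, port, banner) records that need attention."""
    return [f for f in (classify(*r) for r in records) if f.reasons]


# Constructed sample: what an internal banner sweep might return.
SAMPLE = [
    ("10.0.0.5", 22, "SSH-1.99-OpenSSH_2.1.1"),
    ("10.0.0.5", 39999, "SSH-1.99-OpenSSH_2.1.1"),
    ("10.0.0.7", 22, "SSH-1.5-1.2.31"),
    ("10.0.0.8", 22, "SSH-2.0-OpenSSH_2.9p2"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_2.2.0p1"),
    ("10.0.0.10", 22, "220 not-an-ssh-service"),
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE):
        print(f"{f.host}:{f.port} {f.banner!r}")
        for reason in f.reasons:
            print("   -", reason)
```

Feed it the output of an authorised banner sweep of your own address space; hosts reported with protocol 1 enabled are the ones the page's attackers would have matched, and any listener away from 22/tcp is worth comparing against the host's known service configuration.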

Analysis of the compromised system revealed that 47067 addresses had
been scanned (totalling 25386 unique hosts -- it is not clear why
there is such a large overlap.) Of the hosts scanned, 1244 vulnerable
hosts were identified, and the intruders had successfully exploited
and entered 4 hosts before the system was taken off-line on October 8.

Other reports of 22/tcp scanning have come in since October 8, and it
is believed that this exploit is circulating among IRC chat channels.

The exploit does not work against systems that use access control
restrictions (e.g., SSH.com's "AllowHosts" or "DenyHosts" settings)
or packet level filters (e.g., ipchains, iptables, ipf) which would
prevent a host from attempting to exchange public keys. The
vulnerability requires being able to enter cryptographic key exchange
negotiation with the server to properly manipulate the stack.

Continue this article at Linux Security.com.
