"; offset:8; depth:14; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
鉴别你的主机是否存在此漏洞
===========================
你可以使用 Jeremy Mates 编写的 ssh_scan.pl[8] 和 Niels Provos 编写的 ScanSSH 扫描程序[9]
来鉴别 SSH 服务及其版本。
Russell Fulton 也公布了一个用来处理 Argus[10] 日志的脚本程序，包含在下面的附录中。
----------------------------------------------------------------------------
参考
========
[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
http://www.all.net/ForensiX/plac.html
[2] Netcat, by der Hobbit
http://www.l0pht.com/~weld/netcat/
[3] Reverse Engineer's Query Tool
http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz
[4] LiSt Open Files (lsof)
http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz
[5] ngrep, by Jordan Ritter
http://www.packetfactory.net/projects/ngrep/
[6] Snort
http://www.snort.org/
[7] 7350.org / 7350
http://www.7350.org/
http://www.team-teso.org/about.php (see the bottom)
[8] Jeremy Mates 提供的ssh_scan.pl
http://sial.org/code/perl/scripts/ssh_scan.pl.html
[9] Niels Provos提供的ScanSSH 扫描程序
http://www.monkey.org/~provos/scanssh/
[10] Argus - 网络传输审核工具
http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1
[11] tcpdump
http://staff.washington.edu/dittrich/misc/sshdx.dump
[12] tcpreplay
http://packages.debian.org/testing/net/tcpreplay.html
Appendix A
==========
两个扫描脚本如下
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.
# Vulnerability status of the SSH server banners seen on the scanned
# networks, keyed by the exact version string the server sends.
# Values: 'affected', 'not affected', 'unknown', or
# 'affected w/Version 1 fallback' (flagged as affected through its
# protocol-1 fallback).  Entries in the table were taken from the
# advisories listed in the header; extend it as new banners turn up.
our %affected = (
    # Placeholder used by the input loop for servers that could not be
    # identified (access restrictions, banner text, timeouts).
    'Unknown'                  => 'unknown',

    # SSH-1.4 / SSH-1.5 banners, 1.2.x and 1.3.x servers
    'SSH-1.4-1.2.14'           => 'not affected',
    'SSH-1.4-1.2.15'           => 'not affected',
    'SSH-1.4-1.2.16'           => 'not affected',
    'SSH-1.5-1.2.17'           => 'not affected',
    'SSH-1.5-1.2.18'           => 'not affected',
    'SSH-1.5-1.2.19'           => 'not affected',
    'SSH-1.5-1.2.20'           => 'not affected',
    'SSH-1.5-1.2.21'           => 'not affected',
    'SSH-1.5-1.2.22'           => 'not affected',
    'SSH-1.5-1.2.23'           => 'not affected',
    'SSH-1.5-1.2.24'           => 'affected',
    'SSH-1.5-1.2.25'           => 'affected',
    'SSH-1.5-1.2.26'           => 'affected',
    'SSH-1.5-1.2.27'           => 'affected',
    'SSH-1.5-1.2.28'           => 'affected',
    'SSH-1.5-1.2.29'           => 'affected',
    'SSH-1.5-1.2.30'           => 'affected',
    'SSH-1.5-1.2.31'           => 'affected',
    'SSH-1.5-1.2.31a'          => 'not affected',
    'SSH-1.5-1.2.32'           => 'not affected',
    'SSH-1.5-1.3.7'            => 'not affected',

    # Vendor-specific SSH-1.5 banners
    'SSH-1.5-Cisco-1.25'       => 'unknown',
    'SSH-1.5-OSU_1.5alpha1'    => 'unknown',

    # OpenSSH announcing protocol 1 only
    'SSH-1.5-OpenSSH-1.2'      => 'affected',
    'SSH-1.5-OpenSSH-1.2.1'    => 'affected',
    'SSH-1.5-OpenSSH-1.2.2'    => 'affected',
    'SSH-1.5-OpenSSH-1.2.3'    => 'affected',
    'SSH-1.5-OpenSSH_2.5.1'    => 'not affected',
    'SSH-1.5-OpenSSH_2.5.1p1'  => 'not affected',
    'SSH-1.5-OpenSSH_2.9p1'    => 'not affected',
    'SSH-1.5-OpenSSH_2.9p2'    => 'not affected',
    'SSH-1.5-RemotelyAnywhere' => 'not affected',

    # SSH-1.99 banners (both protocols), 2.x / 3.x servers
    'SSH-1.99-2.0.11'          => 'affected w/Version 1 fallback',
    'SSH-1.99-2.0.12'          => 'affected w/Version 1 fallback',
    'SSH-1.99-2.0.13'          => 'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0.pl2'       => 'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0'           => 'affected w/Version 1 fallback',
    'SSH-1.99-2.2.0'           => 'affected w/Version 1 fallback',
    'SSH-1.99-2.3.0'           => 'affected w/Version 1 fallback',
    'SSH-1.99-2.4.0'           => 'affected w/Version 1 fallback',
    'SSH-1.99-3.0.0'           => 'affected w/Version 1 fallback',
    'SSH-1.99-3.0.1'           => 'affected w/Version 1 fallback',

    # OpenSSH announcing both protocols
    'SSH-1.99-OpenSSH-2.1'     => 'affected',
    'SSH-1.99-OpenSSH_2.1.1'   => 'affected',
    'SSH-1.99-OpenSSH_2.2.0'   => 'affected',
    'SSH-1.99-OpenSSH_2.2.0p1' => 'affected',
    'SSH-1.99-OpenSSH_2.3.0'   => 'not affected',
    'SSH-1.99-OpenSSH_2.3.0p1' => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1'   => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p1' => 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p2' => 'not affected',
    'SSH-1.99-OpenSSH_2.5.2p2' => 'not affected',
    'SSH-1.99-OpenSSH_2.9.9p2' => 'not affected',
    'SSH-1.99-OpenSSH_2.9'     => 'not affected',
    'SSH-1.99-OpenSSH_2.9p1'   => 'not affected',
    'SSH-1.99-OpenSSH_2.9p2'   => 'not affected',
    'SSH-1.99-OpenSSH_3.0p1'   => 'not affected',

    # SSH-2.0 banners (protocol 2 only)
    'SSH-2.0-1.1.1'            => 'unknown',
    'SSH-2.0-2.3.0'            => 'affected w/Version 1 fallback',
    'SSH-2.0-2.4.0'            => 'affected w/Version 1 fallback',
    'SSH-2.0-3.0.0'            => 'affected w/Version 1 fallback',
    'SSH-2.0-3.0.1'            => 'affected w/Version 1 fallback',
    'SSH-2.0-OpenSSH_2.5.1p1'  => 'not affected',
    'SSH-2.0-OpenSSH_2.5.2p2'  => 'not affected',
    'SSH-2.0-OpenSSH_2.9.9p2'  => 'not affected',
    'SSH-2.0-OpenSSH_2.9p2'    => 'not affected',
);
# Make SURE you read the code first.
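IKnowWhatImDoing();

# "-a" lists every server; by default servers whose version is known to
# be "not affected" are left out of the report.
my $all = 0;
if (@ARGV && $ARGV[0] eq "-a") {
    $all = 1;
    shift @ARGV;
}

# Version-column strings that mean the scanner could not identify the
# server (access restrictions, banner text, timeouts).  Adjust this to
# match other strings your scanner reports; they all fall under
# "Unknown" and are looked up as such in %affected.
my %unknown_marker = map { $_ => 1 } ("Couldn't", "Unknown", "You", "timeout");

# Host name keyed by "version:ip", so that sorting the keys groups the
# hosts by server version (the report's two-level break).
# NOTE(review): the published copy of this loop had lost its "||"
# operators and hash subscripts in transit; they are restored here from
# the code that follows (%server is iterated and each key split on ":").
my %server;

# NOTE: <> opens the names in @ARGV with 2-arg open semantics, so pass
# only scan-result files you control, or feed them on STDIN.
while (<>) {
    chomp;    # chop would also eat the last character of a line with no newline
    my ($ip, $host, $version) = split(' ', $_);    # split ' ' collapses whitespace runs
    next unless defined $ip;                        # blank line
    $host = "" unless defined $host;
    $version = "Unknown"
        if !defined $version || $unknown_marker{$version};
    $server{"$version:$ip"} = $host;
}

# Print a version heading whenever the version changes, then one line
# per host under it.  Versions missing from %affected are reported as
# "unknown" instead of an empty status.
my $curver = "";
foreach my $key (sort keys %server) {
    my ($version, $ip) = split(":", $key, 2);
    my $status = defined $affected{$version} ? $affected{$version} : "unknown";
    next if $status eq "not affected" && !$all;
    if ($curver ne $version) {
        printf("\n\n%s (%s)\n", $version, $status);
        $curver = $version;
    }
    print " " . $server{$key} . "($ip)\n";
}
exit(0);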
# Safety interlock: the script refuses to run until someone has opened
# the file and flipped the flag below, so the "affected" table and its
# caveats get read before the report is trusted.  Always dies unless
# the flag line is uncommented; returns nothing.
sub IKnowWhatImDoing {
    my $acknowledged = 0;
    # Uncomment the following line to make this script work.
    # $acknowledged = 1;
    if (!$acknowledged) {
        die "I told you to read the code first, didn't I?\n";
    }
    return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
关键词:对于SSH crc32 compensation attack detector exploit 的区分