8761870 2002-07-22 16:43 -0700 /78 lines/ <auto458545@hushmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23 02:52 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23176>
Subject: SSH Protocol Trick
------------------------------------------------------------
From: auto458545@hushmail.com
To: bugtraq@securityfocus.com
Message-ID: <200207222343.g6MNhfY13217@mailserver4.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SSH Protocol Weakness Advisory
Monday, July 22 2002
- - rtm

OK, here it is guys... I saw this today when I was looking at the newest
issue of phrack (59) and I discovered that an old little technique of SSH
man in the middle attacks I had been working on was now part of a Phrack
article....
Luckily, source code hadn't been disclosed yet, and neither will mine. I
just wanted to get this issue out in the open so people could secure
themselves while they can.
Remember, that the ssh daemon

So far, all vendors are vulnerable to this little trick, including
commercial based SSH and OpenSSH.
http://www.ssh.com
http://www.openssh.com

You can find more details about the attack at
http://www.sekurityfocus.com/phrack59/
(Note: this is a leaked copy of phrack magazine which is not endorsed by
phrack.org)

Basically, ssh daemons advertise one of two major versions, depending on
what is supported by the software /configuration files, for SSH protocol
version 1, or 2. Compatibility mode is enabled with a version of 1.99. It
is servers which advertise this compatibility mode of 1.99 which are
vulnerable to the attack. Servers in compatibility mode have both
protocols 1 and 2 enabled.
If the client has a key enabled for say, only SSH protocol 1 or 2, the
malicious interloper, "Mallory," using ssh mitm arp techniques which are
available in say, ettercap or dsniff, can advertise the opposite protocol
in the fake sshd version string used in the banner handshake.
If a client has only used say, SSH 1 authentication in the past, it will
not contain a SSH2 key, so no "Host Identification has changed" message
will be present when the fake server advertises its public host key. The
targeted victim will only see a "KEY NOT PRESENT" prompt and will be asked
if they want to add the key.
Obviously, this removes some of the fear paranoid users would feel when
facing a real mitm attack.
Remember, this is not a direct vulnerability in the SSH 1 or 2 protocols,
but rather a slight trick that can be abused.

POTENTIAL SOLUTIONS
- -------------------

Client-Based:
Check known_hosts and known_hosts2 in your ~/.ssh directory, and check to
see which keys you use for each host. If you only use ssh1, force the ssh
protocol to protocol 1, by specifying the -1 option. Or if you use ssh2,
force the ssh protocol 2 with the -2 option. If you receive a hostkey
change identification, you know something must be up!

Server-Based:
Disable sshd? <- Isn't this always the best security approach, especially
now? :)
Really, there isn't anything to do except mail users and tell them which
protocol to force, and to ensure that strict host key checking is always
on!

I guess we'll have to wait for the vendors to release an inventive patch
for this one...

Now, what I want to know is why somebody who works at SuSE has not been
publishing these details openly!?!

Thanks

A concerned citizen,
- -Robert

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAj08mS4YHGF1dG80NTg1NDVAaHVzaG1haWwuY29tAAoJEN2oSjCxkGUr
oE0An2t8pcJmQVvRk01QT73RG/BNQ0hCAKC8EhTnPVBsTo8riBacqTuFpvAFKw==
=TO7q
-----END PGP SIGNATURE-----
(8761870) /<auto458545@hushmail.com>/-----(Rewrapped)
Comment in text 8761891 by H D Moore <sflist@digitaloffense.net>
Comment in text 8764587 by Richard Miller <rm@segfault.net>
Comment in text 8764653 by stealth <stealth@segfault.net>
Comment in text 8766333 by Mikael Olsson <mikael.olsson@clavister.com>

8761891 2002-07-22 19:45 -0500 /37 lines/ H D Moore <sflist@digitaloffense.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23 03:07 by Brevbäraren
External recipient: auto458545@hushmail.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23177>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: H D Moore <sflist@digitaloffense.net>
To: auto458545@hushmail.com, bugtraq@securityfocus.com
Message-ID: <200207221945.43902.sflist@digitaloffense.net>

Ettercap has had this ability for months:

$ cat etter.filter.ssh
############################################################################
#                                                                          #
#  ettercap -- etter.filter -- filter chain file                           #
#                                                                          #
[ snip ]
##
#
#   This filter will substitute the SSH server response from SSH-1.99 to
#   SSH-1.51, so if the server supports both ssh1 and ssh2 we will force
#   it to use ssh1... ;)
#   server response :    SSH-1.99    both ssh1 and ssh2 supported
#                        SSH-1.51    only ssh1 supported
##
[ snip ]

http://ettercap.sf.net/

On Monday 22 July 2002 18:43, auto458545@hushmail.com wrote:
> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - rtm
>
> OK, here it is guys... I saw this today when I was looking at the newest
> issue of phrack (59) and I discovered that an old little technique of SSH
> man in the middle attacks I had been working on was now part of a Phrack
> article....
(8761891) /H D Moore <sflist@digitaloffense.net>/---

8764587 2002-07-23 14:16 +0000 /15 lines/ Richard Miller <rm@segfault.net>
Sent by: sectools-return-700-9599=lyskom.lysator.liu.se@securityfocus.com
Imported: 2002-07-23 16:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: sectools@securityfocus.com
External CC recipient: secprog@securityfocus.com
Recipient: SECTOOLS (import) <718>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
> OK, here it is guys... I saw this today when I was looking at the newest issue of phrack (59)

err, you became the victim of a bluff. The issue you read has been spread
by kids and contains a trojaned extract utility with heavily modified
articles.

Do not execute the extract utility of the fake or it will rm -rf your
harddrive.

The official PHRACK 59 has just been released and can be found at:
http://www.phrack.org/gogetit

-rm
(8764587) /Richard Miller <rm@segfault.net>/--------

8764653 2002-07-23 12:47 +0000 /71 lines/ stealth <stealth@segfault.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23 16:44 by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23189>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: stealth <stealth@segfault.net>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <20020723124739.GA23460@segfault.net>

On Mon, Jul 22, 2002 at 04:43:41PM -0700, auto458545@hushmail.com wrote:

Hi,

<note-to-moderator>
I'd appreciate if you can approve this ;-)
</..>

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - - rtm
>
> OK, here it is guys...
> I saw this today when I was looking at the newest issue of phrack (59)
> and I discovered that an old little technique of SSH man in the middle attacks I had been working
> on was now part of a Phrack article....

Obviously half of the world already knew all of the tricks. If so why
didn't *YOU* tell it to the world??

> Luckily, source code hadn't been disclosed yet, and neither will mine. I just wanted to get this
> issue out in the open so people could secure themselves while they can.
> Remember, that the ssh daemon
>
> So far, all vendors are vulnerable to this little trick, including commercial based SSH and OpenSSH.
> http://www.ssh.com
> http://www.openssh.com
>
> You can find more details about the attack at http://www.sekurityfocus.com/phrack59/
> (Note: this is a leaked copy of phrack magazine which is not endorsed by phrack.org)
>
> Basically, ssh daemons advertise one of two major versions, depending on what is supported by the
> software /configuration files, for SSH protocol version 1, or 2. Compatibility mode is enabled with a
> version of 1.99. It is servers which advertise this compatibility mode of 1.99 which are vulnerable to
> the attack. Servers in compatibility mode have both protocols 1 and 2 enabled.
> If the client has a key enabled for say, only SSH protocol 1 or 2, the malicious interloper, "Mallory,"
> using ssh mitm arp techniques which are available in say, ettercap or dsniff, can advertise the opposite
> protocol in the fake sshd version string used in the banner handshake.
> If a client has only used say, SSH 1 authentication in the past, it will not contain a SSH2 key, so
> no "Host Identification has changed" message will be present when the fake server advertises its public
> host key. The targeted victim will only see a "KEY NOT PRESENT" prompt and will be asked if they want
> to add the key.
> Obviously, this removes some of the fear paranoid users would feel when facing a real mitm attack.
> Remember, this is not a direct vulnerability in the SSH 1 or 2 protocols, but rather a slight trick that
> can be abused.
>

Good you explain it again. Better twice than once. :)
I am already in contact with SSH vendors. Might be that fixes are not
necessary because it's not a bug someone can exploit without help of the
user. The phrack article which is also available as .pdf paper is part of
research I do at university and was not meant for public before phrack59
is released. It is part of deeper research regarding weaknesses in SSH
(yes, there are more!) and nobody wants inaccurate or incomplete papers,
or do you like them Robert?
Additionally because leaks are expected especially in such topics like SSH
proto analyzation the "exploit" tool has not yet been released so kids
have no chance to do any harm.

thanks,
S.
(8764653) /stealth <stealth@segfault.net>/(Rewrapped)

8766333 2002-07-23 22:46 +0200 /35 lines/ Mikael Olsson <mikael.olsson@clavister.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23 23:41 by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23194>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: Mikael Olsson <mikael.olsson@clavister.com>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <3D3DC0B8.8D8366C@clavister.com>

auto458545@hushmail.com wrote:
>
> It is servers which advertise this compatibility mode of 1.99 which are
> vulnerable to the attack. Servers in compatibility mode have both
> protocols 1 and 2 enabled.

Just pointing out a small mistake here: running servers in compatibility
mode is NOT what causes the problem, and the reverse is also true: running
a server in forced v1 or v2 mode doesn't help.
If you want a "workaround", it'd be forcing all your SSH clients to use a
specific SSH version, but that's seldom a viable alternative.

Then again, the best solution is probably educating all your users to
always verify host fingerprints (hahahaha) or forcing public key auth
instead of password auth (usually more viable) in your servers. People are
more likely to notice "public key auth failed" rather than the old "new
host key" message.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"It's July. I'm on vacation. Can't you tell? :)"
(8766333) /Mikael Olsson <mikael.olsson@clavister.com>/(Rewrapped)

8774666 2002-07-24 23:44 +0200 /38 lines/ Markus Friedl <markus@openbsd.org>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 23:39 by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23259>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: Markus Friedl <markus@openbsd.org>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <20020724214414.GA30290@folly>

> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - rtm

It's not really a protocol weakness, it's an annoyance caused by the fact
that there are multiple types of hostkeys, see the discussion at

    http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4

Ssharp uses clever tricks to attack users by exploiting this annoyance.

However, a MITM attack is always possible if the ssh client prints:

    The authenticity of host 'jajajaja' can't be established.

The client in the next OpenSSH release will print out all known keys for a
host if a server (or MITM) sends an unknown host key of a different type.
E.g.
if you connect to a host with protocol v2 for the first time, then the
client warns you if you already have a key for protocol v1, and so on.

That said, I'd like to repeat:

A MITM attack is always possible if the ssh client prints:

    The authenticity of host 'jajajaja' can't be established.

So better verify the key fingerprints.

Moreover, protocol version 2 with public key authentication allows you to
detect MITM attacks.
(8774666) /Markus Friedl <markus@openbsd.org>/------
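
Added example, not part of the thread and not OpenSSH source: a sketch of the client-side check discussed above, where a host key of a type never seen for a host is reported together with the key types already on file, instead of being treated as a plain first contact. The function names, host names and key material are constructed for illustration; only plain (unhashed) known_hosts entries are handled.

```python
# Added example (not OpenSSH code): classify an offered host key against
# known_hosts entries, flagging the cross-type case discussed in the thread.

def parse_known_hosts(text):
    """Return {hostname: {key_type: key_material}} for plain entries."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # comments, markers and hashed hostnames: out of scope
        fields = line.split()
        if len(fields) >= 4 and fields[1].isdigit():
            # Protocol 1 layout: hosts bits exponent modulus
            key_type, material = "rsa1", " ".join(fields[1:4])
        elif len(fields) >= 3:
            # Protocol 2 layout: hosts keytype base64-blob
            key_type, material = fields[1], fields[2]
        else:
            continue
        for host in fields[0].split(","):
            known.setdefault(host, {})[key_type] = material
    return known


def classify_offer(known, host, key_type, material):
    """Decide how a client should treat the key a server (or MITM) presents."""
    entries = known.get(host, {})
    if key_type in entries:
        return "match" if entries[key_type] == material else "CHANGED"
    if entries:
        # Host is already known, but only under other key types.
        return "NEW-TYPE (known types: %s)" % ", ".join(sorted(entries))
    return "unknown host"


# Constructed sample: the client has only ever used protocol 1 with shell.
SAMPLE = """\
# constructed known_hosts content, key material shortened
shell.example.org,192.0.2.10 1024 35 1409076329
git.example.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed
"""

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE)
    print(classify_offer(known, "shell.example.org", "ssh-rsa", "AAAAB3Nzother"))
    print(classify_offer(known, "shell.example.org", "rsa1", "1024 35 1409076329"))
```

A "NEW-TYPE" result is the case the thread is about: the host is not new, so the offered key deserves the same scrutiny as a changed key.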