8761870 2002-07-22 16:43 -0700  /78 lines/ <auto458545@hushmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23  02:52  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23176>
Subject: SSH Protocol Trick
------------------------------------------------------------
From: auto458545@hushmail.com
To: bugtraq@securityfocus.com
Message-ID: <200207222343.g6MNhfY13217@mailserver4.hushmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SSH Protocol Weakness Advisory
Monday, July 22 2002
- - rtm

OK, here it is guys... I saw this today when I was looking at the
newest issue of phrack (59) and I discovered that an old little
technique of SSH man in the middle attacks I had been working on was
now part of a Phrack article....  Luckily, source code hadn't been
disclosed yet, and neither will mine. I just wanted to get this issue
out in the open so people could secure themselves while they can.
Remember, that the ssh daemon

So far, all vendors are vulnerable to this little trick, including
commercial based SSH and OpenSSH.  http://www.ssh.com
http://www.openssh.com

You can find more details about the attack at http://www.sekurityfocus.com/phrack59/
(Note: this is a leaked copy of phrack magazine which is not endorsed by phrack.org)

Basically, ssh daemons advertise one of two major versions, depending
on what is supported by the software/configuration files, for SSH
protocol version 1, or 2. Compatibility mode is enabled with a
version of 1.99. It is servers which advertise this compatibility
mode of 1.99 which are vulnerable to the attack. Servers in
compatability mode have both protocols 1 and 2 enabled.  If the
client has a key enabled for say, only SSH protocol 1 or 2, the
malicious interloper, "Mallory," using ssh mitm arp techniques which
are available in say, ettercap or dsniff, can advertise the opposite
protocol in the fake sshd version string used in the banner
handshake.  If a client has only used say, SSH 1 authentication in
the past, it will not contain a SSH2 key, so no "Host Identification
has changed" message will be present when the fake server advertises
its public host key. The targeted victim will only see a "KEY NOT
PRESENT" prompt and will be asked if they want to add the key.
Obviously, this removes some of the fear paranoid users would feel
when facing a real mitm attack.  Remember, this is not a direct
vulnerability in the SSH 1 or 2 protocols, but rather a slight trick
that can be abused.


POTENTIAL SOLUTIONS
- -------------------
Client-Based:
Check known_hosts and known_hosts2 in your ~/.ssh directory, and check to see which keys you use for each host.
If you only use ssh1, force the ssh protocol to protocol 1, by specifying the -1 option.
Or if you use ssh2, force the ssh protocol 2 with the -2 option.
If you receive a hostkey change identification, you know something must be up!

Server-Based: Disable sshd? <- Isn't this always the best security
approach, especially now? :) Really, there isn't anything to do
except mail users and tell them which protocol to force, and to
ensure that strict host key checking is always on!

I guess we'll have to wait for the vendors to release an inventive
patch for this one...  Now, what I want to know is why somebody who
works at SuSE has not been publishing these details openly!?!


Thanks
A concerned citizen,
- -Robert
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAj08mS4YHGF1dG80NTg1NDVAaHVzaG1haWwuY29tAAoJEN2oSjCxkGUr
oE0An2t8pcJmQVvRk01QT73RG/BNQ0hCAKC8EhTnPVBsTo8riBacqTuFpvAFKw==
=TO7q
-----END PGP SIGNATURE-----


(8761870) /<auto458545@hushmail.com>/-----(Reflowed)
Comment in text 8761891 by H D Moore <sflist@digitaloffense.net>
Comment in text 8764587 by Richard Miller <rm@segfault.net>
Comment in text 8764653 by stealth <stealth@segfault.net>
Comment in text 8766333 by Mikael Olsson <mikael.olsson@clavister.com>
8761891 2002-07-22 19:45 -0500  /37 lines/ H D Moore <sflist@digitaloffense.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23  03:07  by Brevbäraren
External recipient: auto458545@hushmail.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23177>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: H D Moore <sflist@digitaloffense.net>
To: auto458545@hushmail.com, bugtraq@securityfocus.com
Message-ID: <200207221945.43902.sflist@digitaloffense.net>

Ettercap has had this ability for months:

$ cat etter.filter.ssh
############################################################################
#                                                                          #
#  ettercap -- etter.filter -- filter chain file                           #
#                                                                          #
[ snip ]

##
#
#   This filter will substitute the SSH server response from SSH-1.99 to
#   SSH-1.51, so if the server supports both ssh1 and ssh2 we will force
#   it to use ssh1... ;)
#   server response :    SSH-1.99    both ssh1 and ssh2 supported
#                        SSH-1.51    only ssh1 supported
##
[ snip ]


http://ettercap.sf.net/

On Monday 22 July 2002 18:43, auto458545@hushmail.com wrote:
> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - rtm
>
> OK, here it is guys... I saw this today when I was looking at the newest
> issue of phrack (59) and I discovered that an old little technique of SSH
> man in the middle attacks I had been working on was now part of a Phrack
> article....
(8761891) /H D Moore <sflist@digitaloffense.net>/---
8764587 2002-07-23 14:16 +0000  /15 lines/ Richard Miller <rm@segfault.net>
Sent by: sectools-return-700-9599=lyskom.lysator.liu.se@securityfocus.com
Imported: 2002-07-23  16:35  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: sectools@securityfocus.com
External CC recipient: secprog@securityfocus.com
Recipient: SECTOOLS (import) <718>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
> OK, here it is guys... I saw this today when I was looking at the newest issue
> of phrack (59)

err, you became the victim of a bluff.
The issue you read has been spread by kids and contains a trojaned
extract utility with heavily modified articles.
Do not execute the extract utility of the fake or it will rm -rf your
harddrive.

The official PHRACK 59 has just been released and can be found at:
http://www.phrack.org/gogetit

-rm
(8764587) /Richard Miller <rm@segfault.net>/--------
8764653 2002-07-23 12:47 +0000  /71 lines/ stealth <stealth@segfault.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23  16:44  by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23189>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: stealth <stealth@segfault.net>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <20020723124739.GA23460@segfault.net>

On Mon, Jul 22, 2002 at 04:43:41PM -0700, auto458545@hushmail.com
wrote:

Hi,

<note-to-moderator>
I'd appreciate if you can approve this ;-)
</..>

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> SSH Protocol Weakness Advisory
> Monday, July 22 2002
> - - rtm
> 
> OK, here it is guys... I saw this today when I was looking at the newest issue of phrack (59)
> and I discovered that an old little technique of SSH man in the middle attacks I had been working
> on was now part of a Phrack article....
Obviously half of the world already knew all of the tricks.
If so, why didn't *YOU* tell it the world??

> Luckily, source code hadn't been disclosed yet, and neither will mine. I just wanted to get this
> issue out in the open so people could secure themselves while they can.
> Remember, that the ssh daemon
> 
> So far, all vendors are vulnerable to this little trick, including commercial based SSH and OpenSSH.
> http://www.ssh.com
> http://www.openssh.com
> 
> You can find more details about the attack at http://www.sekurityfocus.com/phrack59/
> (Note: this is a leaked copy of phrack magazine which is not endorsed by phrack.org)
> 
> Basically, ssh daemons advertise one of two major versions, depending on what is supported by the
> software /configuration files, for SSH protocol version 1, or 2. Compatibility mode is enabled with a
> version of 1.99. It is servers which advertise this compatibility mode of 1.99 which are vulnerable to
> the attack. Servers in compatibility mode have both protocols 1 and 2 enabled.
> If the client has a key enabled for say, only SSH protocol 1 or 2, the malicious interloper, "Mallory,"
> using ssh mitm arp techniques which are available in say, ettercap or dsniff, can advertise the opposite
> protocol in the fake sshd version string used in the banner handshake.
> If a client has only used say, SSH 1 authentication in the past, it will not contain a SSH2 key, so
> no "Host Identification has changed" message will be present when the fake server advertises its public
> host key. The targeted victim will only see a "KEY NOT PRESENT" prompt and will be asked if they want
> to add the key.
> Obviously, this removes some of the fear paranoid users would feel when facing a real mitm attack.
> Remember, this is not a direct vulnerability in the SSH 1 or 2 protocols, but rather a slight trick that
> can be abused.
>
Good you explain it again. Twice is better than once. :)

I am already in contact with SSH vendors. Might be that fixes are not
necessary because it's not a bug someone can exploit without help of
the user.

The phrack article which is also available as .pdf paper is part of
research I do at university and was not meant for public before
phrack59 is released. It is part of deeper research regarding
weaknesses in SSH (yes, there are more!) and nobody wants inaccurate
or incomplete papers, or do you like them Robert?

Additionally because leaks are expected especially in such topics
like SSH proto analyzation the "exploit" tool has not yet been
released so kids have no chance to do any harm.

thanks,
S.
(8764653) /stealth <stealth@segfault.net>/(Reflowed)
8766333 2002-07-23 22:46 +0200  /35 lines/ Mikael Olsson <mikael.olsson@clavister.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23  23:41  by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23194>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: Mikael Olsson <mikael.olsson@clavister.com>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <3D3DC0B8.8D8366C@clavister.com>



auto458545@hushmail.com wrote:
> 
> It is servers which advertise this compatibility mode of 1.99 which are 
> vulnerable to the attack. Servers in compatibility mode have both 
> protocols 1 and 2 enabled.

Just pointing out a small mistake here: running servers in
compatibility mode is NOT what causes the problem, and the reverse is
also true: running a server in forced v1 or v2 mode doesn't help.

If you want a "workaround", it'd be forcing all your SSH clients to
use a specific SSH version, but that's seldom a viable alternative.

Then again, the best solution is probably educating all your users to
always verify host fingerprints (hahahaha) or forcing public key auth
instead of password auth (usually more viable) in your servers. People
are more likely to notice "public key auth failed" rather than the old
"new host key" message.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"It's July. I'm on vacation. Can't you tell? :)"
(8766333) /Mikael Olsson <mikael.olsson@clavister.com>/(Reflowed)

8774666 2002-07-24 23:44 +0200  /38 lines/ Markus Friedl <markus@openbsd.org>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25  23:39  by Brevbäraren
External recipient: auto458545@hushmail.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23259>
Comment to text 8761870 by <auto458545@hushmail.com>
Subject: Re: SSH Protocol Trick
------------------------------------------------------------
From: Markus Friedl <markus@openbsd.org>
To: auto458545@hushmail.com
Cc: bugtraq@securityfocus.com
Message-ID: <20020724214414.GA30290@folly>

> SSH Protocol Weakness Advisory Monday, July 22 2002 - rtm

It's not really a protocol weakness, it's an annoyance caused by
the fact that there are multiple types of hostkeys, see the
discussion at
        http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4

Ssharp uses clever tricks to attack users by exploiting this
annoyance.  However, a MITM attack is always possible if the ssh
client prints:

	The authenticity of host 'jajajaja' can't be established.

The client in the next OpenSSH release will print out all known
keys for a host if a server (or MITM) sends an unknown host key
of a different type.

E.g. if you connect to a host with protocol v2 for the first
time, then the client warns you if you already have a key
for protocol v1, and so on.

That said, I'd like to repeat:

A MITM attack is always possible if the ssh client prints:

	The authenticity of host 'jajajaja' can't be established.

So better verify the key fingerprints.

Moreover, protocol version 2 with public key authentication allows
you to detect MITM attacks.
(8774666) /Markus Friedl <markus@openbsd.org>/------
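
Added example, not part of the thread and not OpenSSH's code: a Python version of the client-side check discussed above, covering both the known_hosts / known_hosts2 review suggested in the original advisory and the warning Markus Friedl describes for an unknown host key of a different type. The function names, the "rsa1" label for protocol 1 keys and the sample hosts and key material are assumptions made for this example.

```python
def parse_known_hosts(text):
    """Return {hostname: {key_type: key_material}} from known_hosts text.

    Handles protocol 1 lines (host bits exponent modulus) and protocol 2
    lines (host keytype base64); hashed (|1|...) and @marker lines are skipped.
    """
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if fields[1].isdigit():                  # protocol 1 RSA key
            if len(fields) < 4:
                continue
            key_type, material = "rsa1", " ".join(fields[1:4])
        else:                                    # protocol 2 key
            key_type, material = fields[1], fields[2]
        for host in fields[0].split(","):
            known.setdefault(host, {})[key_type] = material
    return known


def classify(known, host, key_type, material):
    """Decide what the client should report for a key offered by `host`."""
    keys = known.get(host, {})
    if key_type in keys:
        return "match" if keys[key_type] == material else "CHANGED"
    if keys:
        # Host is known, but only under other key types: the case where a
        # plain "unknown host" prompt would hide a possible MITM.
        return "NEW-TYPE (known: %s)" % ", ".join(sorted(keys))
    return "first-contact"


# Constructed sample entries; hosts and key material are placeholders.
SAMPLE = """\
# protocol 1 entry, as stored in known_hosts
shell.example.org,192.0.2.10 1024 35 1098765432109876543210
# protocol 2 entry, as stored in known_hosts2
mail.example.org ssh-rsa AAAAconstructedkeyblob
"""

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE)
    offers = [("shell.example.org", "ssh-rsa", "AAAAotherblob"),
              ("mail.example.org", "ssh-rsa", "AAAAdifferentblob"),
              ("new.example.org", "ssh-dss", "AAAAnewblob")]
    for host, key_type, material in offers:
        print(host, key_type, "->", classify(known, host, key_type, material))
```

A "NEW-TYPE" result is the situation the thread is about: the host already has a key on file, so an unexpected key of another type deserves the same scrutiny as a changed key.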