[Snort-sigs] Documentation (#1325)

nicholas black dank at ...1582...
Mon Jun 9 12:19:13 EDT 2003


---------------------------------
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:3;)
--
Sid:
1325
--
Summary:
An attempt may have been made to exploit the SSH attack detection code.
--
Impact:
Vulnerable SSH servers will allow code to be run with the daemon's access.
--
Detailed Information:
A protocol weakness in SSH1 opened all compliant servers to an
information integrity vulnerability allowing block cipher-encrypted
packets to be modified silently by an intermediary attacker.  Patches
were developed to defend against this weakness, but several servers
contained an exploitable integer overflow within detection code.

A successful attack will allow corruption of the ssh daemon, allowing
code to be run with its privileges.
--
Affected Systems:
OpenSSH prior to 2.3.0 (2000-11)
Non-commercial SSH.com Secure Shell 1.2.24 through 1.2.31
--
Attack Scenarios:
Once a session is initiated with the remote SSH server and block
ciphering is agreed upon, successfully forcing a CRC32 check opens up
room for the exploit (which is publicly available).  Exploiting the
integer overflow is generally a brute-force process, which may generate
several log lines of the form:

hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
--
Ease of Attack:
The exploit is public, but most servers are now likely updated.
--
False Positives:
Possible (especially in the face of null encryption), but unlikely.
Look for several log lines of the type described above.
--
False Negatives:
This signature works by looking for "filler space" in the exploit, used
to properly size a heap overflow.  Clever exploits can quite easily
change the information placed here.
--
Corrective Action:
SSH1 is a fatally flawed protocol, long deprecated in favor of SSH2.
Unless interoperability demands it, SSH1 should not be used.  Upgrade
versions of SSH to the newest release.
--
Contributors:
Original signature author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
-- 
Additional References:
CERT Advisory:  http://www.cert.org/advisories/CA-2001-35.html
---------------------------------
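As an added example (not part of the original post or the Snort rule set), the following Python mirrors the two detection points above: the rule's content match (eighteen 0x00 filler bytes on a to-server TCP/22 flow) and the repeated sshd "crc32 compensation attack" disconnects that the Attack Scenarios and False Positives sections say should corroborate an alert. The syslog lines are constructed, and the threshold of three disconnects per host is an assumption, not a value from the post.

```python
import re
from collections import Counter

# Content option of sid:1325: eighteen consecutive 0x00 bytes, the "filler"
# the exploit uses to size its heap overflow.
FILLER = bytes(18)


def sid1325_matches(dst_port: int, to_server: bool, payload: bytes) -> bool:
    """Mimic the rule: TCP to port 22, flow to_server, filler anywhere in payload."""
    return dst_port == 22 and to_server and FILLER in payload


# Constructed sshd syslog excerpt (not from a real host) in the format the
# documentation describes; one unrelated line is included as a control.
SAMPLE_LOG = """\
Jun  9 12:01:02 bastion sshd[4120]: Disconnecting: crc32 compensation attack: network attack detected
Jun  9 12:01:03 bastion sshd[4123]: Disconnecting: crc32 compensation attack: network attack detected
Jun  9 12:01:05 bastion sshd[4127]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jun  9 12:01:07 bastion sshd[4131]: Disconnecting: crc32 compensation attack: network attack detected
Jun  9 12:02:00 gateway sshd[812]: Disconnecting: crc32 compensation attack: network attack detected
"""

CRC32_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Disconnecting: crc32 compensation attack: network attack detected$"
)


def crc32_hits_per_host(log_text: str) -> Counter:
    """Count crc32-compensation disconnects per reporting host."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = CRC32_LINE.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_over_threshold(log_text: str, threshold: int = 3) -> list:
    """Hosts with at least `threshold` disconnects (assumed value): the repeated
    pattern that separates a brute-force attempt from a one-off false positive."""
    return sorted(h for h, n in crc32_hits_per_host(log_text).items() if n >= threshold)
```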

-- 
nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo