[Snort-sigs] Documentation (#1325)

nicholas black dank at ...1582...
Mon Jun 9 12:19:13 EDT 2003

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325;
An attempt may have been made to exploit the CRC32 compensation attack
detection code of an SSH1 server.  Vulnerable SSH servers will allow
arbitrary code to be run with the daemon's privileges.
Detailed Information:
A protocol weakness in SSH1 (the CRC32 insertion attack) left all
compliant servers open to an integrity vulnerability: an intermediary
attacker could silently modify block cipher-encrypted packets.  Detection
code was added to servers to defend against this weakness, but in several
implementations that detection code contained an exploitable integer
overflow.

A successful attack corrupts memory in the ssh daemon, allowing code to
be run with its privileges (normally root).
Affected Systems:
OpenSSH prior to 2.3.0 (2000-11)
Non-commercial SSH.com Secure Shell 1.2.24 through 1.2.31
Attack Scenarios:
Once a session is initiated with the remote SSH server and a block
cipher is agreed upon, the attacker sends the crafted packet that triggers
the integer overflow in the CRC32 detection code.  The exploit is
publicly available.  Because it must guess memory layout, the attack is
generally run by brute force, which may generate several log lines of
the form:

hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
Ease of Attack:
The exploit is public, but most servers are now likely updated.
False Positives:
Possible (especially when null encryption is in use, since 18 consecutive
zero bytes can then appear in legitimate data), but unlikely.  Corroborate
by looking for several sshd log lines of the type described above.
False Negatives:
This signature works by looking for the "filler space" in the exploit,
the run of null bytes used to size the heap overflow.  A modified exploit
can easily substitute other byte values here and evade the content match.
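The content match the signature performs and the log correlation suggested above, as an added example that is not part of the original documentation or of Snort itself. The sample payloads and log lines are constructed for the example, and the regular expression for the sshd line is an assumption based on the form quoted in the Attack Scenarios section. It also goes one step beyond the rule: a generic "long run of one repeated byte" check that still fires when an exploit swaps the null filler for another value, at the cost of more false positives.

```python
"""Added example: emulate what SID 1325 matches, show the documented
false negative and false positive, and count the sshd log lines the
text says to look for.  Not code from the original post or from Snort."""

import re
from collections import Counter
from typing import Iterable, Tuple

# SID 1325 matches 18 consecutive NUL bytes: the filler the public CRC32
# exploit uses to size its heap overflow.
FILLER = b"\x00" * 18

# Shape of the sshd line quoted in the documentation.  The hostname and pid
# layout are assumptions for this example.
CRC32_LOG_RE = re.compile(
    r"^(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Disconnecting: "
    r"crc32 compensation attack: network attack detected$"
)


def matches_sid_1325(payload: bytes) -> bool:
    """Emulate the rule's 'content' test: a plain substring search."""
    return FILLER in payload


def longest_repeat_run(payload: bytes) -> Tuple[int, int]:
    """Return (byte value, length) of the longest run of one repeated byte.

    Generalisation of the filler check: an exploit that replaces NULs with
    another byte defeats the content match but still carries a large,
    uniform filler, which this detects (with more false positives).
    """
    best = (-1, 0)
    i = 0
    while i < len(payload):
        j = i
        while j < len(payload) and payload[j] == payload[i]:
            j += 1
        if j - i > best[1]:
            best = (payload[i], j - i)
        i = j
    return best


def crc32_disconnects(lines: Iterable[str]) -> Counter:
    """Count 'crc32 compensation attack' disconnects per target hostname."""
    hits: Counter = Counter()
    for line in lines:
        m = CRC32_LOG_RE.match(line.strip())
        if m:
            hits[m.group("host")] += 1
    return hits


# Constructed sample payloads; none is real exploit traffic.
EXPLOIT_LIKE = b"\x00\x00\x01\x23" + b"\x00" * 40 + b"\x90" * 8 + b"\xcc"
EVASION = b"\x00\x00\x01\x23" + b"\x41" * 40 + b"\x90" * 8 + b"\xcc"
NULL_CIPHER_PADDING = b"GET\x00" + b"\x00" * 24   # benign, but matches
BENIGN = bytes(range(256))                          # no long runs at all

# Constructed sample log, as a brute-force run against host "gw" would leave.
SAMPLE_LOG = """\
gw sshd[1231]: Connection from 10.0.0.5 port 40123
gw sshd[1231]: Disconnecting: crc32 compensation attack: network attack detected
gw sshd[1232]: Disconnecting: crc32 compensation attack: network attack detected
gw sshd[1233]: Disconnecting: crc32 compensation attack: network attack detected
gw sshd[1234]: Accepted publickey for ops from 10.0.0.9
""".splitlines()

if __name__ == "__main__":
    for name, p in [("exploit-like", EXPLOIT_LIKE), ("evasion", EVASION),
                    ("null-cipher padding", NULL_CIPHER_PADDING),
                    ("benign", BENIGN)]:
        print(f"{name:20s} sid1325={matches_sid_1325(p)!s:5s} "
              f"longest run={longest_repeat_run(p)}")
    print("crc32 disconnects per host:", dict(crc32_disconnects(SAMPLE_LOG)))
```

Running it shows the three cases the documentation describes: the exploit-like payload matches, the evasion payload (same structure, 0x41 filler) does not, and the null-cipher padding matches despite being benign; the log count (3 for "gw") is the corroborating signal the False Positives section asks for.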
Corrective Action:
SSH1 is a fatally flawed protocol, long deprecated in favor of SSH2.
Unless interoperability demands it, SSH1 should not be used.  Upgrade to
a fixed release (OpenSSH 2.3.0 or later, or a patched SSH.com server).
Original signature author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Additional References:
CERT Advisory:  http://www.cert.org/advisories/CA-2001-35.html

nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo