[Snort-sigs] False Positives for SID 1838

Steve Kirk skirk at ...2382...
Wed Apr 7 11:57:06 EDT 2004

Below is an update for SID 1838 - SSH1 Server Banner overflow with 
VanDyke SecureCRT SSH clients.

In summary, I have seen other SSH clients connect to valid OpenSSH 
daemons, and those connections are triggering this rule.  The requested 
template is below - I've cut/pasted the SID's existing data and added to 
the False Positives section with my findings. 

If you need add'l info please let me know.


Steven Kirk - Director of IT
Insomniac Games, Inc.
skirk at ...2382...
tel +1 818 729 2495

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; classtype:misc-attack; sid:1838; rev:6;)


Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
sessions. This event is generated when an attempt is made to exploit
vulnerable versions of the SecureCRT SSH client.

System compromise, presenting the attacker with the opportunity to either
execute arbitrary code or crash the client.

Detailed Information:
Van Dyke Technologies SecureCRT is a client program that allows users to
connect to servers running the Secure Shell (SSH) daemon for remote
access via an encrypted TCP session.

A flaw in the SecureCRT client may result in arbitrary code execution
with the privileges of the user running the client.

A buffer overflow can be caused by a server sending an overly long
identifier string when using the SSH-1 protocol.

Affected Systems:
Van Dyke Technologies SecureCRT prior to version 4.0 beta 1

Not affected:
Van Dyke Technologies SecureCRT versions 3.2.2, 3.3.4, 3.4.6 and 4.0 beta 3.

Attack Scenarios:
The attacker would need to send an overly large SSH version 1 identifier
string to cause the overflow.

Exploit scripts are available.

Ease of Attack:
Simple. Exploits are available.

False Positives:
False Positives have been recorded by use of PuTTY SSH clients or SSH.COM's SSH clients connecting to various OpenSSH servers.

Banner payloads include:
SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix. (PuTTY -> Solaris 8)
SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924. (PuTTY -> FreeBSD 4.9)
SSH-1.99-OpenSSH_3.5p1. (SSH.com Client -> unknown OS)

False Negatives:
None known

Corrective Action:
Upgrade to the latest non-affected version of the software.

Sourcefire Research Team
Brian Caswell <brian.caswell at ...435...>
Nigel Houghton <nigel.houghton at ...435...>

Additional References:
bugtraq: 5287
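As an added example (not part of the post and not Sourcefire's or VanDyke's code), a small Python checker that measures the server identifier string the way the SSH specification frames it, up to the first line terminator: the three banners reported above are well under 200 bytes, whereas the rule's `isdataat:200,relative` only asserts that 200 payload bytes follow the `SSH-` match somewhere in the segment, wherever the identification line ends. The sample payloads, including the made-up key-exchange bytes and the overlong SSH-1 banner, are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Identification line shape, RFC 4253 s.4.2 (SSH-1 servers send the same form):
#   SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$")

def parse_banner(payload: bytes) -> Optional[Tuple[bytes, str, str, Optional[str]]]:
    """Return (raw_line, protoversion, softwareversion, comments) or None.

    Only the first line is the identifier string; key-exchange bytes a server
    may place in the same TCP segment are deliberately not counted.
    """
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    m = IDENT_RE.match(line)
    if not m:
        return None
    comments = m.group("comments")
    return (line, m.group("proto").decode("ascii", "replace"),
            m.group("soft").decode("ascii", "replace"),
            None if comments is None else comments.decode("ascii", "replace"))

def oversized_identifier(payload: bytes, limit: int = 200) -> bool:
    """True only when the identifier string itself is longer than `limit` bytes."""
    parsed = parse_banner(payload)
    return parsed is not None and len(parsed[0]) > limit

# Constructed samples: the three banners the post reports as false positives
# (trailing sentence period dropped), one banner followed by 300 bytes of
# made-up key-exchange data in the same segment, and an overlong SSH-1 banner.
BENIGN = [
    b"SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix\r\n",
    b"SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\r\n",
    b"SSH-1.99-OpenSSH_3.5p1\r\n",
]
BANNER_PLUS_KEX = BENIGN[2] + b"\x00\x00\x01\x2c\x0a\x14" + b"\x00" * 294
OVERLONG = b"SSH-1.5-" + b"A" * 250 + b"\r\n"

def classify(payloads):
    """Per payload: (identifier length, oversized?) so the two numbers can be compared."""
    return [(len(parse_banner(p)[0]), oversized_identifier(p)) for p in payloads]

if __name__ == "__main__":
    samples = BENIGN + [BANNER_PLUS_KEX, OVERLONG]
    for p, (n, bad) in zip(samples, classify(samples)):
        print(f"{'OVERSIZED' if bad else 'ok':9} id_len={n:3} segment={len(p):3}")
```

Run as a script it prints one line per sample; the segment with key-exchange bytes appended is 324 bytes long yet its identifier is only 22, which is the distinction a banner-length check has to make.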
