OpenSSH Rumors

Published: 2009-07-07
Last Updated: 2009-07-08 00:08:11 UTC
by Marcus Sachs (Version: 4)
6 comment(s)

Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use. We cannot confirm its existence, other than a DOS exploit for OpenSSH that is on Milw0rm. If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem) please let us know via our contact form. Again, no rumors and no links to discussions of rumors please. We need reports of active exploitation or other evidence that this is a real issue.

UPDATE 1:  One reader sent us a URL to a site showing the active exploitation of a vulnerable system that looks like it was recorded last Friday.  So far this is the only "evidence" of an attack.  It is against an older version of OpenSSH so if this is the source of the rumor, then it is NOT a problem with the most updated version.  Without giving away everything (Google is your friend if you want to find the original), here is a snip from the log:

anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22

  [+] 0wn0wn – anti-sec group
  [+] Target: xx.yy.143.133
  [+] SSH Port: 22

  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux xx.yy.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
 03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:17    7:26m 13:18  13:18  htop
sh-3.2# pwd
/root

UPDATE 2:  Just to make things interesting, here is an anonymous email we received today.  The author gave us permission to share the comments but not his/her name.

Expect the SSH exploit to be made public before BH/DC. I have proof that I can't share (sorry) that this exploit does exist, does not work against current versions of SSH, and is actively being used by members of the anti-sec movement.

However, you have no reason to believe anything I am telling you here, as it's nothing that could not have been made public by the single blog posting that (amazingly) became public yesterday. As well, I am not giving you my contact information, etc. So it's no more than a rumor I am giving you; sorry for that.

It would be really great, however, if you suggested that everyone upgrade OpenSSH to the newest version, on the off chance the rumor is true, though, right? No harm if you are getting bad information in that case.

Once it becomes public (sorry, I am being fed information by someone that wants me to keep it private, and in trust I can't share), I will have some logs I can forward on to you.

Of course, that "proof" may be the log file that we snipped above. Regardless, keep your OpenSSH updated, control access to it, and by all means turn it off if you don't need it (don't uninstall the updated binaries, just turn off the service; that way, if it's needed later, you won't accidentally have an out-of-date version running).
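As an added illustration, not part of the diary, the following POSIX shell script turns the advice above into a check: it parses an OpenSSH version banner, compares it against a minimum (5.2, the current upstream release when this was written), and reports on the OpenSSH installed on the local host. It assumes `sed` and `ssh -V` are available and that `ssh -V` prints the usual `OpenSSH_x.y...` banner; the banner strings quoted in the comments are constructed samples. The commands for stopping the service without removing the package are given in comments, since they change the host.

```sh
#!/bin/sh
# Added example, not code from the ISC diary: check an OpenSSH version
# banner against a minimum, then apply it to the local host. The banners in
# the comments are constructed samples.

# Print "MAJOR MINOR" from an "ssh -V" banner such as
# "OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009"; print nothing if it is not one.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# openssh_at_least BANNER MIN_MAJOR MIN_MINOR
# Exit 0 if BANNER is MIN_MAJOR.MIN_MINOR or newer, 1 if older, 2 if unparseable.
openssh_at_least() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then return 2; fi
    maj=${ver%% *}
    min=${ver##* }
    if [ "$maj" -gt "$2" ]; then return 0; fi
    if [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; then return 0; fi
    return 1
}

# Classify the OpenSSH installed on this host. "ssh -V" writes its banner to
# stderr. 5.2p1 was the current upstream release when the diary was written.
check_local_openssh() {
    banner=$(ssh -V 2>&1 || true)
    if openssh_at_least "$banner" 5 2; then
        echo "current upstream: $banner"
    else
        echo "review: $banner"
        echo "  either older than 5.2 or a vendor backport (e.g. 4.3p2 on RHEL 5);"
        echo "  check the vendor changelog: rpm -q --changelog openssh-server"
    fi
}

# The diary's advice when SSH is not needed: stop the service but keep the
# updated package installed. Period-appropriate commands, run as root:
#   RHEL/CentOS 5:  service sshd stop && chkconfig sshd off
#   Debian 5.0:     /etc/init.d/ssh stop

if command -v ssh >/dev/null 2>&1; then
    check_local_openssh
fi
```

The version comparison only tells you where you stand relative to upstream. Enterprise distributions keep the old banner and backport fixes (RHEL 5 still reports 4.3p2), so on those hosts the banner alone cannot confirm or rule out a fix; the vendor's package changelog is where a backported fix is recorded.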

UPDATE 3: We've received a few emails that lend credibility to the rumor, and we've received a few more that paint an interesting picture: that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin's mistake. What we are lacking is the actual exploit code. So if this is "for real", would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won't tell anybody where it came from, but it sure would put a lid on this story.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: OpenSSH

Comments

Hi all,

I have received, since Sunday morning, at least 35 alerts coming from one of my Debian servers, hosting Debian 5.0, related to SSH access attempts ... It would be nice to give more updates on such attacks ... How could we try to capture the worm/exploit?

Best regards,
Jean

Actually, 4.3 *is* the latest RHEL/CentOS SSH version. openssh-server-4.3p2-29.el5 has been backported by RH engineers to supposedly patch all of the bugs that have since been disclosed up until the latest OpenSSH versions released by the OpenBSD project people. For enterprise stability purposes (which is why Gov and large businesses buy Red Hat) the versions and features are kept approximately the same as the original RHEL distribution release, but bugs are cleaned up. So if this vulnerability is valid, then possibilities include:
1. All OpenSSH versions are vulnerable
2. Unknown vulnerability was unwittingly patched as part of a version feature upgrade with newer-than-4.3 OpenSSH versions
3. Red Hat engineers failed to properly fix bugs with their backporting efforts.

- n3kt0n

Is this rumor worth shutting down SSH access to customers? At what point can anyone able to create semi-plausible log snippets create a DOS?

>:(

Presuming there is a threat to openssh-server-4.3p2-29.el5, does anyone know which dependencies would need to be met to update to 5.2p1?

Perhaps this exploit is only valid for poorly configured sshd configurations. Hardening SSH and using something like fail2ban would certainly be advisable.

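As an added example, not code from the diary or from any of its commenters, here is the signal a tool like fail2ban's sshd filter acts on, worked by hand: count sshd password failures per source address in syslog-format auth-log lines and list the sources over a threshold, plus the account names each source tried. The log lines in the script are constructed samples using documentation-range addresses; on a real host the input is /var/log/auth.log (Debian) or /var/log/secure (RHEL), and the script assumes the stock sshd "Failed password for [invalid user] NAME from IP port N ssh2" wording.

```sh
#!/bin/sh
# Added example, not code from the diary or its commenters: summarise sshd
# password failures per source address from syslog-style auth-log lines, the
# same signal fail2ban's sshd filter keys on. SAMPLE_AUTH_LOG is constructed
# (documentation-range addresses); real input is /var/log/auth.log on Debian
# or /var/log/secure on RHEL.

SAMPLE_AUTH_LOG='Jul  5 04:12:01 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jul  5 04:12:03 web1 sshd[2203]: Failed password for invalid user oracle from 192.0.2.10 port 40131 ssh2
Jul  5 04:12:05 web1 sshd[2205]: Failed password for root from 192.0.2.10 port 40140 ssh2
Jul  5 04:12:09 web1 sshd[2207]: Failed password for root from 192.0.2.10 port 40152 ssh2
Jul  5 04:13:40 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Jul  5 04:14:02 web1 sshd[2212]: Failed password for bob from 203.0.113.9 port 33001 ssh2
Jul  5 04:14:10 web1 sshd[2214]: Accepted password for bob from 203.0.113.9 port 33001 ssh2'

# failed_logins_by_source THRESHOLD   (log lines on stdin)
# Prints "COUNT IP", highest first, for sources with at least THRESHOLD failures.
failed_logins_by_source() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END {
            for (ip in fails) {
                if (fails[ip] >= thr) printf "%d %s\n", fails[ip], ip
            }
        }
    ' | sort -rn
}

# usernames_from_source IP   (log lines on stdin)
# Lists each account name tried from IP once, in first-seen order; a spread of
# names such as admin/oracle/root is a dictionary run, not a user mistyping.
usernames_from_source() {
    awk -v src="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            user = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") from = $(i + 1)
            }
            if (from == src && !(user in seen)) { seen[user] = 1; print user }
        }
    '
}

# Demo over the constructed sample: sources with three or more failures.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source 3
```

Run it against a real log with `failed_logins_by_source 5 < /var/log/auth.log`. fail2ban does the same counting continuously inside a time window and adds a firewall rule for sources that cross the threshold; this one-off view is useful for confirming what a "35 alerts since Sunday" report actually consists of (one scanner, a dictionary list, or a legitimate user) before deciding whether it belongs to the story in the diary at all.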
Such stories, when spread, make people/admins panic even if there isn't any proof of such an issue.

To calm down, I encourage people/admins to use a port-knocking system, especially on their SSH service, at least for the meantime.
