openssh vulnerability WITH TCP DUMP!

Evert van de Waal evert.vandewaal at imtech.nl
Fri Nov 4 21:54:14 EST 2005 

Hi Guys,

My Debian box has been hacked a few days ago using an OpenSSH 
vulnerability. Subsequently my box was used for sending spam and as a 
hacking platform (according to my ISP).

I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled 
my box (now with 3.8p1 as supplied by Debian Stable), and started 
tcpdump to see if I would get lucky. I DID!

The aut.log file shows the following:
Nov  4 06:25:01 localhost su[5715]: + ??? root:nobody
Nov  4 06:25:01 localhost su[5715]: (pam_unix) session opened for user 
nobody by
 (uid=0)

In the auth.log from my hacked box, I also had these lines. However, I 
could not correlate them to TCP messages, so they didn't help me. Now, I 
do have a full tcp dump ;-)

In the dump file, I found three simple messages that did the job:

First: A SYN request to the ssh port

0000  00 01 80 57 16 3d 00 90  d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
0010  00 30 3c 2d 00 00 74 06  1b fd d2 f0 11 2c 0a 00   .0<-..t. .....,..
0020  00 82 d6 d3 00 16 7e c1  e4 5f 75 72 0c 80 70 02   ......~. ._ur..p.
0030  ff ff d8 83 00 00 02 04  05 b4 01 01 04 02         ........ ...... 

Next the reply from my box (SYN ACK):
0000  00 90 d0 af 86 eb 00 01  80 57 16 3d 08 00 45 00   ........ .W.=..E.
0010  00 30 00 00 40 00 40 06  4c 2a 0a 00 00 82 d2 f0   .0.. at .@. L*......
0020  11 2c 00 16 d6 d3 55 c4  46 41 7e c1 e4 60 70 12   .,....U. FA~..`p.
0030  16 d0 a7 8f 00 00 02 04  05 b4 01 01 04 02         ........ ...... 

An then the killer. A RST message. The weird ACK (2856040895 according 
to ethereal) seems to be the culprit:
0000  00 01 80 57 16 3d 00 90  d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
0010  00 28 a3 31 40 00 34 06  b5 00 d2 f0 11 2c 0a 00   .(.1 at .4. .....,..
0020  00 82 d6 d3 00 16 7e c1  e4 60 00 00 00 00 50 04   ......~. .`....P.
0030  00 00 87 36 00 00 00 00  00 00 00 00               ...6.... ....   

I don't have a clue how this could cause a session for nobody to be 
started, I hope this is useful information for you to nail this thing. 
Or perhaps you have already nailed it, but I didn't find any information 
on this vulnerability in Google. If you need more information, please 
let me know.

Good luck,
Evert

More information about the openssh-unix-dev mailing list