Exploit.Linux.SSHD2

Details
Exploit.Linux.SSHD22

Under the name SSHD22, KAV detects a couple of tools widely used on the Internet by hackers to compromise systems vulnerable to the security flaw known as the “SSH CRC-32 compensation attack”.
Initially reported in October 2001 (for details see CERT advisory CA-2001-35 at http://www.cert.org/advisories/CA-2001-35.html), this form of attack is still one of the most prevalent exploits in use on the Internet. Given how often this exploit leads to a full compromise, it is recommended to update every vulnerable version (for a version list please check the CERT advisory) to the latest release.
Technical details:
Multiple versions of this tool are known, but most of them share the same base code that performs the attack. An interesting detail is that the specific offsets and addresses needed to exploit the various SSH versions are stored in an external file to which additional entries can be added. A special tool that extracts the specific exploit offsets is also included in the distribution of the attack kit, making it relatively easy to increase the target base of the exploit.
Some versions of the tool are encrypted with passwords, possibly to prevent misuse. When run, they require the user to first enter a password (for instance, the so-called “x2” variant).
After the correct password is provided, the tool presents the user with a list of options, the most important of which is the vulnerable version to try, since the exploitation tool is unable to determine by itself which version of the SSH daemon is running on the remote machine.
After the address of the remote machine and the version to exploit have been entered, the tool connects to the SSH daemon and initiates a session login attempt. During the attack it is common for the SSH daemon to crash or stall, and it logs messages of the following form:
“/var/log/messages”:
sshd[14211]: Disconnecting: Corrupted check bytes on input.
sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected
As a successful attack with this tool is usually followed by the installation of a rootkit or backdoor, it is important to perform a full scan of the system once a compromise has been detected and, where possible, to check the integrity of the system binaries, which might have been replaced with trojanized versions.
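The two sshd messages quoted above are the most useful host-side indicator of this attack. The following detector, added here as an example and not part of the original text or of KAV, scans syslog-style lines for those exact strings and flags the pattern; the syslog line layout, the sample log lines, pids and timestamps, and the alerting threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Assumed syslog line shape: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Indicator substrings taken verbatim from the sshd messages quoted on this page.
INDICATORS = {
    "crc32 compensation attack: network attack detected": "crc32_compensation_attack",
    "Corrupted check bytes on input": "corrupted_check_bytes",
}

# Constructed sample log; hostnames, pids and timestamps are made up for this example.
SAMPLE_LOG = [
    "Nov 12 03:14:07 host1 sshd[14211]: Disconnecting: Corrupted check bytes on input.",
    "Nov 12 03:14:09 host1 sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected",
    "Nov 12 03:14:12 host1 sshd[14240]: Disconnecting: Corrupted check bytes on input.",
    "Nov 12 03:15:01 host1 sshd[14250]: Accepted password for alice from 10.0.0.5 port 41022 ssh2",
]

def classify(msg):
    """Map an sshd message to an indicator label, or None if it carries no indicator."""
    for needle, label in INDICATORS.items():
        if needle in msg:
            return label
    return None

def scan_syslog(lines):
    """Return one alert dict per sshd child process (pid) that logged an indicator."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected layout
        label = classify(m.group("msg"))
        if label:
            alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                           "pid": m.group("pid"), "indicator": label})
    return alerts

def summarize(alerts):
    """Count indicators and decide whether the pattern looks like an exploitation attempt.
    Threshold is an assumption: the explicit crc32 message, or corrupted check bytes from
    two or more sshd children, matches the repeated connection attempts described above."""
    counts = Counter(a["indicator"] for a in alerts)
    likely = counts["crc32_compensation_attack"] > 0 or counts["corrupted_check_bytes"] >= 2
    return {**counts, "likely_exploit_attempt": likely}

if __name__ == "__main__":
    found = scan_syslog(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarize(found))
```

On a real host, feed the function the lines of /var/log/messages and treat any positive summary as a trigger for the full-system scan and binary integrity check recommended above.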
