SSH2, How I love Thee

A while ago, I read an article regarding SSH2 and an insecurity that it possessed. Being a person who depends on SSH2, I was highly intrigued about this insecurity.

The insecurity involves the handling of credentials in memory when a client is connecting to an OpenSSH server. While the client is authenticating, the password is held in clear text in memory on the server side. So, this attack is merely a local one. For one to worry about this attack, they would have to have their OpenSSH server compromised, and the attacker would have to run the shell script that I wrote.

I’m not taking credit for the discovery of this flaw. I merely wrote a program to automate the capture of the ssh client’s credentials. Once I find the discoverer of the flaw, I will post it. Keep in mind that this program isn’t perfect, but it does work.

Here’s the program in plain text:
http://zitstif.no-ip.org/capturessh2.txt

Here’s the program in a tar file:
http://zitstif.no-ip.org/capturessh2.tar

MD5sum: f9ebfe85ff73641f06625a8c21261d4f

#Tested to work on SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
#Tested to work on SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
#Tested to work on OpenSSH 5.2 (protocol 2.0) Fedora 11

If you want to test this on your ssh server, first log into your ssh server and then execute the script with sudo.

Then, posing as the victim yourself, log in to the same SSH server, do your usual business, and then log out.

In the attacker’s console, you will see the user name and password that the victim used to authenticate to the SSH server.

Also, a quick side note: I’m reminded of a pretty nasty attack on SSH clients that can be performed with Ettercap. It’s known as a downgrade attack. Essentially, instead of the client authenticating through the Protocol 2.0 version of SSH, the attacker modifies the traffic in transit and downgrades it to Protocol 1.0, which is susceptible to password sniffing via Ettercap.

Here’s a link to a tutorial on how to perform this attack:
http://openmaniak.com/ettercap_filter.php

This attack only affects servers that allow ssh 1.0 authentication, ergo it’s not a very high level of threat.
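
To check whether a server you administer still accepts the older protocol, the following added example (not part of the original post or its script) classifies an SSH identification banner and reads the `Protocol` directive from sshd_config text. The function names, the sample config and the sample banners other than the first (taken from the tested versions listed above) are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [SP comments]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")

def classify_banner(banner):
    """Classify a server identification string by the protocol versions it offers."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return "not-ssh"
    version = (int(m.group(1)), int(m.group(2)))
    if version >= (2, 0):
        return "v2-only"
    # RFC 4253 section 5.1: a server that still accepts protocol 1 announces 1.99
    return "v1-compatible" if version == (1, 99) else "v1-only"

def configured_protocols(sshd_config_text):
    """Return the set named by the first Protocol directive, or None if absent."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or a single '='
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        if fields[0].lower() == "protocol" and len(fields) == 2:
            return {p.strip() for p in fields[1].split(",") if p.strip()}
    return None  # not set: the build's compiled-in default applies

def downgrade_exposed(banner, sshd_config_text=None):
    """True if the banner or the config shows protocol 1 is still accepted."""
    if classify_banner(banner) in ("v1-compatible", "v1-only"):
        return True
    protos = configured_protocols(sshd_config_text or "")
    return protos is not None and "1" in protos

# Constructed sample data for the demonstration below
SAMPLE_CONFIG = "# constructed sshd_config excerpt\nPort 22\nProtocol 2,1\n"
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2",  # version string from this page
    "SSH-1.99-OpenSSH_5.1p1",                   # constructed
    "SSH-1.5-ExampleServer_1.0",                # constructed
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: {classify_banner(b)}, exposed={downgrade_exposed(b)}")
    print("config protocols:", configured_protocols(SAMPLE_CONFIG))
```

A server that answers with `SSH-2.0-...` and has `Protocol 2` in its configuration is not affected by the downgrade described above.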
