Re: Probable SSH Vulnerability

To: David B Harris <david@eelf.ddts.net>
Cc: debian-security@lists.debian.org
Subject: Re: Probable SSH Vulnerability
From: Tim Peeler <thp@linux00.LinuxForce.net>
Date: Fri, 13 Jun 2003 17:52:21 -0400
Message-id: <[🔎] 20030613215221.GA7327@linux00.LinuxForce.net>
In-reply-to: <20030613171528.2df6d06c.david@eelf.ddts.net>
References: <[🔎] 20030613181844.GA23860@linux00.LinuxForce.net> <20030613171528.2df6d06c.david@eelf.ddts.net>

On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
> (This version of the message sent to you personally in the off chance
> that you're not subscribed to debian-security@lists.debian.org; sorry
> for not doing it via Cc:, but I forgot.)
> 
> On Fri, 13 Jun 2003 14:18:44 -0400
> Tim Peeler <thp@linux00.LinuxForce.net> wrote:
> > In the last 4-5 days we have had 8 servers come under attack.  We are
> > working frantically to keep ahead of these attacks.  We have come to the
> > conclusion that the SSH in woody is likely vulnerable.  Of the 8 servers
> > that have been broken into, half of them are running 2.2.20 and half
> > are running 2.4.18.  We have been updating all servers to 2.4.21-rc8.
> > We are ruling out a kernel exploit because of this.  Of the servers
> > attacked, one was only running sshd (from woody).  We have not had time
> > to analyze where the exploit occurs in sshd, but we are very confident
> > that this is the location of the exploit.  We have begun upgrading to
> > a backport of the testing version of ssh which appears to be helping.
> 
> Could you provide your /etc/ssh/sshd_config, the version of your "ssh"
> package, and the output from 'debsums ssh'? Thanks.
> 

sshd_config for comprimized server attached, as well as the output of
debsums ssh

SSH Version: 3.4p1-1

Just for information, these failed the global check:
bin/cp FAILED
bin/dd FAILED
bin/df FAILED
bin/dir FAILED
bin/ln FAILED
bin/ls FAILED
bin/mv FAILED
bin/rm FAILED
bin/su FAILED
bin/ping FAILED
bin/ps FAILED
bin/kill FAILED
bin/date FAILED
bin/echo FAILED
bin/pwd FAILED
bin/tar FAILED
bin/tcsh FAILED
bin/cat FAILED

# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2,1
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/lib/sftp-server

#UsePrivilegeSeparation yes

AllowUsers root cjf linforce afradm afrjradm ave dave

usr/bin/ssh                                                                   OK
usr/bin/scp                                                                   OK
usr/bin/ssh-add                                                               OK
usr/bin/ssh-agent                                                             OK
usr/bin/ssh-keygen                                                            OK
usr/bin/ssh-keyscan                                                           OK
usr/bin/sftp                                                                  OK
usr/bin/ssh-copy-id                                                           OK
usr/sbin/sshd                                                                 OK
usr/lib/ssh-keysign                                                           OK
usr/lib/sftp-server                                                           OK
usr/share/man/man1/scp.1.gz                                                   OK
usr/share/man/man1/ssh-agent.1.gz                                             OK
usr/share/man/man1/ssh-keygen.1.gz                                            OK
usr/share/man/man1/ssh-keyscan.1.gz                                           OK
usr/share/man/man1/sftp.1.gz                                                  OK
usr/share/man/man1/ssh-copy-id.1.gz                                           OK
usr/share/man/man1/ssh.1.gz                                                   OK
usr/share/man/man1/ssh-add.1.gz                                               OK
usr/share/man/man8/ssh-keysign.8.gz                                           OK
usr/share/man/man8/sshd.8.gz                                                  OK
usr/share/man/man8/sftp-server.8.gz                                           OK
usr/share/man/man5/ssh_config.5.gz                                            OK
usr/share/man/man5/sshd_config.5.gz                                           OK
usr/share/doc/ssh/README                                                      OK
usr/share/doc/ssh/changelog.gz                                                OK
usr/share/doc/ssh/copyright                                                   OK
usr/share/doc/ssh/RFC.gz                                                      OK
usr/share/doc/ssh/OVERVIEW.gz                                                 OK
usr/share/doc/ssh/README.Debian.gz                                            OK
usr/share/doc/ssh/changelog.Debian.gz                                         OK

Reply to:

Follow-Ups:
- Re: Probable SSH Vulnerability
  - From: erik@debian.franken.de (Erik Tews)
- Re: Probable SSH Vulnerability
  - From: Nick Boyce <nick@glimmer.demon.co.uk>

References:
- Probable SSH Vulnerability
  - From: Tim Peeler <thp@linux00.LinuxForce.net>

Prev by Date: Re: Probable SSH Vulnerability
Next by Date: Re: Probable SSH Vulnerability
Previous by thread: Re: Probable SSH Vulnerability
Next by thread: Re: Probable SSH Vulnerability
Index(es):
- Date
- Thread