
Re: Probable SSH Vulnerability



Nick Boyce <nick@glimmer.demon.co.uk> writes:

>>These attacks require wiretapping and traffic
>>manipulation capabilities.  
>
> I'd be interested if you could expand on this - do you mean a
> connection to the victim's LAN is necessary ?

LAN or WAN.  Actually, access to any transmission link suffices.

> I'd have thought ability to intercept WAN traffic was enough,

Correct, but wiretapping WANs is not exactly straightforward. 8-) You
will have a hard time doing it even if you've compromised some
intermediate router.  In a true WAN environment, scalable
eavesdropping requires access to the physical medium and special
eavesdropping cards for the machines that perform the eavesdropping.

You can't redirect traffic in a WAN setting just by ARP spoofing. 8-)

> And AIUI, traffic manipulation is a standard technique for a skilled
> Bad Guy (injecting packets, fiddling with packets, connection
> hijacking).

Yes, but the attacker usually shares the LAN with the victim host or
the other end of the communication.

> The sort of skill level required to perform a sequence number attack
> would do, wouldn't it ?

No, it wouldn't. IIRC, the SSH 1 protocol is not *that* weak.

> But someone's got to be the first to fall prey to each new technique -
> why not Tim ?

Because he noticed something, and he's so desperate that he's posting
publicly to debian-security. 8-)

If I had a new super-duper SSH exploit or could eavesdrop a WAN link,
I wouldn't risk burning it on low-profile targets.
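The ARP-spoofing point above (LAN redirection works by poisoning the victim's IP-to-MAC mapping) can be made concrete from the defender's side. What follows is an added example, not code from the original post or from anyone on the thread: a small detector that walks a list of ARP replies and flags an IP whose claimed MAC changes, plus a MAC that claims more than one IP (the pattern when an attacker poisons both the victim and the gateway). The capture it runs over is constructed inline; the tuple shape (timestamp, sender IP, sender MAC) and the idea of pre-seeding trusted bindings are assumptions of this example, not part of the discussion.

```python
"""ARP cache-poisoning detector over a constructed capture.

Added example, not part of the original mailing-list post. It assumes
ARP replies arrive as (timestamp, sender_ip, sender_mac) tuples; in a
real deployment those would come from a sniffer feeding this function.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

ArpReply = Tuple[float, str, str]  # (timestamp, sender IP, sender MAC)

# Constructed sample, not real traffic: the gateway 192.168.1.1 answers
# from 00:11:22:33:44:55, then a second station (de:ad:be:ef:00:01)
# starts claiming the gateway's IP and, later, the victim's IP too.
SAMPLE_ARP_REPLIES: List[ArpReply] = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),
    (1.0, "192.168.1.10", "66:77:88:99:aa:bb"),
    (2.0, "192.168.1.1", "00:11:22:33:44:55"),
    (3.5, "192.168.1.1", "DE:AD:BE:EF:00:01"),  # conflicting claim for the gateway
    (4.0, "192.168.1.1", "00:11:22:33:44:55"),
    (4.5, "192.168.1.1", "de:ad:be:ef:00:01"),  # conflict again
    (5.0, "192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC now claims the victim
]


def detect_arp_conflicts(
    replies: Iterable[ArpReply],
    trusted: Optional[Dict[str, str]] = None,
) -> List[dict]:
    """Flag every ARP reply whose sender MAC differs from the binding we trust.

    Bindings are taken from `trusted` (e.g. a pre-seeded gateway MAC) or,
    failing that, learned from the first reply seen for that IP. Learning
    on first sight is the weak spot: an attacker who answers first wins,
    which is why seeding the gateway binding matters in practice.
    """
    bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts: List[dict] = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so "DE:AD" and "de:ad" compare equal
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac
            continue
        if expected != mac:
            alerts.append({"time": ts, "ip": ip, "expected_mac": expected, "seen_mac": mac})
    return alerts


def macs_claiming_multiple_ips(replies: Iterable[ArpReply]) -> Dict[str, List[str]]:
    """Return MACs that claimed more than one IP, with the sorted IP list.

    A single station legitimately owning several IPs is possible, but one
    MAC claiming both the gateway and a host is the classic man-in-the-middle
    shape, so it deserves a second look alongside the per-IP conflicts.
    """
    claimed: Dict[str, set] = defaultdict(set)
    for _ts, ip, mac in replies:
        claimed[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"[{alert['time']:>4}] {alert['ip']}: expected {alert['expected_mac']}, "
              f"saw {alert['seen_mac']}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{mac} claims {', '.join(ips)}")
```

Run as-is it reports three conflicts (two against the gateway, one against the victim) and one MAC claiming both addresses. Passing `trusted={"192.168.1.1": "00:11:22:33:44:55"}` closes the first-reply-wins hole for the address that matters most on a LAN, the default gateway.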
