
Re: VDS FAQ - request for feedback

From: David W. Goodrum <dgoodrum(at)nfr.com>
Date: Wed Jan 29 2003 - 17:52:21 EST

It's interesting that you talk about commercial vendors eventually doing this type of detection. NFR already focuses a lot of its current signatures on what you are terming as "VDS". For example, our SSH package watches for vulnerable versions of SSH. We have a number of other packages that perform similar activity. By watching for vulnerabilities (vs exploits), we detected the MS SQL slammer worm over the weekend, without updating any signatures.

I've included a sample SSH vulnerability alert below:

Alert Message:      ssh server on 10.0.1.7 vulnerable to
                     OpenSSH integer overflow
Source IP:          10.0.1.205
Destination IP:     10.0.1.7
Reason:             ssh server OpenSSH_3.1p1 vulnerable to
                     OpenSSH integer overflow

TECHNICAL INFORMATION
If ChallengeResponseAuthentication is enabled on an OpenSSH server, it will attempt to authenticate a user by sending a challenge and expecting a response. Due to an error in logic, a client can send a larger number of responses than the server expects, resulting in an integer overflow. Furthermore, an attacker can use this bug to cause the server to execute arbitrary code. Since this exchange happens before authentication, any remote client can exploit this bug. This bug is only exploitable in OpenSSH servers with versions 2.9.9 through 3.3 (inclusive).

OpenSSH servers with versions 2.3.1 through 3.3 (inclusive) are also vulnerable to the same bug in the PAMAuthenticationViaKbdInt code.

Privilege separation, which was introduced in OpenSSH 3.2, allows authentication code to be executed as an unprivileged user. Prior to this feature, authentication was executed as root. Privilege separation is enabled by default in OpenSSH 3.3 and prior releases. The severity of this vulnerability is largely based on which user executes authentication.

REFERENCES
OpenSSH Remote Challenge Vulnerability
http://www.openssh.org/txt/iss.adv
OpenSSH Security Advisory
http://www.openssh.org/txt/preauth.adv
sshd_config manpage
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
ScanSSH
http://www.monkey.org/~provos/scanssh/

David J. Meltzer wrote:
> For anyone not too overwhelmed with chasing the worm this week...

-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425

Received on Fri Jan 31 11:21:49 2003
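As an added illustration of the version-based detection the alert above describes (example code written for this archive page, not NFR's own signature): a small Python checker that parses an SSH server identification string and flags the OpenSSH version ranges the alert text names, adding the alert's note about authentication running as root before privilege separation existed. The banners and the 10.0.1.8/10.0.1.9 hosts are constructed samples.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges quoted in the alert text above, inclusive on both ends.
# The portable "pN" suffix is ignored: it tracks the same upstream release.
AFFECTED = [
    ("ChallengeResponseAuthentication integer overflow", (2, 9, 9), (3, 3)),
    ("PAMAuthenticationViaKbdInt integer overflow", (2, 3, 1), (3, 3)),
]
PRIVSEP_INTRODUCED: Version = (3, 2)  # per the alert text

# Matches the identification string a server sends, e.g. "SSH-1.99-OpenSSH_3.1p1".
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+(?:\.\d+)*)(?:p\d+)?")


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so (3, 3) and (3, 3, 0) compare equal."""
    return v + (0,) * (n - len(v))


def in_range(v: Version, lo: Version, hi: Version) -> bool:
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Numeric OpenSSH version from a banner, or None if the server is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess_banner(banner: str) -> List[str]:
    """Reasons the advertised version is in an affected range; empty if none (or not OpenSSH)."""
    v = parse_openssh_version(banner)
    if v is None:
        return []
    reasons = [f"{name} ({'.'.join(map(str, lo))}-{'.'.join(map(str, hi))})"
               for name, lo, hi in AFFECTED if in_range(v, lo, hi)]
    if reasons and v < PRIVSEP_INTRODUCED:
        reasons.append("no privilege separation: authentication runs as root")
    return reasons


if __name__ == "__main__":
    # Constructed sample banners, not captured traffic.
    for src, dst, banner in [("10.0.1.205", "10.0.1.7", "SSH-1.99-OpenSSH_3.1p1"),
                             ("10.0.1.205", "10.0.1.8", "SSH-2.0-OpenSSH_3.4p1"),
                             ("10.0.1.205", "10.0.1.9", "SSH-2.0-OpenSSH_2.5.2p2")]:
        for reason in assess_banner(banner):
            print(f"ssh server on {dst} (seen from {src}) vulnerable to {reason}")
```

Matching on the advertised version string inherits the limits of the approach: a vendor that backports the fix without changing the banner will still be flagged, and a server that does not identify itself as OpenSSH is not assessed at all.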

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

