phrack/phrack59/11.txt

290 lines
12 KiB
Plaintext

==Phrack Inc.==
Volume 0x0b, Issue 0x3b, Phile #0x0b of 0x12
|=-----------------=[ It cuts like a knife. SSHarp. ]=-------------------=|
|=-----------------------------------------------------------------------=|
|=----------------=[ stealth <stealth@segfault.net> ]=------------------=|
--[ Contents
- Intoduction
1 - Playing with the banner
2 - Playing with the keys
3 - Countermeasures
4 - An Implementation
5 - Discussion
6 - Acknowledgments
7 - References
--[ Introduction
The Secure Shell (SSH) protocol which itself is considered strong is often
weakly implemented. Especially the SSH1/SSH2 interoperability as
implemented in most SSH clients suffers from certain weak points as
described below. Additionally the SSH2 protocol itself is also flexible
enough to contain some interesting parts for attackers.
For disclaimer see the pdf-version of this article available [here].
The described mim-program will be made available one week after releasing
this article to give vendors time for fixes (which are rather trivial) to
limit the possibility of abuse.
In this article I will describe how SSH clients can be tricked into
thinking they are missing the host-key for the host they connected to even
though they already have it in their list of known hosts. This is possible
due to some points in the SSH drafts which makes life of SSH developers
harder but which was ment to offer special protection or more flexibility.
I assume you have a basic understanding of how SSH works. However it is
not necessary to understand it all in detail because the attacks succeeds
in the handshake where only a few packets have been exchanged. I also
assume you are familiar with the common attacking scenarios in networks
like Man in the Middle attacks, hijacking attacks against plaintext
protocols, replay attacks and so on.
--[ 1 - Playing with the banner
The SSH draft demands that both, client and server, exchange a banner
before negotiating the key used for encrypting the communication channel.
This is indeed needed for both sides to see which version of the protocol
they have to speak. A banner commonly looks like
SSH-1.99-OpenSSH_2.2.0p1
A client obtaining such a banner reads this as "speak SSH1 or SSH2 to me".
This is due to the "1" after the dash, the so called remote major version.
It allows the client to choose SSH1 for key negotiation and further
encryption. However it is also possible for the client to continue with
SSH2 packets as the "99" tells him which is also called the remote minor
version. (It is a convention that a remote-minor version of 99 with a
remote-major version of 1 means both protocols.)
Depending on the clients configuration files and command-line options he
decides to choose one of both protocols. Assuming the user does not force a
protocol with either of the "-1" or "-2" switch most clients should behave
the same way. This is due to the configuration files which do not differ
that much across the various SSH vendors and often contain the line
Protocol 1,2
which makes the client choose SSH protocol version 1. It is obvious what
follows now. Since the SSH client used to use SSH1 to talk to the server it
is likely that he never spoke SSH2 before. This may be exploited by
attackers to prompt a banner like
SSH-2.00-TESO-SSH
to the client. The client looks up his database of known hosts and misses
the host-key because it only finds the SSH1 key of the server which does
not help much because according to the banner he is not allowed to speak
SSH1 anymore (since the remote major version number is 2). Instead of
presenting a warning like
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
f3:cd:d9:fa:c4:c8:b2:3b:68:c5:38:4e:d4:b1:42:4f.
Please contact your system administrator.
if someone tries MiM attacks against it without the banner-hack, it asks
the user to just accept the new key:
Enabling compatibility mode for protocol 2.0
The authenticity of host 'lucifer (192.168.0.2)' can't be established.
DSA key fingerprint is ab:8a:18:15:67:04:18:34:ec:c9:ee:9b:89:b0:da:e6.
Are you sure you want to continue connecting (yes/no)?
It is much easier now for the user to type "yes" instead of editing the
known_hosts file and restarting the SSH client. Once accepted, the
attackers SSH server would record the login and password and would forward
the SSH connection so the user does not notice his account was just
compromised.
The described attack is not just an upgrade attack. It also works to
downgrade SSH2 speaking clients to SSH1. If the banner would contain "2.0"
the client only spoke SSH2 to the original server and usually can not know
the SSH1 key of the server because he does not speak SSH1 at all. However
our MiM server speaks SSH1 and prompts the client once again with a key he
cannot know.
This attack will not work for clients which just support one protocol
(likely to be SSH1) because they only implement one of them. These clients
should be very seldom and most if not all SSH clients support both
versions, indeed it is even a marketing-pusher to support both versions.
If the client uses RSA authentication there is no way for the attacker to
get in between since he cannot use the RSA challenges presented to him by
the server because he is talking a different protocol to the client. In
other words, the attacker is never speaking the same version of the
protocol to both parties and thus cannot forward or intercept RSA
authentication.
A sample MiM program (ssharp) which mounts the banner-hack and records
logins can be found at [ssharp].
--[ 2 - Playing with the keys
It would be nice to have a similar attack against SSH without a version
switch. This is because the version switch makes it impossible to break the
RSA authentication.
Reading the SSH2 draft shows that SSH2 does not use the host-key for
encryption anymore (as with SSH1 where the host and server-key was sent to
the client which sent back the session-key encrypted with these keys).
Instead the client obtains the host-key to check whether any of the
exchanged packets have been tampered with by comparing the server sent MAC
(Message Authentication Code; the server computes a hash of the packets
exchanged and signs it using the negotiated algorithm) with his own
computed hash. The SSH2 draft is flexible enough to offer more than just
one static algorithm to allow MAC computation. Rather it specifies that
during key exchange the client and the server exchange a list of preferred
algorithms they use to ensure packet integrity. Commonly DSA and RSA are
used:
stealth@liane:~> telnet 192.168.0.2 22
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0p1
SSH-2.0-client
`$es??%9?2?4D=?)??ydiffie-hellman-group1-sha1ssh-dss...
I deleted a lot of characters and replaced it with "..." because the
interesting part is the "ssh-dss" which denotes the servers favorite
algorithm used for MAC computation. Clients connecting to 192.168.0.2
cannot have a RSA key for computation because the server does not have one!
Of course the attackers MiM program has a RSA key and offers only RSA to
ensure integrity:
stealth@liane:~> telnet 192.168.0.2 22
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
SSH-2.0-OpenSSH_2.9p1
SSH-2.0-client
at s?eu??>vM??E=diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1ssh-rsa...
A SSH client connecting to our MiM server will once again prompt the user
to accept the new key instead of issuing the MiM warning.
The MiM server connected to the original server and got to know that he
is using DSA. He then decided to face the user with a RSA key. If the
original server offers DSA and RSA the MiM server will wait until the
client sends his preferred algorithms and will choose an algorithm the
client is naming for his second choice. A RFC compliant SSH2 server has to
choose the first algorithm he is supporting from the client list, our MiM
server will choose the next one and thus produces a key-miss on
client-side. This will again produce a yes/no prompt instead of the warning
message. "ssharp" also supports this key-hack mode.
--[ 3 - Countermeasures
Having the RSA host-key for a server offering a DSA host-key means nothing
for todays clients. They ignore the fact that they have a valid host-key
for that host but in a different key-type. SSH clients should also issue
the MiM warning if they find host-keys for the server where either the
version or type does not match. Its very likely someone in playing MiM
games. In my eyes it is definitely a bug in the SSH client software.
--[ 4 - An Implementation
There already exist some MiM implementations for SSH1 such as [dsniff] or
[ettercap]. Usually they understand the SSH protocol and put much effort
into packet assembling and reassembling or forwarding. Things are much
simpler. ssharp is based on a normal OpenSSH daemon which was modified to
accept any login/password pair and starts a special shell for these
connections: a SSH client which is given the username/password and the real
destination IP. It logs into the remote host without user-interaction and
since it is bound to the mim servers pty it looks for the user like he
enters his normal shell. This way it is not needed to mess with SSH1 or
SSH2 protocol or to replace keys etc. We just play with the banner or the
signature algorithm negotiation the way described above.
If compiled with USE_MSS option enabled, ssharp will slip the SSH client
through a screen-like session which allows attaching of third parties to
existing (mimed) SSH1 or SSH2 connections. It is also possible to kick out
the legitimate user and completely take control over the session.
--[ 5 - Discussion
I know I know; a lot of people will ask "thats all?" now. As with every
discovery plenty of folks will claim that this is "standard UNIX semantics"
or it is feature and not a bug or that the vulnerability is completely
Theo...cal. Neither of them is the case here, and the folks only looking
for weaknesses in the crypto-algorithms such as key-stream-reuse and
possibilities to inject 2^64 ;-) adaptive choosen plain-texts will
hopefully acknowledge that crypto-analysis in 2002 welcomes laziness and
misunderstanding of drafs on board. Laziness already broke Enigma, but next
years will show how much impact it has when people are not able to
completely understand protocols or put too much trust in crypto and do not
think about the impact of violating the simple MUST in section
1.1.70.3.3.1.9.78. of the super-crypto draft.
--[ 6 - Acknowledgments
Folks from the segfault dot net consortium ;-) for discussing and offering
test environments. If you like to donate some hardware or money to these
folks let me know. It would definitely help to let continue research on
this and similar topics.
Also thanks to various other folks for discussing SSH with me.
This article is also available [here] as pdf paper with some screen-shots
to demonstrate the power of ssharp.
--[ 7. References
[dsniff] as far as I know the first SSH1 MiM implementation "monkey in the
middle" part of dsniff package.
http://www.monkey.org/~dugsong/dsniff
[ettercap] good sniffer/mim combo program for lazy hackers ;-)
http://ettercap.sourceforge.net
[ssharp] an implementation of the attacks described in this article
http://stealth.7350.org/7350ssharp.tgz
[here] this article as pdf with screenshots
http://stealth.7350.org/ssharp.pdf
|=[ EOF ]=---------------------------------------------------------------=|