SSH – THE ‘SECURE’ SHELL

2 3
2 0/ 1
/
08
SECURE WHAT.. ?
‘Secure shell is a de facto standard for remote logins and encrypted file
transfers.’ [SSH communications inc.]
Founded in 1995 by Tatu Ylonen, a researcher at Helsinki University of
Technology, Finland
It provides authentication and encryption for business critical applications to
work securely over the internet.
Originally introduced for UNIX terminals as a replacement for the insecure
remote access “Berkeley services" , viz. rsh, rlogin, rcp, telnet, etc.
It can also be used for port forwarding of arbitrary TCP/IP or X11
connections (interactive terminals)
It is a layer over TCP/IP and runs on the port 22.

2
WHY SSH?
The three core security requirements for a remote access technology –
confidentiality, integrity and authentication
Most of the earlier technologies lack confidentiality and integrity. For e.g
Telnet and FTP transmit username and passwords in cleartext.
They are vulnerable to attacks such as IP spoofing, DoS, MITM and
eavesdropping.
Secure shell satisfies all the three requirements by using:
 Data Encryption to provide confidentiality
 Host-based and (or) client-based authentication
 Data integrity using MACs and hashes

2 3
2 0/ 3
/
08
FLAVORS OF SSH
There are two incompatible versions of the SSH protocol: SSH-1 and SSH-2
SSH-2 was introduced in order to fix several bugs in SSH-1 and also
includes several new features
Both versions have technical glitches and are vulnerable to known attacks
(discussed later)
SSH-1 is more popular nowadays due to licensing issues with
SSH-2
OpenSSH is a free version of the SSH with open source code development.
It supports both the versions and mainly used in UNIX environment.

2 3
2 0/ 4
/
08
THE SSH-1 PROTOCOL EXCHANGE
Opens a TCP connection to port 22

SSH protocol version exchange

e.g ASCII :” SSH-1.5-1.2.27”

Server identification {H+S+list of ciphers and

authentication methods+cookie} + session
parameters
Client Server
Selected data cipher +encrypted session
key K(H,S) +cookie

Server acknowledgement encrypted

with K
Secure connection established!
Server authenticated

2 3
2 0/ H – host key ; S- Server Key ; cookie- sequence of 8 random bytes; K- session key 5
/
08
THE SSH-1 PROTOCOL EXCHANGE (CONTD.)

Once secure connection is established, client attempts to authenticate

itself to server.
Some of the authentication methods used are:
 Kerberos
 RHosts and RHostsRSA
 Public key
 Password based authentication (OTP)
Integrity checking is provided by means of a weak CRC -32
Compression is provided using the “deflate” algorithm of GNU gzip
utility. It is beneficial for file transfer utilities such as ftp, scp, etc.

2 3
2 0/ 6
/
08
THE SSH-2 PROTOCOL
SSH-1 is monolithic, encompassing multiple functions into a single
protocol whereas SSH-2 has been separated into modules and consists
of 3 protocols:
 SSH Transport layer protocol (SSH-TRANS) : Provides the initial
connection, packet protocol, server authentication and basic encryption and
integrity services.
 SSH Authentication protocol (SSH-AUTH) : Verifies the client’s identity
at the beginning of an SSH-2 session, by three authentication methods:
Public key, host based and password.
 SSH Connection protocol (SSH-CONN) : It permits a number of
different services to exchange data through the secure channel provided by
SSH-TRANS.
A fourth protocol SSH protocol architecture (SSH-ARCH) describes the
overall architecture.
All the protocols are still in the draft stage.

2 3
2 0/ 7
/
08
THE SSH-2 PROTOCOL (CONTD.)

Layering of SSH-2 Protocols

Password
Keyboard-
Interactive
Public- Pass- Challenge- Pseudo- TCP Port X11
Key Exchange key word Response Terminal Forwarding
(eg. Diffie- SSH-USERAUTH SSH-CONN
Hellman)
Authentication Protocol Connection Protocol
Algorithm
Negotiation Negotiated Compression Protocol
(compression,
encryption) Negotiated Encryption Protocol
SSH Version
Identification
Binary Packet Protocol

SSH-TRANS

TCP/IP

2 3
2 0/ 8
/ [Source: ‘Analysis of Secure shell vulnerability’ – white paper ]
08
SSH-1 VS SSH-2
SSH-2
Separate transport, authentication
and connection protocols
Strong cryptographic integrity
check
No server keys needed due to
Diffie Hellman Key exchange
Supports public key certificates
Algorithms used: DSA, DH, SHA-
1, MD5, 3DES, Blowfish, Twofish,
CAST-128, IDEA, ARCFOUR
Periodic replacement of session
keys
08/20/23
SSH-1
One monolithic protocol
Weak CRC-32 integrity check
Server key used for forward
secrecy on the session key
N/A
RSA, MD5, CRC-32, 3DES, IDEA,
ARCFOUR, DES
N/A
9
IS SSH REALLY SECURE?
Secure shell does counter certain types of attacks such as:
 Eavesdropping
 Name service and IP spoofing
 Connection hijacking
 MITM
 Insertion attack
However it fails against these attacks:
 Password cracking
 IP and TCP attacks
 SYN flooding
 TCP RST, bogus ICMP
 TCP desynchronization and hijacking
 Traffic analysis
 Covert channels

2 3
2 0/ 10
/
08
SOME KNOWN VULNERABILITIES IN
SSH
OpenSSH Challenge-Response Authentication Buffer Overflow: A hostile
modification to the SSH client floods the server with authentication responses and
causes a buffer overflow. [SSH-2]
Passive analysis of SSH traffic: It lets the attacker obtain sensitive information by
passively monitoring encrypted SSH sessions. The information can later be used
to speed up brute-force attacks on passwords, including the initial login password
and other passwords appearing in interactive SSH sessions. [SSH-1 & SSH-2]
Key recovery in SSH protocol 1.5 : This vulnerability may lead to the compromise of
the session key. Once the session key is determined, the attacker can proceed to
decrypt the stored session using any implementation of the crypto algorithm used.
This will reveal all information in an unencrypted form. [SSH-1]
CRC-32 integrity check vulnerability : It is based on the weakness of the CRC-32
integrity that becomes exploitable due to CBC and CFB feedback modes [SSH-1]

2 3
2 0/ 11
/
08
CASE STUDY : THE ‘GOBBLES’ EXPLOIT
Keyboard-InteractiveAuthentication
1.RequestAuth
entication

INFO_
R EQUEST
2.Sendprompts
“Passw ord:”
“Tok en:”
INFO_RES
PON
SE

“sesame”
3.Rec
eiveRe
sponses “01324587”

4.Author
izeConnectio
n

This exploits the weakness in the challenge-response authentication mechanism of

OpenSSH.
SSH_MSG_USERAUTH_REQUEST, SSH_MSG_USERAUTH_INFO_REQUEST ,
SSH_MSG_USERAUTH_INFO_RESPONSE

08/20/23 12
CASE STUDY : THE ‘GOBBLES’ EXPLOIT
(CONTD.)
Malicious Authentication Response
USERAUTH_INFO_REQUEST

nPrompts=2
1. Send prompts
Length=9 “Password:”
Length=6 “Token:”

USERAUTH_INFO_RESPONSE

nResponses = 1073741826
Length[1] Shellcode[1]
Response count designed to trigger
Length[2] Shellcode[2]
an integer overflow
… …
Length[n-1] Shellcode[n-1] Responses contain a malicious
Bad length Bad String “shellcode” command interpreter

Final response has an incorrect

length designed to trigger an error

Instead of sending the requested number of responses, the client sends a large integer
The server allocates memory for these response strings

08/20/23 13
CASE STUDY : THE ‘GOBBLES’ EXPLOIT
(CONTD.)
Malicious Integer-Based Overflow
USERAUTH_INFO_RESPONSE
The server calculates the amount of nResponses = 1073741826
space required for a table of 1073741826 Length[1] Shellcode[1]
pointers. Length[2] Shellcode[2]
… …
Length[n-1] Shellcode[n-1]
0x40000002 = 1073741826 nResponses Bad length Bad String
0100 0000 … 0000 0010 x 4 bytes/pointer

1 0000 0000 … 0000 1000 = 8 bytes

1-bit overflows and gets dropped. Array of String
The remaining bits form a small number. Pointers
Response Pointer[1] 8 bytes hold only
The server sets
Response Pointer[2] two pointers
aside space for
only a small Dynamically
number of pointers, Allocated Memory
due to the miscalculation Function Pointer Error Handler
caused by the overflow. Function Pointer Error Handler
Function Pointer Error Handler
Function Pointer Error Handler

08/20/23 14
CASE STUDY : THE ‘GOBBLES’ EXPLOIT
(CONTD.)
Smashing the Function Pointers
USERAUTH_INFO_RESPONSE

nResponses = 1073741826 The server starts to copy

Length[1] Shellcode[1] 1073741826 strings of hostile shellcode,
Length[2] Shellcode[2] and set a pointer for each string.
… …
Length[n-1] Shellcode[n-1] There is room for only
two pointers.
Bad length Bad String

Allocated Length Pointer[1] Shellcode

= 8 bytes Pointer[2] Shellcode
Eventually, the … Shellcode
pointers to hostile Array Overflow
Pointer[n-3] Shellcode
shellcode overwrite Function
Pointer[n-2]
Pointer Error Handler
Shellcode
Overwritten
the pointers to the Function Pointers Function
Pointer[n-1]
Pointer Error Handler
Shellcode
error handling
Function Pointer Error Handler
functions.
Function Pointer Error Handler

08/20/23 15
 CASE STUDY : THE ‘GOBBLES’
EXPLOIT (CONTD.)
Triggering the Hostile Shellcode
Hostile Shellcode Opens Attack
USERAUTH_INFO_RESPONSE
The shellcode that was originally sent as a
fake password isnResponses = 1073741826
now running commands
typed in by the attacker.
Length[1] Shellcode[1]
Length[2] Shellcode[2]
The server starts to copy a string with an
… … incorrect length, and notices the error.
Pointer[1]
Pointer[2] Length[n-1]Shellcode[n-1] The error is intended
…
Pointer[n-3] Bad length Bad String to trigger an error
Function Pointer
Pointer[n-2] Since the SSH server runs handler function.
Pointer[n-1]
Function Pointer Shellcode as root, the attacker’s
Function Pointer
Function Pointer
commands run with
super-user privileges. Allocated
Length Pointer[1] Shellcode
The server calls an = 8 bytes Pointer[2] Shellcode
error function via … Shellcode
Array Overflow
the table of function Pointer[n-3] Shellcode
pointers. Instead, it Overwritten Function
Pointer[n-2]
Pointer Error Handler
Shellcode
calls the shellcode Function Pointer Pointer[n-1]
Function Pointer Error Handler
Shellcode
via an overwritten to Error Handler Function Pointer Error Handler
pointer. Function Pointer Error Handler

2 3
2 0/ 16
/
08
 CASE STUDY : THE ‘GOBBLES’
EXPLOIT (CONTD.)
Hostile Shellcode Opens Attack
The shellcode that was originally sent as a
fake password is now running commands
typed in by the attacker.

Pointer[1]
Pointer[2]
…
Pointer[n-3]
Function Pointer
Pointer[n-2] Since the SSH server runs
Pointer[n-1]
Function Pointer Shellcode as root, the attacker’s
Function Pointer
Function Pointer
commands run with
super-user privileges.

2 3
2 0/ 17
/
08
SSH TOOLS
There are several commercial and freeware SSH tools for UNIX and
windows platforms
Windows –
 PuTTY
 TeraTerm
 SecureCRT
UNIX –
 The RedHat Linux package and OpenBSD come alongwith tools such as ssh,
sshd(daemon), scp(secure copy), sftp(secure ftp), etc.
 OpenSSH

2 3
2 0/ 18
/
08
BIBILIOGRAPHY
[1] ‘Securing remote connections with SSH’ – a white paper by SSH
communications Security corp.
[2] Red Hat tutorials – Chapter 10 SSH :
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-g
uide/ch-ssh.html
[3] SSH tools - http://bach.dynet.com/sshtools/
[4] ’Firewalling a Secure Shell Service’ – a white paper
http://www.esat.kuleuven.ac.be/~joclaess/pub/ceci2001.pdf
[5] Cisco Security Advisory: Multiple SSH Vulnerabilities
–http://www.cisco.com/warp/public/707/SSH-multiple- pub.html
[6] SSH -The Secure Shell :The definitive guide Daniel Barrett &
Richard E. Silvermann (O’Reilly publications)
[7] ‘Analysis of a Secure Shell vulnerability’ - James M. Mike Anthis
A white paper
2 3
2 0/ 19
/
08