[Full-disclosure] Identify weak Debian OpenSSL clients in SSH DH key exchange
a.klink at cynops.de
Sat May 24 09:36:15 BST 2008
Everybody keeps talking about changing your keys and updating OpenSSL,
but this is not the only issue with the Debian/OpenSSL debacle. Consider
that someone has sniffed your SSH traffic (say at a securit conference?).
If either a compromised server or client were involved, you have got
a problem as the Diffie-Hellmann key exchange at the start of the
SSH session can now be broken. This means that all the data (passwords,
SSH tunnel anyone?) can now be considered compromised if you are
I've written a script that helps you to identify these weak Diffie-Hellmann
key exchanges in an SSH session and released it at EuSecWest 2008.
The script reads in a PCAP file, looks at the group parameters sent by
the server and at the g^x sent by the client and tries to solve the
discrete logarithm by doing test-exponentiations with the 2^16 x's that
are/were available on a vulnerable Debian system.
As for vulnerable servers, the 2^16 are not enough as they keep on
running and generate new pseudo-random numbers (generated from the one
predictable seed, though). A version that is still to come will use
a database of precomputed exponentiations to check the files thus being
a lot faster. This would allow us to compute the exponentiations for say
the first few thousand iterations for each PID, too (I wonder which
value would be enough here?) ...
I guess it would be useful if the script could decrypt the SSH session
if it has found a hit and save it in a new PCAP file, but unfortunately
the crazy german laws do not allow me to write/publish something like
this. If you live in a country with better laws and can write/publish a
patch, that would be good ...
You can find the script at
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
Full-Disclosure is hosted and sponsored by Secunia.