Debian OpenSSL

This is a compilation of my notes on this matter

Links

• http://www.debian.org/security/2008/dsa-1576
• http://www.debian.org/security/key-rollover/
• http://metasploit.com/users/hdm/tools/debian-openssl/
• http://www.milw0rm.com/exploits/5622
• http://www.yobi.be/files/blacklist.RSA-1024 32-bit Intel platform

misc

• http://www.nabble.com/blacklist.RSA-1024-missing--td17258799.html

OpenSSH

Blacklists

• Current official blacklists cover RSA-2048 and DSA-1024 keys as generated on 32-bit little-endian, 64-bit little-endian and 32-bit big-endian systems
• Version Including 4096bit RSA fingerprints: http://love.hole.fi/atte/openssh-blacklist/openssh-blacklist_0.1.2_all.deb
• debian_ssh_scan_v3.tar.bz2 now including DSA 1024, RSA 2048 and RSA 4096 bit keys. Check tool dusplays also PID so very easy to generate the corresponding key.
• http://www.red-bean.com/~maxb/ contains also RSA-1024 and RSA-1023 but not all archs, to be converted:

cat $1 | sed 's/^............//' | sort > blacklist.$(echo $1|cut -c 1-8|tr a-z A-Z)

Check

Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe

On Lenny/Sid, you can extract the Etch /etc/ssh/blacklist* and /usr/bin/ssh-vulnkey and use them

To checks all my vservers I did this [{{#file: ssh-myvuln.sh}} little script]:

#!/bin/bash


function filter () {
    sed 's/\(Not blacklisted: \)/\1                   /;
         s/\(COMPROMISED: \)/\1                       /;
         s/222$/.broken/;
	 '
}

function scan () {
    #echo $1
    ssh-vulnkey $1 | filter
}

function checkpath () {
    mypath="$1"
    echo "===== server keys at $mypath ====="
    for i in $(ls ${mypath}etc/ssh/*_key 2>/dev/null); do scan $i; done
    echo "===== discarded broken server keys at $mypath ====="
    for i in $(ls ${mypath}etc/ssh/*_key.pub.broken 2>/dev/null); do cp $i ${i%%.broken}222; scan ${i%%.broken}222; rm ${i%%.broken}222; done
    echo "===== client keys at $mypath ====="
    for i in $(ls ${mypath}root/.ssh/id* 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}home/*/.ssh/id* 2>/dev/null); do scan $i; done
    for v in $(ls ${mypath}etc/passwd 2>/dev/null); do 
        for u in $(cat $v|awk -F: '{print $6}'|sort|uniq|egrep -v "^(/root|/home/[a-z0-9]*)$"|sed 's#^/##'); do
            for i in $(ls ${v%%etc/passwd}${u}/.ssh/id* 2>/dev/null); do scan $i; done
        done
    done
    echo "===== authorized external client keys at $mypath ====="
    for i in $(ls ${mypath}root/.ssh/*_keys* 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}home/*/.ssh/*_keys* 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}var/lib/backuppc/.ssh/*_keys* 2>/dev/null); do scan $i; done
    echo "===== known external server keys at $mypath ====="
    for i in $(ls ${mypath}etc/ssh/known_hosts 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}root/.ssh/known_hosts 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}home/*/.ssh/known_hosts 2>/dev/null); do scan $i; done
    for i in $(ls ${mypath}var/lib/backuppc/.ssh/known_hosts 2>/dev/null); do scan $i; done
}

checkpath "/"
checkpath "/home/vservers/*/"

To get a resume sortable on the fingerprint:

ssh-myvuln.sh |grep ":..:..:"|sed 's/\(.\).* \(..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..\) \(.*\)/\2 \1 hostname:\3/'|sort > mykeys

To get a list to check against a blacklist:

cat mykeys |cut -c 19,20,22,23,25,26,28,29,31,32,34,35,37,38,40,41,43,44,46,47|sort|uniq > myfing
cat myfing blacklist | sort | uniq -d

Scan

[{{#file: dowkd.pl.patch}} Patch] for fetching keys from /etc/ssh/blacklist*

--- dowkd.pl   2008-05-16 16:00:53.000000000 +0200
+++ dowkd.pl   2008-05-16 15:55:23.000000000 +0200
@@ -47,19 +47,29 @@
 my $db;
 my %db;
 
+my $blacklistdir='/etc/ssh';
+
 sub create_db () {
     $db = tie %db, 'DB_File', $db_file, O_RDWR | O_CREAT, 0777, $DB_BTREE
        or die "error: could not open database: $!\n";
 
     $db{''} = $db_version;
-    while (my $line = <DATA>) {
-       next if $line =~ /^\**$/;
-       chomp $line;
-       $line =~ /^[0-9a-f]{32}$/ or die "error: invalid data line";
-       $line =~ s/(..)/chr(hex($1))/ge;
-       $db{$line} = '';
+    opendir(my $dh, $blacklistdir) or die "Cannot open dir $blacklistdir : $!\n";
+    while(my $e=readdir($dh)) {
+       next if $e =~ m/^\.\.?$/;
+       next unless $e =~ m/^blacklist/;
+print STDERR "Reading $e\n";
+       open (my $fh, $blacklistdir.'/'.$e) or die "Cannot open file $e : $!\n";
+       while (my $line = <$fh>) {
+           next if $line =~ /^\**$/;
+           next if $line =~ /^#/;
+           chomp $line;
+           $line =~ /^[0-9a-f]{20}$/ or die "error: invalid data line";
+#print STDERR "Line= $line\n";
+           $line =~ s/(..)/chr(hex($1))/ge;
+           $db{$line} = '';
+       }
     }
-
     $db->sync;
 }
 
@@ -106,6 +116,7 @@
 sub check_hash ($$) {
     my ($name, $hash) = @_;
     ++$keys_found;
+    $hash =~ s/^......//;
     if (exists $db{$hash}) {
        ++$keys_vulnerable;
        print "$name: weak key\n";

for ip in $(netenum 85.17.183.154/27); do ./dowkd.pl host $ip; done

Renew server keys

mv /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.broken
mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub.broken
mv /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.broken
mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.broken
dpkg-reconfigure openssh-server
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

Generate vuln keys & blacklists

To generate yourself the vulnerable key set:

wget http://sugar.metasploit.com/ubunturoot.tar.bz2
wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh

Put dokeygen.sh in the root of the ubuntu filesystem Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)

sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do 
  echo $i;
  /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i; 
done

Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian

Then to extract the fingerprints to make the blacklist

for ((i=1;i<32768;i++)); do 
  if [ -e rsa_1024_$i ]; then
    echo $i;
    f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g') 
    mv rsa_1024_$i $f-$i 
    mv rsa_1024_$i.pub $f-$i.pub 
    echo $f |sed 's/^............//'>> blacklist.RSA-1024 
  fi 
done

Exploiting a vuln key:
Example of a fingerprint found in an authorized_keys file:

ssh -i 491f487168134647f111a882c8a04059-21223 bibi@hostname
bibi@hostname:~$

OpenSSL

wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
tar xzf openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
cd openssl-blacklist-0.1
Edit debian/control and cleans the dependence on openssl for Ubuntu
fakeroot debian/rules binary
cd ..
sudo dpkg -i openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb

Now you have openssl-vulnkey tool

OpenVPN

It's not about the SSL keys, those can be checked with openssl-vulnkey.
It's about the shared static keys (openvpn -genkey)

wget https://launchpad.net/ubuntu/hardy/+source/openvpn-blacklist/0.1-0ubuntu0.8.04.1/+files/openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
tar xzf openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
cd openvpn-blacklist-0.1
fakeroot debian/rules binary
cd ..
sudo dpkg -i openvpn-blacklist_0.1-0ubuntu0.8.04.1_all.deb

Now you have openvpn-vulnkey tool

Others

• encfs
  • My key is older, ouf!

Status

• zeus
• hera
• themis
• olympe
• mercure
• venus