Last H.O.P.E and Tackling the Debian OpenSSL Issue

Well I’m back from my trip to New York and I’ve brought back a couple of things.

With the most tracks HOPE has ever had I was truly spoilt for choice, but I spent most of my time [when I wasn't showing our US friends how drinking should be done] visiting talks that had potential datacenter impact.

Kevin Figueroa, Marco Figueroa and Anthony L. Williams reminded me that VLANs and other layer 2 stuff are still vulnerable to many attacks. Most are just Denial of Service attacks that would be detected almost instantly and are very easily fixed (although not easily prevented), but the cross-VLAN packet injection / snooping made me rethink some of my installations where packet injection / snooping would not be a critical issue but would still not be desirable. Bear in mind though that in order to attack layer 2 someone needs to own a box on my layer 2 infrastructure, which is much more of an issue!

The demonstration that stuck with me the most was Jacob Appelbaum, Dino Dai Zovi and Karsten Nohl’s talk regarding the Debian OpenSSL catastrophe. When I first heard about it there was much smugness (seeing as I only use Red Hat Enterprise / CentOS and FreeBSD): my fellow SysAdmins and I had many hours of fun reminding our colleagues who had chosen Debian as their distro of choice of this ‘little’ bug.

Unfortunately our smugness was short-lived, as these Debian keys can end up in a Red Hat server’s authorized_keys file, which leaves that server vulnerable to brute forcing. Knowing how lazy people are and how widespread the careless use of root is, there were likely to be a few machines out there just waiting to get rooted.

The majority of tools (aside from the official Debian tools) are designed for discovering vulnerable servers that don’t belong to you! The Debian tool is great unless, for one reason or another, you don’t / can’t have Perl installed.

Therefore I present to you another hacked-together bash script that anyone could have put together in 5 minutes, but maybe this’ll save someone the hassle.


#!/bin/bash
#--------------------------------------
# Looks for fscking debian client keys
# Gareth#NetworksAreMadeOfString.co.uk
#--------------------------------------

# FingerPrints.db holds the blacklisted MD5 fingerprints with the colons
# removed, one per line; the script expects it in the current directory.
DB=./FingerPrints.db

# Use a private temp file instead of pubkey.tmp in the current directory,
# and remove it on exit.
TmpKey=$(mktemp) || exit 1
trap 'rm -f "$TmpKey"' EXIT

# Read one path per line so file names containing spaces survive.
locate authorized_keys | while read -r KeysFile; do
  [ -f "$KeysFile" ] || continue
  echo
  echo "Testing $KeysFile for weak keys"
  echo -------------------------------------------------

  while read -r line; do
    # Skip blank lines and comments; ssh-keygen cannot fingerprint those.
    case "$line" in ''|'#'*) continue ;; esac

    echo "$line" > "$TmpKey"

    # Newer OpenSSH prints SHA256 fingerprints by default; ask for MD5 so the
    # result is comparable with the database (falls back on old versions).
    RawFP=$(ssh-keygen -E md5 -l -f "$TmpKey" 2>/dev/null || ssh-keygen -l -f "$TmpKey" 2>/dev/null)
    RawFP=$(echo "$RawFP" | awk '{print $2}')
    RawFP=${RawFP#MD5:}
    FP=${RawFP//:/}

    # An unparseable line gives an empty fingerprint; grep -c "" would then
    # match every line of the database and report a false positive.
    [ -n "$FP" ] || continue

    MatchCount=$(grep -c -i -F "$FP" "$DB")

    if [ "$MatchCount" -gt 0 ]; then
      echo -e '\E[40;31m'"\033[1m!!!!! WEAK KEY FOUND!!!!!!\033[0m"
      echo "$line"
    fi
  done < "$KeysFile"
done
echo
echo ------------- DONE -------------

The FingerPrints.db file can be found here

Hopefully you’ll find vulnerable user accounts before someone else does!

Posted in Datacenter, Networks, Systems
One comment on “Last H.O.P.E and Tackling the Debian OpenSSL Issue”
  1. Nice one Gareth! Shame on me for actually finding a weak key on one of my servers!

    Here’s a shameless plug for a post of mine which is a bit pertinent: http://northernmost.org/blog/pam_shield-succeeding-blockhostspy/ (blocking SSH brute forcing).
