Bugtraq: SSH Vulnerability Scan (and ScanSSH tool)

From:   Niels Provos 
Subject:        SSH Vulnerability Scan
Date:   03 Dec 2001 15:53:22 -0500      
SSH Vulnerability Scan
Vulnerability to CRC32 compensation attack detector exploit

In February 2001, Razor Bindview released their "Remote vulnerability
in SSH daemon crc32 compensation attack detector" advisory, which
outlined a gaping hole in deployed SSH servers that can lead to a
remote attacker gaining privileged access:


In November 2001, Dave Dittrich published a detailed analysis of the
"CRC32 compensation attack detector exploit."  This exploit is
currently widely in use.  CERT released Incident Note IN-2001-12:


At the Center for Information Technology Integration, Niels Provos and
Peter Honeyman have been scanning the University of Michigan for
vulnerable SSH server software to identify and update vulnerable SSH


However, scans of the Internet show that system and security
administrators must react and update their SSH servers:


At this writing, over 30% of all SSH servers appear to have the
CRC32 bug.
A simple solution is to remove support for Version One of the SSH
protocol.  The majority of servers on the Internet support the SSH v2

To test whether your network has vulnerable SSH servers, you might
use the ScanSSH tool:


"ScanSSH - Scanning the Internet for SSH Servers",
  Niels Provos and Peter Honeyman, 16th USENIX Systems Administration
  Conference (LISA). San Diego, CA, December 2001.
This information is also available at


Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis