Rule:

--
Sid:
1325

--
Summary:
This event is generated when an attempt is made to exploit a known vulnerability in implementations of Secure Shell (ssh) version 1.

NOTE: This rule is NOT enabled by default. The rule looks for the overflow pattern and as such can generate false positive events.

--
Impact:
A buffer overflow will allow an attacker to execute any arbitrary commands with the privileges of the root user, leading to full compromise of the system and perhaps other systems as well.

--
Detailed Information:
SSH is a secure replacement for telnet/ftp/r* commands. Both commercial and non-commercial implementations are available.

The vulnerability exists in the integer calculation in SSH version 1, or in SSH version 2 with backward compatibility enabled. By sending a crafted packet to the SSH daemon, an attacker could manipulate the return address of the affected function call, allowing arbitrary code execution on the target system.

A protocol weakness in SSH1 opened all compliant servers to an information integrity vulnerability allowing block cipher-encrypted packets to be modified silently by an intermediary attacker. Patches were developed to defend against this weakness, but several servers contained an exploitable integer overflow within the detection code.

A successful attack will allow corruption of the ssh daemon, allowing code to be run with its privileges.

--
Affected Systems:
Cisco IOS 12.0S
Cisco IOS 12.1xx-12.2xx
SSH Communications Security SSH 2.x and 3.x
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0
Systems running the Matrix as seen in Reloaded.

--
Attack Scenarios:
A vulnerable machine may be probed using any banner grabber. An attacker then attempts to overflow the integer calculation buffer and execute /bin/sh.

Once a session is initiated with the remote SSH server and block ciphering is agreed upon, successfully forcing a CRC32 check opens up room for the exploit (which is publicly available). The integer overflow is generally a brute-force method, which may generate several log lines of the form:

hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected

--
Ease of Attack:
Simple. Scanners and exploits are available.

--
False Positives:
Possible (especially in the face of null encryption), but unlikely. Look for several log lines of the type described above.

--
False Negatives:
This rule works by looking for "filler space" in the exploit, used to properly size a heap overflow. Clever exploits can quite easily change the information placed here.

--
Corrective Action:
Use access control restrictions ("AllowHosts" or "DenyHosts")
Disable SSH version 1 support
Apply the appropriate vendor supplied patch
Upgrade to the latest non-affected version of the software

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) and Nick Black, Reflex Security <dank@reflexsecurity.com>

--
Additional References:
CERT:
http://www.kb.cert.org/vuls/id/945216

CERT Advisory:
http://www.cert.org/advisories/CA-2001-35.html

--
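The Attack Scenarios and False Positives sections both say to confirm a Snort alert on this rule by looking for several "crc32 compensation attack" disconnect lines in the sshd log. The following is an added example, not part of the original Snort documentation, showing how to do that check over syslog-style sshd output. The sample log lines are constructed here (their message text matches the form quoted above), the timestamp/hostname syslog prefix is assumed, and the threshold of three disconnects per host is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original page). Only the
# "Disconnecting: crc32 compensation attack" message text mirrors the rule doc;
# the "Accepted publickey" line is ordinary noise that must not be counted.
SAMPLE_LOG = """\
Jan 12 03:14:01 bastion sshd[4120]: Disconnecting: crc32 compensation attack: network attack detected
Jan 12 03:14:02 bastion sshd[4123]: Disconnecting: crc32 compensation attack: network attack detected
Jan 12 03:14:02 bastion sshd[4125]: Accepted publickey for ops from 10.0.0.5 port 51222 ssh2
Jan 12 03:14:03 bastion sshd[4127]: Disconnecting: crc32 compensation attack: network attack detected
Jan 12 03:14:05 bastion sshd[4130]: Disconnecting: crc32 compensation attack: network attack detected
Jan 12 03:20:11 db01 sshd[771]: Disconnecting: crc32 compensation attack: network attack detected
"""

# Assumed syslog layout: "Mon DD HH:MM:SS hostname sshd[pid]: message".
# The message part is the exact text the rule documentation quotes.
CRC32_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Disconnecting: crc32 compensation attack: network attack detected$"
)


def count_crc32_disconnects(log_text):
    """Return {hostname: count} of crc32 compensation-attack disconnects.

    Each matching line is one sshd child process that refused a connection
    because the compensation-attack detector fired; a brute-force attempt
    against the integer overflow shows up as a burst of these on one host.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = CRC32_RE.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_under_attack(log_text, threshold=3):
    """Hosts with at least `threshold` such disconnects (threshold is an assumption).

    A single line can be a false positive (the doc notes null encryption in
    particular); several in quick succession on one host is what the rule
    documentation says to look for before treating the Snort alert as real.
    """
    return sorted(h for h, n in count_crc32_disconnects(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    print(count_crc32_disconnects(SAMPLE_LOG))
    print("hosts to investigate:", hosts_under_attack(SAMPLE_LOG))
```

Run it against real sshd output with `python3 script.py < /var/log/auth.log` style redirection after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the per-host count is what you compare against the Snort alert's destination address, and a host that only ever logs one such line is the false-positive case the documentation warns about.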