Contributed by sean.
A brief summary is provided below. The paper assumes the initial 'seed' machine has already been compromised; once a machine is compromised, anything on it is fair game. Given that, the authors point out that the known_hosts files, as well as the /etc/hosts.* files, are very good sources of addresses for new targets. This alone isn't enough to build a worm, as it would still need a way to impersonate valid users or some other method to compromise the newly found hosts.
The standard methods of replacing daemons and binaries can aid in that task, but the real killer is unencrypted (passphrase-less) SSH private keys, which are frequently used for automating remote tasks. Combine the information gleaned from known_hosts and authorized_keys with access to an unencrypted key that is already authorized elsewhere, and you have a very solid starting point for worm-like propagation.
The technique in the paper hinges on the readability of the known_hosts files, and the authors propose that the hostnames in this file be hashed. This has already been implemented in OpenSSH 4.0 (the HashKnownHosts option), and the authors provide a patch backporting the feature to 3.9 and 3.9p1.
If you are already using OpenSSH 4.0 (or the patched 3.9), enabling hashing of known hosts is pretty simple (as is described here). All you have to do is append the following to /etc/ssh/ssh_config:

    echo "Host *" >> /etc/ssh/ssh_config
    echo "HashKnownHosts yes" >> /etc/ssh/ssh_config

Note that ssh_config uses the first value it finds for an option, so if an earlier Host block in the file already sets HashKnownHosts, appending to the end will not override it. The setting only affects entries written from now on: you will also have to recreate the existing known_hosts files or convert them using the script provided by the authors (OpenSSH 4.0's own ssh-keygen -H performs the same conversion in place and keeps the original as known_hosts.old).
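To make concrete what hashing does to the file, and why it only mitigates harvesting, here is an added Python illustration. It is not code from the paper, from OpenSSH or from the original post; it re-implements the |1|salt|hash host-field format that OpenSSH writes (HMAC-SHA1 keyed with a 20-byte random salt), converts a constructed known_hosts sample the way ssh-keygen -H would, shows that the hostnames are no longer readable, and then shows that a worm carrying a list of guessed names can still test each guess against the hashed entries. The sample hostnames and key blobs are constructed and not real.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"                       # prefix OpenSSH puts on hashed host fields
SALT_LEN = hashlib.sha1().digest_size    # 20 bytes, same length as the HMAC-SHA1 output

# Constructed sample known_hosts content (hostnames and key blobs are made up).
# Line 1 is the "hostname,address" form an unhashed client writes; line 2 is the
# [host]:port form used for non-standard ports.
SAMPLE_KNOWN_HOSTS = """\
build1.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxample
[git.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxample
"""


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the hashed host field OpenSSH writes: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(host_field: str, candidate: str) -> bool:
    """True if a plain or hashed host field covers candidate (the check the client does on connect)."""
    if not host_field.startswith(HASH_MAGIC):
        return candidate in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def parse_line(line: str):
    """Return (marker, host_field, rest) for one known_hosts line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    marker = ""
    if stripped.startswith("@"):                 # e.g. @cert-authority or @revoked
        marker, stripped = stripped.split(None, 1)
    parts = stripped.split(None, 1)
    return marker, parts[0], (parts[1] if len(parts) > 1 else "")


def harvestable_hosts(contents: str) -> list:
    """Hostnames and addresses readable straight out of the file, i.e. what the worm harvests."""
    found = []
    for line in contents.splitlines():
        parsed = parse_line(line)
        if parsed is not None and not parsed[1].startswith(HASH_MAGIC):
            found.extend(parsed[1].split(","))
    return found


def hash_known_hosts(contents: str, rng=os.urandom) -> str:
    """Rewrite the file as ssh-keygen -H does: one hashed line per name, a fresh salt for each."""
    out = []
    for line in contents.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].startswith(HASH_MAGIC):
            out.append(line)                     # keep comments, blanks and already-hashed entries
            continue
        marker, host_field, rest = parsed
        for name in host_field.split(","):
            hashed = hash_hostname(name, rng(SALT_LEN))
            out.append(" ".join(p for p in (marker, hashed, rest) if p))
    return "\n".join(out) + "\n"


def dictionary_attack(contents: str, candidates) -> list:
    """What hashing does NOT stop: confirm guessed names by testing each against every entry."""
    hits = []
    for line in contents.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        for name in candidates:
            if name not in hits and host_field_matches(parsed[1], name):
                hits.append(name)
    return hits


if __name__ == "__main__":
    print("harvestable before:", harvestable_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("harvestable after:", harvestable_hosts(hashed))
    print("confirmed by guessing:", dictionary_attack(hashed, ["build1.example.com", "db.example.com"]))
```

The per-entry random salt is what stops an attacker from precomputing a table of likely hostnames once and matching it against every harvested file; it does not stop them from running each guess through the HMAC on the compromised machine, which is why the authors call hashing a mitigation of this harvesting technique rather than a fix.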
For more information about this paper, check out the MIT CSAIL page on the subject.
UPDATE: I'd like to point out that the authors do not present the hashing of known_hosts as a solution to this problem, but as a means of mitigating this particular technique for address harvesting.