Bugtraq mailing list archives
Re: SSH LocalForward
From: sevo () inm de (Sevo Stille)
Date: Sun, 3 Aug 1997 01:03:25 +0200
Von: Kristof Van Damme <aeneas () sesuadra org> ... I bumped into a weird 'feature' of ssh 1.2.20. When I run: ... the port must be available). When I connect to it I get a normal redirection to remotehost:80 over the secure channel. This means however that a non-root user is able to open privileged ports on the localhost and redirect them. Is this normal? I checked it on Linux and Solaris.
From a quick glance across the source, ssh rejects attempts to forward privileged
ports for non-root users while parsing the command line arguments - the config file is read further down in the code, without performing a similar test. The immediate fix is chmod -s (which will get rid of potential similar holes in ssh as well...) - the more reasonable method is to move the check into add_local_forward(): --- readconf.c Sun Aug 3 00:55:40 1997 +++ readconf.c.orig Sun Aug 3 00:57:21 1997 @@ -204,11 +204,6 @@ Forward *fwd; if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); - if (port < 1024 && original_real_uid != UID_ROOT) - { - fatal("Privileged ports can only be forwarded by root.\n"); - exit(1); - } fwd = &options->local_forwards[options->num_local_forwards++]; fwd->port = port; fwd->host = xstrdup(host); Sevo
Current thread:
- Re: SSH LocalForward Sevo Stille (Aug 02)
- <Possible follow-ups>
- Re: SSH LocalForward Sevo Stille (Aug 03)
- Re: SSH LocalForward long-morrow () CS YALE EDU (Aug 03)
- Re: SSH LocalForward Kyle Amon (Aug 04)
- Netscape Referer header considered harmful? Ronald L. Parker (Aug 04)
- Re: Netscape Referer header considered harmful? Eric Murray (Aug 06)
- Re: SSH LocalForward Bryan Andregg (Aug 05)
- SGI Security Advisory 19970509-02-PX - IRIX ordist Buffer Overrun SGI Security Coordinator (Aug 05)
- IMAPd scans Steve Herman (Aug 06)
- XFREE86 can block reserved ports Willy TARREAU (Aug 06)
- Re: XFREE86 can block reserved ports Alex Belits (Aug 06)
- Re: SSH LocalForward Kyle Amon (Aug 04)