Bugtraq mailing list archives
sshd exploit?
From: navindra () CS MCGILL CA (Navindra Umanee)
Date: Sat, 5 Sep 1998 19:55:50 -0400
Montreal Sat Sep 5 19:50:56 1998

[Aleph, please do filter out this post if it is old news, irrelevant or unsuitable in any way. I've searched the archives but haven't seen anything related.]

A long while ago, users thorns and __fox started appearing on IRC with root idents from machines on which they obviously did not have root privileges. It turned out that this was a side effect of ssh tunneling, i.e. forwarding TCP/IP ports over an ssh connection, and the fact that sshd was running as root on the server.

It seems to me that this could be exploitable. For example, one could:

(1) forward a connection to the mail port on a public machine,

    ssh -L 1234:mailmachine:25 mailmachine sleep 100

(2) then connect to localhost:1234 and send mail that appears to be coming from root@mailmachine.

While I realise that identd was never meant to be a proper form of authentication, many running rshd servers still rely on it and sshd's behavior may turn out to be rather problematic.

For example, I don't see why one couldn't also forward rshd connections and hack the rlogin client to connect to arbitrary ports. One could then find an accessible machine with root in the .rhosts or hosts.equiv -- this is not as uncommon as one would think.

Navin
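
The post closes on machines that list root in .rhosts or hosts.equiv. The following is an added example, not part of the original post: a small audit that flags rhosts-style entries accepting a remote root or wildcard identity. The host names, the sample file contents and the treatment of "#" as a comment marker are assumptions made for illustration.

```python
"""Audit rhosts-style trust files for entries that accept a remote root identity.
All sample file contents below are constructed for illustration."""

def parse_entry(line):
    """Return (host, user, negated) for one hosts.equiv/.rhosts line, or None."""
    line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
    if not line:
        return None
    fields = line.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    negated = host.startswith("-") or (user is not None and user.startswith("-"))
    return host, user, negated

def risky_entries(text, local_user):
    """List (lineno, reason) for entries that trust a peer's claim to be root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None or entry[2]:
            continue  # blank line, comment, or a deny ("-") entry
        host, user, _ = entry
        if host == "+" or user == "+":
            findings.append((lineno, "wildcard trust"))
        elif user == "root":
            findings.append((lineno, f"remote root on {host} may log in as {local_user}"))
        elif user is None and local_user == "root":
            # A bare host in root's own file trusts the same-named remote user: root.
            findings.append((lineno, f"root on {host} is trusted as local root"))
    return findings

# Constructed samples: root's ~/.rhosts and an ordinary user's ~/.rhosts.
ROOT_RHOSTS = """\
# trusted admin hosts
adminbox.example.org
backup.example.org operator
-lab.example.org
"""
USER_RHOSTS = """\
build.example.org root
+ +
shell.example.org alice
"""

if __name__ == "__main__":
    for name, text, user in (("root", ROOT_RHOSTS, "root"), ("alice", USER_RHOSTS, "alice")):
        for lineno, reason in risky_entries(text, user):
            print(f"{name}/.rhosts:{lineno}: {reason}")
```

Every flagged line is a place where the identity asserted by the remote side decides the login, so it is only as trustworthy as the least trustworthy process that can originate connections from that host.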