Bugtraq mailing list archives

Re: sshd exploit?

From: schoen () UCLINK4 BERKELEY EDU (Seth David Schoen)
Date: Sun, 6 Sep 1998 00:06:16 -0700


Navindra Umanee writes:

... ssh tunneling, ie. forwarding TCP/IP ports over an ssh connection, and the
fact that sshd was running as root on the server.

ssh -L 1234:mailmachine:25 mailmachine sleep 100

(2) then connect to localhost:1234 and send mail that appears to be
    coming from root@mailmachine.


Indeed, this is a cute new way of forging mail and confusing the logs
somewhat.  MTA logging could probably be extended in various ways to detect
this, if it seemed necessary.

While I realise that identd was never meant to be a proper form of
authentication, many running rshd servers still rely on it and sshd's
behavior may turn out to be rather problematic.

For example, I don't see why one couldn't also forward rshd
connections and hack the rlogin client to connect to arbitrary ports.
One could then find an accessible machine with root in the .rhosts or
hosts.equiv -- this is not as uncommon as one would think.


No matter which way you use ssh port forwarding, you will never manage to
get a privileged source port, so rshd will not trust host-based
authentication information.

ssh -L 1234:foo:513 foo sleep 100
    doesn't make the connections sshd on foo initiates to foo have a privileged
    source port, so foo's rlogind won't trust them

ssh -R 513:foo:1234 foo sleep 100
    doesn't make the connections ssh on localhost initiates to localhost have a
    privileged source port, so localhost's rlogind won't trust them

identd's confusion over ssh tunnels is problematic just for logging purposes,
but the rsh/rlogin specification does supposedly insist on privileged source
ports, with which the current ssh/sshd do the right thing.

In the current FreeBSD rshd, for instance,

                if (fromp->sin_port >= IPPORT_RESERVED ||
                    fromp->sin_port < IPPORT_RESERVED/2) {
                        syslog(LOG_NOTICE|LOG_AUTH,
                            "connection from %s on illegal port %u",
...

An rshd which takes the shortcut of relying on identd would be exploitable,
but I have never seen one.  Since identd is not running on all hosts, it is
really not advisable to rely on it in place of privileged/unprivileged port
checking.

--
   Seth David Schoen L&S '01 (undeclared) / schoen () uclink4 berkeley edu
Magna dis immortalibus habenda est atque huic ipsi Iovi Statori, antiquissimo
custodi huius urbis, gratia, quod hanc tam taetram, tam horribilem tamque
infestam rei publicae pestem totiens iam effugimus.  -- Cicero, in Catilinam I

Current thread:

Buffer overflow in bash 1.14.7(1) Joao Manuel Carolino (Sep 04)
- Re: Buffer overflow in bash 1.14.7(1) Michael Riepe (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
  - Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)
- sshd exploit? Navindra Umanee (Sep 05)
  - Re: sshd exploit? Seth David Schoen (Sep 06)
  - Reading read-protected devices in *BSD Hubert Feyrer (Sep 06)
    - Re: Reading read-protected devices in *BSD Todd C. Miller (Sep 06)
    - Re: Reading read-protected devices in *BSD Eivind Eklund (Sep 06)
- Another way to crash HP 5M/5N printers bwoodard () CISCO COM (Sep 05)
- Windows File Share Scanner ZyklonB Zombie (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Fiji (Sep 10)
  - Re: Buffer overflow in bash 1.14.7(1) Razvan Dragomirescu (Sep 10)
  - Fw: Exploit for SCO. Leshka (Sep 10)
    - Re: Fw: Exploit for SCO. John W. Temples (Sep 11)
  - ISS Vulnerability Alert: Windows Backdoors Update X-Force (Sep 10)

(Thread continues...)