Bugtraq mailing list archives
Re: sshd exploit?
From: schoen () UCLINK4 BERKELEY EDU (Seth David Schoen)
Date: Sun, 6 Sep 1998 00:06:16 -0700
Navindra Umanee writes:
> ... ssh tunneling, i.e. forwarding TCP/IP ports over an ssh connection, and the fact that sshd was running as root on the server.
>
>     ssh -L 1234:mailmachine:25 mailmachine sleep 100
>
> (2) then connect to localhost:1234 and send mail that appears to be coming from root@mailmachine.
Indeed, this is a cute new way of forging mail and confusing the logs somewhat. MTA logging could probably be extended in various ways to detect this, if it seemed necessary.
> While I realise that identd was never meant to be a proper form of authentication, many running rshd servers still rely on it and sshd's behavior may turn out to be rather problematic. For example, I don't see why one couldn't also forward rshd connections and hack the rlogin client to connect to arbitrary ports. One could then find an accessible machine with root in the .rhosts or hosts.equiv -- this is not as uncommon as one would think.
No matter which way you use ssh port forwarding, you will never manage to get a privileged source port, so rshd will not trust host-based authentication information.

    ssh -L 1234:foo:513 foo sleep 100

doesn't make the connections sshd on foo initiates to foo have a privileged source port, so foo's rlogind won't trust them.

    ssh -R 513:foo:1234 foo sleep 100

doesn't make the connections ssh on localhost initiates to localhost have a privileged source port, so localhost's rlogind won't trust them.

identd's confusion over ssh tunnels is problematic just for logging purposes, but the rsh/rlogin specification does supposedly insist on privileged source ports, with which the current ssh/sshd do the right thing. In the current FreeBSD rshd, for instance,

    if (fromp->sin_port >= IPPORT_RESERVED ||
        fromp->sin_port < IPPORT_RESERVED/2) {
            syslog(LOG_NOTICE|LOG_AUTH,
                "connection from %s on illegal port %u", ...

An rshd which takes the shortcut of relying on identd would be exploitable, but I have never seen one. Since identd is not running on all hosts, it is really not advisable to rely on it in place of privileged/unprivileged port checking.

--
Seth David Schoen L&S '01 (undeclared) / schoen () uclink4 berkeley edu
Great thanks are owed to the immortal gods, and to this very Jupiter Stator, the most ancient guardian of this city, that we have now so many times escaped so foul, so horrible, and so hostile a plague upon the republic. -- Cicero, In Catilinam I
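The privileged-source-port test Seth quotes from the FreeBSD rshd, carried through as a complete program. This is an added example, not code from the post or from FreeBSD: it mirrors the quoted condition in a standalone function, applies it to a peer address of the kind accept(2) fills in (the real daemon converts sin_port with ntohs() before the comparison, which the quoted fragment does not show), and feeds it three constructed peers: a root-owned rsh client bound to port 1023, an ssh-forwarded connection arriving from an ephemeral port, and a client below IPPORT_RESERVED/2. The IP addresses and ports are made up for the demonstration, and IPPORT_RESERVED is assumed to be 1024 as on BSD and Linux.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 1024, the BSD/Linux value, if the headers do not define it. */
#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Mirror of the rshd test quoted in the post: host-based authentication is
 * considered only when the client's source port lies in
 * [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e. 512..1023, a range only a
 * root-owned rsh/rlogin client can bind. Takes the port in host byte order
 * and returns 1 if rshd would proceed, 0 if it would log "illegal port". */
int rshd_port_ok(uint16_t host_order_port)
{
    if (host_order_port >= IPPORT_RESERVED ||
        host_order_port < IPPORT_RESERVED / 2)
        return 0;
    return 1;
}

/* The same check on a peer address as accept(2) returns it; sin_port is in
 * network byte order, so it is converted first. The syslog() call from the
 * original is replaced by the return value. */
int rshd_peer_ok(const struct sockaddr_in *from)
{
    return rshd_port_ok(ntohs(from->sin_port));
}

/* Build a constructed peer address for the demo (no socket is opened). */
struct sockaddr_in make_peer(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

static void report(const char *label, const struct sockaddr_in *from)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &from->sin_addr, ip, sizeof ip);
    printf("%-28s %s:%u -> %s\n", label, ip, ntohs(from->sin_port),
           rshd_peer_ok(from) ? "accepted for host auth" : "illegal port");
}

int main(void)
{
    /* Constructed peers (hypothetical addresses). */
    struct sockaddr_in rsh_client = make_peer("10.0.0.5", 1023);   /* root rsh */
    struct sockaddr_in tunnelled  = make_peer("127.0.0.1", 49152); /* via ssh -L/-R */
    struct sockaddr_in too_low    = make_peer("10.0.0.5", 200);    /* below 512 */

    report("rsh client, port 1023", &rsh_client);
    report("ssh-forwarded, ephemeral", &tunnelled);
    report("client below RESERVED/2", &too_low);
    return 0;
}
```

The forwarded case is the one the post is about: whichever end of the tunnel opens the final TCP connection to rlogind/rshd, it is an ordinary process connecting from an ephemeral port, so it falls outside 512..1023 and fails the check regardless of what identd later reports.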