Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [VulnWatch] SSHD / AnonCVS Nastyness

From: "Jay D. Dyson" <jdyson () bugtraq org>
Date: Fri, 3 Sep 2004 15:14:45 -0400
Good to see w00w00 full disclosure in effect once again. 

Special thanks to David Maynor for being a creepy stalker type. 


On Wed, Sep 01, 2004 at 07:36:36PM -0700, Dragos Ruiu wrote:

SSHD / AnonCVS Port Bouncing Nastyness

Advisory URL: http://pacsec.jp/advisories.html

Summary:
--------
Sites with default SSHD configs and anonymous CVS
or other "public" access are vulnerable to port bounce attacks.

Details:
--------
SSHD defaults to AllowTcpForwarding "yes" in /etc/ssh/sshd_config.
I'm told there are some good reasons for keeping this like that.
Normally this is not an issue because you have to authenticate
and log in to enable the port forwarding.

However this allows some fairly evil port bouncing misbehaviour,
after authentication when combined with anonymous access.
This could be an issue for any site with a "well known" login
credentials like "anoncvs", or become a potential problem
for other no-shell type logins for ssh services.

The most commonly available such service is AnonCVS repositories.
(Some repositories like the OpenBSD cvs servers have been notified
and have now reconfigured their systems to avoid issues with this.)

So these kinds of public access systems should make sure to explicitly
override the default setting of AllowTcpForwarding to "no" in
/etc/ssh/sshd_config to avoid their system being used for arbitrary
tcp port redirection and many errr... "games".

Depending on the configuration this port bouncing can be active for
only a short period of time after initiation, or until the process
terminates, but even in the best case it can be enough time to
inject something like a mail message.

(The most evil application of this IMHO could be another vector for
anonymous spam injection. So check your code repositories now to make
sure you aren't giving spammers another toy.)

Fix:

echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config


Systems Affected:

- All recent versions of OpenSSH that have publicly acessible connections.
- Any other SSH Daemon that supports tcp port forwarding.

Credits:

- Johan Beisser <jan () caustic org> discovered the issue and wants
  to give shit to the people who ignored it when he mentioned it to them in
  March :-)

- Tim Newsham <newsham () lava net> of the The Logan Group did research
  on the extent of the problem, demonstrated real world use, and highlighted
  key threats caused therein.

- Christian "naddy" Weisgerber <naddy () mips inka de> has been talking about
  this for "years" and added AllowTcpForwarding. Thanks :-)

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan  Nov 11-12 2004  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


-- 
- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () bugtraq org ------<) |    = |-'
  `--' `--'  `-------- Si latinam satis simiis doces, --------'  `------'
              `--- quandoque unus aliquid profundum dicet ---'
          
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: