Firewall Wizards mailing list archives

potential ssh attack


From: Matt Dunn <matt () electrocentric com>
Date: Wed, 9 Jun 1999 02:49:36 -0400

I don't know if this has been previously covered in this forum or elsewhere, but I 
was having a conversation today with a couple of people here in Monterey 
(USENIX), and we came up with what could potentially be a way around a firewall 
using ssh.

Imagine a situation where you have a DMZ network partially protected by a 
firewall or router based filtering, such that a particular machine on that network is 
accessible only via ssh from the outside, yet it has other services running, 
presumably accessible by its peers on the network. This isn't necessarily a pretty 
situation, but my feeling is that it may be a reasonably common one.

Here's the problem. From any machine that can connect to the ssh port (i.e. not 
tcp wrapped or what have you), it would be possible to make a connection to any 
port on the machine using ssh's port forwarding features, routing the 
authentication through the attacker's local machine. For example:

        attacker1:#  ssh -R 345:target.machine.com:25 127.0.0.1

The only authentication that happens in this case is that the attacker's local 
machine asks her for the local account's password, which she more than likely 
already knows, and the sshd on the target machine merrily begins redirecting 
requests from this tunnel to its SMTP port, effectively opening that port to some 
other form of attack which would normally have been blocked by the now 
bypassed filtering mechanism.

Now the caveats. I have not yet been able to get this type of connection to 
actually produce a meaningful conversation on the targeted port, but since I'm 
sitting in a hotel room nowhere near my office at the moment, I'm limited in the 
manner that I can test this, and I think my communication glitch has less to do 
with anything spectacular that the firewall is doing than it does with the fairly 
heinous version conflicts I'm getting with the two copies of ssh.

Has anybody heard of this kind of bypass in practice? I'm usually the last one in 
on a joke, so don't feel bad about bursting my bubble if this is old news.

-Matt
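As an added example, not part of Matt's post or of the ssh project itself: a POSIX shell audit of the sshd_config directives (AllowTcpForwarding, PermitOpen, GatewayPorts) that decide whether an ssh-reachable DMZ host will relay a client's connections to other ports, which is the exposure the post describes. The configuration it reads in the demo is constructed, not taken from any real host.

```shell
# Added example (not from the original post): audit an sshd_config for the
# forwarding directives that let an ssh-reachable host relay connections.

# Effective value of a keyword in the global section of sshd_config (text
# before the first "Match" block). Comments are skipped, keywords are
# case-insensitive and the first occurrence wins, as in sshd_config(5).
sshd_global_value() {            # args: FILE KEYWORD DEFAULT
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Report the forwarding posture of a config. Returns 0 when TCP forwarding
# is disabled, 1 when a connected client may request port forwards.
# Defaults are the OpenSSH ones (AllowTcpForwarding yes, PermitOpen any,
# GatewayPorts no); overrides inside Match blocks are not evaluated.
audit_sshd_forwarding() {
    cfg=$1
    fwd=$(sshd_global_value "$cfg" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    open=$(sshd_global_value "$cfg" PermitOpen any | tr 'A-Z' 'a-z')
    gw=$(sshd_global_value "$cfg" GatewayPorts no | tr 'A-Z' 'a-z')
    status=0
    if [ "$fwd" = no ]; then
        echo "OK    AllowTcpForwarding no: sshd will not relay connections"
    else
        status=1
        echo "WARN  AllowTcpForwarding $fwd: clients can tunnel to other ports"
        if [ "$open" = any ]; then
            echo "WARN  PermitOpen any: no restriction on forward destinations"
        else
            echo "INFO  PermitOpen $open: local forwards limited to this destination"
        fi
    fi
    if [ "$gw" != no ]; then
        echo "WARN  GatewayPorts $gw: remote forwards may bind non-loopback addresses"
    fi
    return $status
}

# Demo on a constructed config (not any real host's file): the directive is
# commented out, so the OpenSSH default of "yes" applies and the audit warns.
demo=$(mktemp)
printf 'Port 22\nPermitRootLogin no\n# AllowTcpForwarding no\n' > "$demo"
audit_sshd_forwarding "$demo"
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config on the DMZ host; the exit status is 1 whenever forwarding is still permitted in the global section.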


