Firewall Wizards mailing list archives
potential ssh attack
From: Matt Dunn <matt () electrocentric com>
Date: Wed, 9 Jun 1999 02:49:36 -0400
I don't know if this has been previously covered in this forum or elsewhere, but I was having a conversation today with a couple of people here in Monterey (USENIX), and we came up with what could potentially be a way around a firewall using ssh.

Imagine a situation where you have a DMZ network partially protected by a firewall or router-based filtering, such that a particular machine on that network is accessible only via ssh from the outside, yet it has other services running, presumably accessible by its peers on the network. This isn't necessarily a pretty situation, but my feeling is that it may be a reasonably common one.

Here's the problem. From any machine that can connect to the ssh port (i.e. not tcp wrapped or what have you), it would be possible to make a connection to any port on the machine using ssh's port forwarding features, routing the authentication through the attacker's local machine. For example:

    attacker1:# ssh -R 345:target.machine.com:25 127.0.0.1

The only authentication that happens in this case is that the attacker's local machine asks her for the local account's password, which she more than likely already knows, and the sshd on the target machine merrily begins redirecting requests from this tunnel to its SMTP port, effectively opening that port to some other form of attack which would normally have been blocked by the now bypassed filtering mechanism.

Now the caveats. I have not yet been able to get this type of connection to actually produce a meaningful conversation on the targeted port, but since I'm sitting in a hotel room nowhere near my office at the moment, I'm limited in the manner that I can test this, and I think my communication glitch has less to do with anything spectacular that the firewall is doing than it does with the fairly heinous version conflicts I'm getting with the two copies of ssh.

Has anybody heard of this kind of bypass in practice? I'm usually the last one in on a joke, so don't feel bad about bursting my bubble if this is old news.

-Matt
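The concern raised in the message, an ssh-reachable host relaying connections to ports a filter otherwise blocks, is governed in current OpenSSH by the `AllowTcpForwarding`, `PermitOpen` and `GatewayPorts` keywords in `sshd_config`. The following is an added example, not part of the original post: a small auditor that reports what an authenticated client can ask a given sshd to relay. The function names and both sample configurations are constructed for illustration.

```python
# Added example: classify the TCP-forwarding exposure of an sshd_config.
# Keywords and defaults are OpenSSH's; the two sample configs are constructed.
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any", "gatewayports": "no"}

def global_settings(config_text):
    """Global values of the forwarding keywords (first occurrence wins in sshd).
    Simplification: parsing stops at the first Match block, which is conditional."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def forwarding_exposure(config_text):
    """Return what an authenticated client can ask this sshd to relay."""
    s = global_settings(config_text)
    mode = s["allowtcpforwarding"]
    if mode in ("yes", "all", "local") and s["permitopen"] != "none":
        local = "any destination" if s["permitopen"] == "any" else "only: " + s["permitopen"]
    else:
        local = "off"
    if mode in ("yes", "all", "remote"):
        remote = "loopback listeners" if s["gatewayports"] == "no" else "non-loopback listeners"
    else:
        remote = "off"
    return {"local": local, "remote": remote}

STOCK = """# constructed sample: no forwarding keywords set, defaults apply
Port 22
PermitRootLogin no
"""
HARDENED = """# constructed sample: relay only to one named service
AllowTcpForwarding local
PermitOpen 127.0.0.1:5432
AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, forwarding_exposure(cfg))
```

As the `sshd_config` manual notes, disabling TCP forwarding does not improve security unless users are also denied shell access, since they can run their own forwarders.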