[7898] in bugtraq
Re: sshd exploit?
daemon@ATHENA.MIT.EDU (Seth David Schoen)
Sun Sep 6 13:33:33 1998
Mail-Followup-To: BUGTRAQ@netspace.org
Date: Sun, 6 Sep 1998 00:06:16 -0700
Reply-To: Seth David Schoen <schoen@UCLINK4.BERKELEY.EDU>
From: Seth David Schoen <schoen@UCLINK4.BERKELEY.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980905195550.58793@cs.mcgill.ca>; from Navindra Umanee on Sat, Sep 05, 1998 at 07:55:50PM -0400
Navindra Umanee writes:
> ... ssh tunneling, i.e. forwarding TCP/IP ports over an ssh connection, and the
> fact that sshd was running as root on the server.
>
> ssh -L 1234:mailmachine:25 mailmachine sleep 100
>
> (2) then connect to localhost:1234 and send mail that appears to be
> coming from root@mailmachine.
Indeed, this is a cute new way of forging mail and confusing the logs
somewhat. MTA logging could probably be extended in various ways to detect
this, if it seemed necessary.
> While I realise that identd was never meant to be a proper form of
> authentication, many running rshd servers still rely on it and sshd's
> behavior may turn out to be rather problematic.
>
> For example, I don't see why one couldn't also forward rshd
> connections and hack the rlogin client to connect to arbitrary ports.
> One could then find an accessible machine with root in the .rhosts or
> hosts.equiv -- this is not as uncommon as one would think.
No matter which way you use ssh port forwarding, you will never manage to
get a privileged source port, so rshd will not trust host-based
authentication information.
    ssh -L 1234:foo:513 foo sleep 100

doesn't make the connections sshd on foo initiates to foo have a privileged
source port, so foo's rlogind won't trust them.

    ssh -R 513:foo:1234 foo sleep 100

doesn't make the connections ssh on localhost initiates to localhost have a
privileged source port, so localhost's rlogind won't trust them.
identd's confusion over ssh tunnels is problematic just for logging purposes,
but the rsh/rlogin specification does supposedly insist on privileged source
ports, with which the current ssh/sshd do the right thing.
In the current FreeBSD rshd, for instance,

    if (fromp->sin_port >= IPPORT_RESERVED ||
        fromp->sin_port < IPPORT_RESERVED/2) {
            syslog(LOG_NOTICE|LOG_AUTH,
                "connection from %s on illegal port %u",
                ...
An rshd which takes the shortcut of relying on identd would be exploitable,
but I have never seen one. Since identd is not running on all hosts, it is
really not advisable to rely on it in place of privileged/unprivileged port
checking.
--
Seth David Schoen L&S '01 (undeclared) / schoen@uclink4.berkeley.edu
Magna dis immortalibus habenda est atque huic ipsi Iovi Statori, antiquissimo
custodi huius urbis, gratia, quod hanc tam taetram, tam horribilem tamque
infestam rei publicae pestem totiens iam effugimus. -- Cicero, in Catilinam I
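Added example, not part of the original post and not FreeBSD's own rshd code: the source-port test quoted above, modelled in C and run on constructed peer addresses, next to a hypothetical identd-only shortcut that parses an RFC 1413 USERID reply. It shows that a connection relayed by sshd arrives from an ephemeral port and so fails the rshd check even when identd would name root for it. The addresses, ports and the ident reply are constructed; as in rshd, sin_port is assumed to be in host byte order by the time it is checked.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* The source-port test from FreeBSD rshd quoted in the post: accept only
 * ports in [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e. 512..1023. Assumes
 * sin_port is already in host byte order (rshd calls ntohs() before this). */
int rshd_port_ok(const struct sockaddr_in *fromp) {
    unsigned port = fromp->sin_port;
    if (port >= IPPORT_RESERVED || port < IPPORT_RESERVED / 2) {
        printf("connection from %s on illegal port %u\n",
               inet_ntoa(fromp->sin_addr), port);
        return 0;
    }
    return 1;
}

/* Build a constructed peer address (host-order port) and run the check. */
int classify_connection(const char *addr, unsigned port) {
    struct sockaddr_in from = { .sin_family = AF_INET, .sin_port = (in_port_t)port };
    inet_pton(AF_INET, addr, &from.sin_addr);
    return rshd_port_ok(&from);
}

/* Hypothetical "identd shortcut": trust an RFC 1413 reply "<sport> , <cport>
 * : USERID : <opsys> : <user>" naming `user`, with no port check at all. */
int ident_claims(const char *reply, const char *user) {
    const char *p = strstr(reply, ": USERID :");
    if (!p || !(p = strchr(p + 10, ':')))  /* skip the opsys field */
        return 0;
    for (p++; *p == ' '; p++) {}           /* skip blanks before the user */
    return strcmp(p, user) == 0;
}

int main(void) {
    /* A real rsh client binds a reserved port via rresvport(): accepted. */
    classify_connection("10.0.0.5", 1023);
    /* A connection relayed by ssh -L/-R comes from an ephemeral port chosen
     * for sshd, so it is rejected even though identd would name root. */
    classify_connection("10.0.0.5", 40123);
    if (ident_claims("40123 , 514 : USERID : UNIX : root", "root"))
        printf("an identd-only rshd would have trusted root\n");
    return 0;
}
```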