Re: sshd exploit?

From: Seth David Schoen (schoenat_private)
Date: Sun Sep 06 1998 - 00:06:16 PDT


    Navindra Umanee writes:
    
    > ... ssh tunneling, ie. forwarding TCP/IP ports over an ssh connection, and the
    > fact that sshd was running as root on the server.
    >
    > ssh -L 1234:mailmachine:25 mailmachine sleep 100
    >
    > (2) then connect to localhost:1234 and send mail that appears to be
    >     coming from root@mailmachine.
    
    Indeed, this is a cute new way of forging mail and confusing the logs
    somewhat.  MTA logging could probably be extended in various ways to detect
    this, if it seemed necessary.
    
    > While I realise that identd was never meant to be a proper form of
    > authentication, many running rshd servers still rely on it and sshd's
    > behavior may turn out to be rather problematic.
    >
    > For example, I don't see why one couldn't also forward rshd
    > connections and hack the rlogin client to connect to arbitrary ports.
    > One could then find an accessible machine with root in the .rhosts or
    > hosts.equiv -- this is not as uncommon as one would think.
    
    No matter which way you use ssh port forwarding, you will never manage to
    get a privileged source port, so rshd will not trust host-based
    authentication information.
    
    ssh -L 1234:foo:513 foo sleep 100
        doesn't make the connections sshd on foo initiates to foo have a privileged
        source port, so foo's rlogind won't trust them
    
    ssh -R 513:foo:1234 foo sleep 100
        doesn't make the connections ssh on localhost initiates to localhost have a
        privileged source port, so localhost's rlogind won't trust them
    
    identd's confusion over ssh tunnels is problematic just for logging purposes,
    but the rsh/rlogin specification does supposedly insist on privileged source
    ports, with which the current ssh/sshd do the right thing.
    
    In the current FreeBSD rshd, for instance,
    
                    if (fromp->sin_port >= IPPORT_RESERVED ||
                        fromp->sin_port < IPPORT_RESERVED/2) {
                            syslog(LOG_NOTICE|LOG_AUTH,
                                "connection from %s on illegal port %u",
    ...
    
    An rshd which takes the shortcut of relying on identd would be exploitable,
    but I have never seen one.  Since identd is not running on all hosts, it is
    really not advisable to rely on it in place of privileged/unprivileged port
    checking.
    
    --
       Seth David Schoen L&S '01 (undeclared) / schoenat_private
    Magna dis immortalibus habenda est atque huic ipsi Iovi Statori, antiquissimo
    custodi huius urbis, gratia, quod hanc tam taetram, tam horribilem tamque
    infestam rei publicae pestem totiens iam effugimus.  -- Cicero, in Catilinam I
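
A runnable illustration of the point made above, added here as an example and not code from this thread, from FreeBSD, or from ssh: the source-port rule an rshd applies, modelled on the FreeBSD fragment quoted in the message, and a small demo of why an ssh -L forward fails it. The function names (rsh_source_port_ok, rsh_check_peer) are this example's own; IPPORT_RESERVED is the 1024 that BSD and Linux headers define, and bindresvport() is the ordinary BSD/glibc call that binds a reserved port (the rcmd()/rresvport() path a real rsh client takes does the same thing). Connections over loopback are made at run time, so the demo needs no network beyond 127.0.0.1; the privileged-port pass only runs as root.

```c
/* Added example: privileged-source-port check as an rshd applies it.
 * Not code from the thread, from FreeBSD or from ssh; names are invented. */
#include <arpa/inet.h>
#include <netinet/in.h>     /* IPPORT_RESERVED == 1024, bindresvport() */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD rshd converts the peer port with ntohs() and then rejects anything
 * >= IPPORT_RESERVED or < IPPORT_RESERVED/2, so only 512..1023 passes.
 * Takes the port in host byte order. Returns 1 if acceptable, 0 if not. */
int rsh_source_port_ok(unsigned port)
{
    if (port >= IPPORT_RESERVED || port < IPPORT_RESERVED / 2)
        return 0;
    return 1;
}

/* The same decision on the sockaddr accept()/getpeername() fills in (network
 * byte order). Formats the log line the quoted rshd emits on failure, or a
 * short acceptance note, into msg. Returns 1 if acceptable, 0 if not. */
int rsh_check_peer(const struct sockaddr_in *fromp, char *msg, size_t msglen)
{
    char addr[INET_ADDRSTRLEN];
    unsigned port = ntohs(fromp->sin_port);

    inet_ntop(AF_INET, &fromp->sin_addr, addr, sizeof addr);
    if (!rsh_source_port_ok(port)) {
        snprintf(msg, msglen, "connection from %s on illegal port %u", addr, port);
        return 0;
    }
    snprintf(msg, msglen, "connection from %s port %u accepted", addr, port);
    return 1;
}

/* Demo. Pass 0 connects the way sshd's -L forwarder does: a plain connect()
 * with no bind, so the kernel picks an ephemeral port >= 1024 and the check
 * fails. Pass 1 (root only) binds a reserved port first, as a real rsh
 * client does, and the same check passes. */
int main(void)
{
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_port = 0 };
    struct sockaddr_in peer;
    socklen_t len = sizeof srv;
    char msg[128];
    int lst, cli, acc;

    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lst = socket(AF_INET, SOCK_STREAM, 0);
    if (lst < 0 || bind(lst, (struct sockaddr *)&srv, sizeof srv) < 0 ||
        getsockname(lst, (struct sockaddr *)&srv, &len) < 0 || listen(lst, 1) < 0) {
        perror("listener");
        return 1;
    }
    for (int pass = 0; pass < 2; pass++) {
        cli = socket(AF_INET, SOCK_STREAM, 0);
        if (pass == 1) {
            struct sockaddr_in local = { .sin_family = AF_INET };
            if (geteuid() != 0) {
                puts("rsh client pass skipped: reserved ports need root");
                close(cli);
                break;
            }
            if (bindresvport(cli, &local) < 0) { perror("bindresvport"); return 1; }
        }
        if (connect(cli, (struct sockaddr *)&srv, sizeof srv) < 0) { perror("connect"); return 1; }
        len = sizeof peer;
        acc = accept(lst, (struct sockaddr *)&peer, &len);
        rsh_check_peer(&peer, msg, sizeof msg);
        printf("%s: %s\n", pass ? "rsh client" : "ssh -L forward", msg);
        close(acc);
        close(cli);
    }
    close(lst);
    return 0;
}
```

The port check is the whole of the trust decision here: nothing the ssh client does on its end changes what port sshd's forwarder, or the local ssh process in the -R case, gets when it calls connect() without binding a reserved port, which is why the forwarded connection is logged as "illegal port" no matter which direction the tunnel runs.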
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:12 PDT