Bugtraq mailing list archives

Possible Denial of Service: SSH


From: hamors () litterbox org (Sean B. Hamor)
Date: Tue, 17 Dec 1996 22:19:56 -0500



I believe I may have found a possible denial of service attack for use
against SSH.  The attack requires an account on the target machine.  I found
this using the following setup:

Server:

Linux litterbox 2.0.25 #5 Tue Nov 26 19:17:37 EST 1996 i486
SSH Version 1.2.17 [i486-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.
Direct ethernet connection to the Internet

Client:

Windows 95
SSH Version 1.0 Test Copy (expires end of December)
Dialup PPP connection to the Internet

I have been able to recreate this twice, but don't want to continue testing
because I've already lost data on my mission critical machine.  >=)

It seems that when my Windows 95 laptop establishes a connection to my Linux
box via SSH and the PPP connection drops, all processes that were being
controlled by the inbound SSH connection get zombied out.  If I establish a
connection and exit/drop the SSH connection, the Linux box recovers fine.
This problem only occurs when the PPP connection drops.

The first time this happened, I tried logging in multiple times to fix the
box.  Because of an unreliable phone line, the PPP connection dropped five
or six times, leaving five or six zombied out sessions.

"No problem," I thought.  Just log back in, su to root and shutdown -r,
right?  Nope.  How about reboot?  Nope.  Hrm...init 6?  No beans.  WTF?
Just for the Hell of it...kill -9 -1.  Nothing.  I tried an uptime.  Load
average of 25.  Did a who...all 9 of my previous connections were still
ghosted in utmp.

I fired off email to my girlfriend to tell her not to log in at console.  Of
course, she read the email after logging in at console.  >=)  She logged
back out immediately.  I did a ps -auxww...every single process that had
been executed when she logged in at console (init 4) had been zombied out.
The load was up to 31 now.

My only option was to power cycle the machine when I got home from work.
When I did get home and turned on the monitor, the screen was going crazy,
almost like when an svgalib program bombs out or when SuperProbe decides to
make your video card trip out.

Anyway...I'd be interested in seeing if anyone else has had this problem (or
if it's a known bug).  The attack failed against a Linux 1.2.13 box running
sshd 1.2.17.

Finger hamors () ishiboo com           /\_/\          mailto:hamors () litterbox org
for PGP public key block.          ( o.o )     http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA     > ^ <    http://www.litterbox.org/~hamors/
 Hi!  I'm a .signature virus!  Add me to your .signature and join in the fun!

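
The symptom reported above (processes left in the zombie state under SSH sessions whose link dropped) can be checked for from the process table. The following is an added example, not part of the original post: it groups zombie processes by their nearest `sshd` ancestor. The `ps` listing is constructed sample data and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed `ps -eo pid,ppid,stat,comm` listing (sample data, not from the post).
SAMPLE_PS = """\
  PID  PPID STAT COMMAND
    1     0 S    init
   70     1 S    sshd
  210    70 S    sshd
  211   210 Z    bash
  220    70 S    sshd
  221   220 Z    bash
  305    70 S    sshd
  306   305 S    bash
  308   306 Z    make
  400     1 Z    getty
"""

def parse_ps(text):
    """Return {pid: (ppid, stat, comm)} from the four-column listing."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0].isdigit():
            pid, ppid, stat, comm = fields
            procs[int(pid)] = (int(ppid), stat, comm.strip())
    return procs

def nearest_sshd(pid, procs, daemon="sshd"):
    """Walk the parent chain; return the closest ancestor named `daemon`, else None."""
    seen = set()                                # guards against a malformed PPID loop
    cur = procs[pid][0]
    while cur in procs and cur not in seen:
        seen.add(cur)
        if procs[cur][2] == daemon:
            return cur
        cur = procs[cur][0]
    return None

def zombies_by_session(procs):
    """Group zombie PIDs (STAT starting with 'Z') by the sshd process that owns them."""
    groups = defaultdict(list)
    for pid, (_, stat, _) in sorted(procs.items()):
        if stat.startswith("Z"):
            groups[nearest_sshd(pid, procs)].append(pid)
    return dict(groups)

if __name__ == "__main__":
    for session, pids in zombies_by_session(parse_ps(SAMPLE_PS)).items():
        owner = f"sshd[{session}]" if session is not None else "no sshd ancestor"
        print(f"{owner}: {len(pids)} zombie(s) {pids}")
```

Several per-connection `sshd` processes each holding unreaped children, alongside a rising load average and stale `who` entries, matches the pattern the post describes.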


