Bugtraq mailing list archives
Possible Denial of Service: SSH
From: hamors () litterbox org (Sean B. Hamor)
Date: Tue, 17 Dec 1996 22:19:56 -0500
I believe I may have found a possible denial of service attack for use against SSH. The attack requires an account on the target machine. I found this using the following setup:

Server:
  Linux litterbox 2.0.25 #5 Tue Nov 26 19:17:37 EST 1996 i486
  SSH Version 1.2.17 [i486-unknown-linux], protocol version 1.5.
  Standard version. Does not use RSAREF.
  Direct ethernet connection to the Internet

Client:
  Windows 95
  SSH Version 1.0 Test Copy (expires end of December)
  Dialup PPP connection to the Internet

I have been able to recreate this twice, but don't want to continue testing because I've already lost data on my mission critical machine. >=)

It seems that when my Windows 95 laptop establishes a connection to my Linux box via SSH and the PPP connection drops, all processes that were being controlled by the inbound SSH connection get zombied out. If I establish a connection and exit/drop the SSH connection, the Linux box recovers fine. This problem only occurs when the PPP connection drops.

The first time this happened, I tried logging in multiple times to fix the box. Because of an unreliable phone line, the PPP connection dropped five or six times, leaving five or six zombied out sessions. "No problem," I thought. Just log back in, su to root and shutdown -r, right? Nope. How about reboot? Nope. Hrm...init 6? No beans. WTF? Just for the Hell of it...kill -9 -1. Nothing.

I tried an uptime. Load average of 25. Did a who...all 9 of my previous connections were still ghosted in utmp. I fired off email to my girlfriend to tell her not to log in at console. Of course, she read the email after logging in at console. >=) She logged back out immediately. I did a ps -auxww...every single process that had been executed when she logged in at console (init 4) had been zombied out. The load was up to 31 now.

My only option was to power cycle the machine when I got home from work. When I did get home and turned on the monitor, the screen was going crazy, almost like when an svgalib program bombs out or when SuperProbe decides to make your video card trip out.

Anyway...I'd be interested in seeing if anyone else has had this problem (or if it's a known bug). The attack failed against a Linux 1.2.13 box running sshd 1.2.17.

Finger hamors () ishiboo com       /\_/\   mailto:hamors () litterbox org
for PGP public key block.         ( o.o )  http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA    > ^ <   http://www.litterbox.org/~hamors/
Hi! I'm a .signature virus!  Add me to your .signature and join in the fun!
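A triage check for the two symptoms reported above (zombied processes and sessions still ghosted in utmp), as an added example that is not part of the original post. The process listing follows the `ps -eo pid,ppid,stat,tty,comm` column layout; the sample listing, the utmp tuples, the user names and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in `ps -eo pid,ppid,stat,tty,comm` layout (not from the reporter's box).
SAMPLE_PS = """\
  PID  PPID STAT TT       COMMAND
    1     0 S    ?        init
  210     1 S    ?        sshd
  305   210 S    ?        sshd
  306   305 Z    ttyp0    bash <defunct>
  320   210 S    ?        sshd
  321   320 Z    ttyp3    bash <defunct>
  410   210 S    ?        sshd
  411   410 S    ttyp1    bash
"""

# Constructed utmp view: (user, line, pid of the session's login process).
SAMPLE_UTMP = [("alice", "ttyp0", 306), ("alice", "ttyp2", 350), ("bob", "ttyp1", 411)]

def parse_ps(text):
    """Parse the listing into {pid: {ppid, stat, tty, comm}}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split(None, 4)
        if len(f) == 5:
            procs[int(f[0])] = {"ppid": int(f[1]), "stat": f[2],
                                "tty": f[3], "comm": f[4]}
    return procs

def zombies_by_parent(procs):
    """Group zombies (STAT starting with Z) under the parent that has not reaped them."""
    groups = defaultdict(list)
    for pid, p in procs.items():
        if p["stat"].startswith("Z"):
            groups[p["ppid"]].append(pid)
    return {ppid: sorted(pids) for ppid, pids in groups.items()}

def stale_sessions(utmp, procs):
    """Return utmp entries whose recorded process is gone or is a zombie."""
    stale = []
    for user, line, pid in utmp:
        p = procs.get(pid)
        if p is None or p["stat"].startswith("Z"):
            stale.append((user, line, "missing" if p is None else "zombie"))
    return stale

if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for ppid, pids in zombies_by_parent(table).items():
        print(f"parent {ppid} ({table[ppid]['comm']}) has unreaped children {pids}")
    for user, line, why in stale_sessions(SAMPLE_UTMP, table):
        print(f"stale utmp entry: {user} on {line} ({why})")
```

Zombies that pile up under one parent point at the process that stopped reaping its children, which is the first thing to record before a machine in this state is power cycled.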