Bugtraq mailing list archives
More ssh fun (sshd this time)
From: ivo () ZERO XS4ALL NL (Ivo van der Wijk)
Date: Tue, 19 Aug 1997 14:34:20 +0200
Hi,

I hope this hasn't been posted before, but I think it hasn't. It concerns a bug in ssh/sshd, allowing non-root to redirect privileged ports on, at least, Linux, Solaris and SunOS.

I've informed my ISP's sysadmin of the LocalForward problem (if you missed it, adding a line like

    LocalForward 80 remotehost:80

to your $HOME/.ssh/config will forward a privileged port to a remote port, without needing root). Anyway, he fixed it, and I showed him the bug still works when using 2^16 + 80 (i.e. 16-bit wrap). Make sure that if you decide not to remove the suid-root bit like my sysadmin, but patch ssh itself, not to make this mistake.

Ok, he also fixed this problem, but then I got the idea to hack sshd using the same trick! On host1, you open an ssh connection to a machine running sshd where you have a working account using -R (RemoteForward, which is somewhat the opposite of LocalForward, but behaves the same in this case) like this:

    host1$ ssh -R 65621:host1.com:80 victim.com
    ivo's password:
    victim$

(in this case, 65621 is equal to 2^16+85, i.e. port 85; the other ports were in use (by previous attempts :). And sshd on victim.com will happily forward privileged port victim.com:85 to host1.com:80!

Some remarks:

- This could also be considered a bug in bind(), because it doesn't wrap port numbers > 65536, but still, it makes sshd vulnerable, at least on Linux (2.0.29), Solaris 2.4 and SunOS 4.1.4
- People who patched ssh or removed the suid-bit are still vulnerable, because this is a bug in sshd, not ssh
- You need to login on victim.com before sshd will redirect the port.

That's all,

Ivo

--
------------------------------------------------------------------------
Name: Ivo van der Wijk            | Walk... in silence
Internet: ivo () zero xs4all nl   | Don't walk away.. in silence
URL: none                         | See the danger... always danger
IRC: VladDrac                     | Endless talking... life rebuilding
                                  | Don't walk away
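The 16-bit wrap described in the post, as an added example that is not part of the original message or of ssh/sshd itself: a privileged-port check applied to the full integer (the flawed pattern) beside one that range-checks the request before it is narrowed to the 16-bit port field that bind() actually uses. The function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the port a socket ends up bound to. sin_port is a
 * 16-bit field, so the requested value is reduced modulo 65536
 * (65621 -> 85, 65616 -> 80). */
uint16_t port_as_bound(long requested)
{
    return (uint16_t)requested;
}

/* Flawed pattern: the privilege check looks at the full integer, so
 * 65621 passes the "< 1024" test, yet the socket is bound to port 85. */
int forward_allowed_flawed(long requested, int is_root)
{
    if (requested < 1024 && !is_root)
        return 0;
    return 1;
}

/* Hardened pattern: reject anything outside 1..65535 before the value is
 * narrowed, so the privilege check sees the same port bind() will see. */
int forward_allowed_fixed(long requested, int is_root)
{
    if (requested < 1 || requested > 65535)
        return 0;
    if (requested < 1024 && !is_root)
        return 0;
    return 1;
}

int main(void)
{
    long req = 65621; /* the value from the post: 2^16 + 85 */
    printf("requested %ld binds to port %u\n", req,
           (unsigned)port_as_bound(req));
    printf("flawed check allows: %d, fixed check allows: %d\n",
           forward_allowed_flawed(req, 0), forward_allowed_fixed(req, 0));
    return 0;
}
```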
Current thread:
- More ssh fun (sshd this time) Ivo van der Wijk (Aug 19)
- Re: More ssh fun (sshd this time) Olaf Titz (Aug 23)
- Sun Security Bulletin #00152 Aleph One (Aug 25)
- Sun Security Bulletin #00153 Aleph One (Aug 25)
- Active X exploit. Peter Shipley (Aug 25)
- Re: More ssh fun (sshd this time) Wietse Venema (Aug 25)
- <Possible follow-ups>
- Re: More ssh fun (sshd this time) Thamer Al-Herbish (Aug 23)
- Re: More ssh fun (sshd this time) Solar Designer (Aug 27)
- Re: More ssh fun (sshd this time) Paul H. Hargrove (Aug 27)
- Re: More ssh fun (sshd this time) Christopher Craig (Aug 27)
- Integer Overflows Solar Designer (Aug 27)