Bugtraq mailing list archives

Re: sshd exploit?


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Sun, 6 Sep 1998 07:41:52 -0400


> A long while ago, users thorns and __fox started appearing on IRC
> with root idents from machines on which they obviously did not have
> root privileges.  It turned out that this was a side effect of ssh
> tunneling, i.e. forwarding TCP/IP ports over an ssh connection, and
> the fact that sshd was running as root on the server.
>
> It seems to me that this could be exploitable.

Only vaguely - only to the extent that port-113 information is trusted,
which should border on "not at all", at least by the machine that
receives it.

> For example, one could:
> (1) forward a connection to the mail port on a public machine,
> (2) then connect to localhost:1234 and send mail that appears to be
>     coming from root@mailmachine.

The mail would appear to be from root@mailmachine only in the Received:
header - though admittedly that would be quite enough to be a potential
problem.

> For example, I don't see why one couldn't also forward rshd
> connections and hack the rlogin client to connect to arbitrary ports.

I believe this is not a danger.  rsh does not use the pidentd
information for its authentication; it simply believes the client,
provided it's connecting from a "secure" port (one <1024).  Since such
ports are never handed out by the kernel except on explicit request,
even when uid==0, I don't see any risk here.

Nonetheless, this behavior of sshd is a real problem; the major risk is
that it can destroy any traceability of the connections - that is,
while pidentd info is not trustable by the machine receiving it, it is
often trusted by the admin of the machine sending it.  What sshd should
do is set its ID to that of the user it's logged in as.  If it needs
privilege later, it should fork a super-user child for the purpose
before dropping privileges.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

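The three mechanisms argued over in this thread, as an added example (this is not code from the post, from sshd, or from pidentd): what an ident daemon actually answers (the uid that owns the local socket, which is root when a root sshd holds the forwarded connection), why der Mouse's rsh point holds (a socket bound to port 0 is never handed a port below 1024), and the fix he proposes (fork a privileged helper first, then drop to the user's uid/gid irreversibly). The socket-owner lookup reads constructed /proc/net/tcp-style lines, which is how a Linux identd finds the owner; pidentd in 1998 read kernel memory instead, so that part is a stand-in for the same lookup. Sample rows, addresses and uids are constructed.

```python
"""Ident, reserved ports and privilege dropping: added example, not from the post."""
import os
import socket

IPPORT_RESERVED = 1024  # rsh/rlogin treat source ports below this as "secure"

# Constructed /proc/net/tcp sample.  Fields: sl, local_address, rem_address, st,
# queues, timer, retrnsmt, uid, ...  Addresses are hex, IPv4 in little-endian order.
#   row 0: sshd's listening socket (root)
#   row 1: a port-forwarded connection to mailmachine:25 held by a root sshd -> uid 0
#   row 2: the same connection after sshd setuid()s to the logged-in user -> uid 1000
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0A00000A:C0DE 0B00000B:0019 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 20 4 30 10 -1
   2: 0A00000A:C0DF 0B00000B:0019 01 00000000:00000000 00:00000000 00000000  1000        0 5679 1 0 20 4 30 10 -1
"""


def _parse_addr(hexaddr):
    """'0A00000A:C0DE' -> ('10.0.0.10', 49374); the IP bytes are stored little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def socket_owner_uid(proc_net_tcp, local_port, remote_ip, remote_port):
    """The answer identd gives for a (local port, remote endpoint) pair: owning uid or None."""
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        _, lport = _parse_addr(f[1])
        rip, rport = _parse_addr(f[2])
        if lport == local_port and rip == remote_ip and rport == remote_port:
            return int(f[7])
    return None


def ident_reply(local_port, remote_port, uid, names=None):
    """RFC 1413 reply line; the uid-to-name table is supplied by the caller (constructed)."""
    if uid is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    name = (names or {}).get(uid, str(uid))
    return f"{local_port} , {remote_port} : USERID : UNIX : {name}"


def kernel_assigned_port():
    """bind() to port 0 and return the port the kernel picked: always >= 1024."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_privileged_helper(task):
    """Fork BEFORE dropping privileges; the child runs `task` with the parent's
    current credentials and sends str(result) back over a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: keeps whatever privilege the parent still has
        os.close(r)
        try:
            os.write(w, str(task()).encode())
        finally:
            os._exit(0)
    os.close(w)
    chunks = []
    while True:
        b = os.read(r, 4096)
        if not b:
            break
        chunks.append(b)
    os.close(r)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode()


def drop_privileges(uid, gid):
    """Irreversibly become uid/gid.  Order matters: supplementary groups first
    (needs root), then gid, then uid.  Verifies root cannot be regained."""
    if os.geteuid() == 0:
        os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop failed: regained uid 0")
    return os.getuid(), os.geteuid(), os.getgid(), os.getegid()


if __name__ == "__main__":
    names = {0: "root", 1000: "thorns"}  # constructed uid table
    for lport in (49374, 49375):
        uid = socket_owner_uid(SAMPLE_PROC_NET_TCP, lport, "11.0.0.11", 25)
        print(ident_reply(lport, 25, uid, names))
    print("kernel-assigned port:", kernel_assigned_port())
    print("helper ran as euid:", run_privileged_helper(os.geteuid))
    print("after drop:", drop_privileges(os.getuid(), os.getgid()))
```

Run as root against a real user the drop is genuine; run unprivileged it degenerates to setting the ids you already have, which is why the regain check only fires for a non-zero target uid. The sshd ordering is the whole point: the helper is forked while still root, and nothing that touches a forwarded connection runs before drop_privileges() has returned.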