Bugtraq mailing list archives

ssh-proxy, a new approach to firewall software

From: mag () BUNUEL TII MATAV HU (Magosanyi Arpad)
Date: Thu, 13 Jan 2000 18:10:05 +0100


Hi!

After 3 days of furious programming, here is the half-finished code of
the ssh gateway: http://www.linux.hu/~mag/openssh.prepared.tar.gz
[No, it isn't even quarter finished, but I am forking to background again,
and have no time/whatever to end it in the foreseeable future (except
if one says "gee, it _is_ nice, here is the cash for finishing it")].

There are logically two parts of the work. Let's start with the more
boring one: I have modified a big part of the openssh code making
functions to include and use an int session parameter.
Now this parameter can be 0 or 1, but writing the necessary initialization
functions for the packet and the channel handling it is relatively 
straightforward to raise the limit to <undefined>.
Rationale: The ssh proxy needs at least two of the encrypted connections,
        because it has to talk with a client and a server in the same time.
Status: I _believe_ that this wasn't introduce a security hole, and
        possibly only minor bugs. I was modified every other line of the
        code in some sources, but the modifications were straightforward.
        I have tested it, and seems to work.
        Of course I cannot be sure that is the case.

The really interesting one is the ssh proxy (ssh-proxy.c). 
The idea is the following:
To the client it looks like an ssh daemon, but forwards anything politically
accepted to some other host, for which it looks like an ssh client.
Because the encryption, it does a "man-in-the-middle attack":
substitues every key with a fake one, etc,etc. So far it is the normal
behaviour an ssh proxy is expected to work. The design of the beast is
the interesting part:
        There is expected to be a higher level where the policy decisions
        are made: where to connect, when does the connection gets
        accepted, what are the substitue keys, etc. I think of the
        upper layer as a scheme script, part of which constitue
        the configuraion files, the other parts are the configuration
        library, which can be replaced by the admin if she knows a better.
        A bit like the state machine code of fw-1.
        Whenever the proxy gets to a state it generates an event and the
        upper layer decides on logging it, possibly aborting, and the
        parameters of the following control flow.
        The proxy knows the details of the protocol, the upper layer
        knows about the states of the protocol, and the configuration
        parts of it possibly knows only some configuration parameters.
        The communication of the proxy and the upper layer is done
        via events (the fw_event() function). Before the event the
        proxy sets variables which are the parameters of it ( with
        fw_set_option_* ). The upper layer makes decisions based
        those parameters, and other parameters set in previous events.
        The decisions are communicated either through setting variables
        or directly modifying the control flow (tipically aborting).
        The proxy reads the variables set by the upper layer (with
        fw_get_option_*), and acts accordingly.
Rationale: By my experience all firewall software have the problem
        of not giving enough chance of decision to the firewall
        administrator, and not going up enough on the OSI layer.
        The (even stateful) packet filters are by design cannot easily have
        the information needed to do real firewalling work. The proxy
        firewalls would have the chance, but (at least I) haven't seen
        one which would really pull everything which is in the
        technology. Typically they stop at IP based access control,
        user based access control where inbound authentication is
        easy enough, and some simple filtering capability. And you end
        up using just plugs for everything, which is nearly as bad as
        just having a packet filter. Maybe your vendor calls
        one particular setup of his plug as samba gateway, and if
        you not look into the insides of your firewall, you will
        think that it really parses the protocol. (Practice #1
        for script kiddies: fire a VPN through telnet port using ssh 
        and have your firewall administrator not notice it. 
        Practice #1 for firewall administrators: Make it at least
        a bit harder to do for a script kiddie with your current
        firewall software.)
        So we need something which can keep up with the kiddies at least.
        Here is it. If you like buzzwords, call it stateful proxy
        technology. Have a proxy, and if you like it, alter
        every nuance of the way it speaks the protocol.
        And (it doesn't appear in the code, because it isn't
        ready), if you need to stack in something to keep care
        of the healthy state of your data and systems (covert
        channel minimising comes to mind), just stack it in, and
        have phun.
Status:
        A serious programmer does not give out such a code. I wouldn't
        either, but I have to abort this project of mine here and
        I hope someone will find it interesting enough to keep on.
        What is written is only ssh-proxy.c and fw/fw.h . 
        It compiles cleanly to object, but you would not find
        a lib to link with, and there is no main() anywhere.
        (Yes, there is a proxy_main()).
        What is missing:
                The helper functions on the bottom, and the upper layer
                on the top:)
                Everything after we got into the server. There is no channel
                code, or main loop.
        What we have:
                Lots of memory leaks. If you give me a buck for every memory
                leak you find in the code, I will be _rich_!
                Surely other bugs. 1400 lines of C code untested
                should be a very healthy location for millions of bugs.
                If you ever have problems about your house having to many
                bugs, just untar the archive to the carpet, wait until
                the bugs run in, and put out the thing to the dust bin.

Credits:
        To the openssh team.
        To the ALF team.

-- 
GNU GPL: csak tiszta forrásból

Current thread:

Re: usual iploggers miss some variable stealth scans, (continued)
- - - Re: usual iploggers miss some variable stealth scans Andrea Gho (Jan 20)
    - Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
    - *BSD procfs vulnerability FEAR Advisories (Jan 21)
    - Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
    - stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
    - Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)
    - Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Vanja Hrustic (Jan 22)
    - Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Markus Hofmann (Jan 22)
    - Administrivia Elias Levy (Jan 18)
    - Info on some security holes reported against SCO Unixware. Aaron Sigel (Jan 13)
    - ssh-proxy, a new approach to firewall software Magosanyi Arpad (Jan 13)
    - Re: Hotmail security hole - injecting JavaScript using <IMG Ajax (Jan 11)
    - Serious Bug in Corel Linux.(Local root exploit) tascon () ENETE GUI UVA ES (Jan 12)
    - secure-programs howto Signal 11 (Jan 09)
    - strace can lie ... but LTT might be handy Karim Yaghmour (Jan 09)
    - 2nd attempt: AIX techlibss follows links Klaus.Kusche () OOE GV AT (Jan 10)
    - NIS2k Bacano (Jan 11)
    - Password issue in Axent ESM 5.0.1 Console Todd (Jan 12)
    - Re: Password issue in Axent ESM 5.0.1 Console Scott Blake (Jan 14)
    - Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x Ussr Labs (Jan 13)
    - Re: NIS2k Brad Griffin (Jan 13)

(Thread continues...)