Bugtraq mailing list archives

More ssh fun (sshd this time)
From: ivo () ZERO XS4ALL NL (Ivo van der Wijk)
Date: Tue, 19 Aug 1997 14:34:20 +0200


I hope this hasn't been posted before, but I think it hasn't. It concerns
a bug in ssh/sshd, allowing non-root to redirect privileged ports on, at
least, Linux, Solaris and SunOS.

I've informed my ISP's sysadmin of the LocalForward problem
(if you missed it, adding a line like

        LocalForward 80 remotehost:80

to your $HOME/.ssh/config will forward a privileged port to a remote port,
without needing root).

Anyway, he fixed it, and I showed him the bug still works when using
2^16 + 80 (i.e. 16-bit wrap). Make sure that if you decide not to remove
the suid-root bit like my sysadmin, but patch ssh itself, not to make this

Ok, he also fixed this problem, but then I got the idea to hack sshd using the
same trick!

On host1, you open an ssh connection to a machine running sshd where you
have a working account using -R (RemoteForward, which is somewhat the opposite
of LocalForward, but behaves the same in this case) like this:

host1$ ssh -R 65621:host1.com:80 victim.com
ivo's password:

(in this case, 65621 is equal to 2^16+85, i.e. port 85; the other ports
were in use by previous attempts :)

And sshd on victim.com will happily forward privileged port victim.com:85
to host1.com:80!

Some remarks:

- This could also be considered a bug in bind(), because it doesn't wrap
  port numbers > 65536, but still, it makes sshd vulnerable, at least on Linux
  (2.0.29), Solaris 2.4 and SunOS 4.1.4

- People who patched ssh or removed the suid bit are still vulnerable, because
  this is a bug in sshd, not ssh

- You need to login on victim.com before sshd will redirect the port.

That's all,


Name:     Ivo van der Wijk    | Walk... in silence
Internet: ivo () zero xs4all nl  | Don't walk away.. in silence
URL:      none                | See the danger... always danger
IRC:      VladDrac            | Endless talking... life rebuilding
                              | Don't walk away
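Added illustration (not part of the original post, and not ssh's own source): the post's trick works because the port number is range-checked as a wide integer but then narrowed to the 16-bit sin_port field, so 65621 becomes 85. The block below is hypothetical C that models the flawed ordering (check, then truncate) next to a hardened parser that validates the full value before narrowing it, which is the fix an sshd maintainer would apply. Function names, the "is_root" flag and the 1024 privileged-port boundary are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>    /* htons(), ntohs() */
#include <netinet/in.h>   /* struct sockaddr_in */

#define PRIVILEGED_PORT_LIMIT 1024   /* assumption: classic Unix privileged range */

/* Hypothetical model of the vulnerable path: the privileged-port policy is
 * applied to the wide value the user typed, and only afterwards is the value
 * stored into the 16-bit sin_port field. 65621 passes the check (>= 1024) but
 * only its low 16 bits survive the narrowing: 65621 & 0xFFFF == 85.
 * Returns the port that would actually be bound, or 0 if the policy refused. */
unsigned short bound_port_unchecked(long requested, int is_root)
{
    if (!is_root && requested < PRIVILEGED_PORT_LIMIT)
        return 0;                       /* policy check on the un-narrowed value */

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)requested);  /* silent 16-bit truncation */
    return ntohs(sin.sin_port);
}

/* Hypothetical hardened parser: parse the whole string, reject trailing junk,
 * overflow and anything outside 1..65535, and only then narrow to 16 bits.
 * Returns 0 on rejection (0 is never a valid forwarding port). */
unsigned short parse_port_checked(const char *text)
{
    char *end;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return 0;                       /* not a clean decimal number */
    if (value < 1 || value > 65535)
        return 0;                       /* cannot be represented in 16 bits */
    return (unsigned short)value;       /* safe: range already verified */
}

/* Policy applied to the already-validated 16-bit port, so the value checked
 * is the same value that bind() will see. */
unsigned short bound_port_checked(const char *text, int is_root)
{
    unsigned short port = parse_port_checked(text);
    if (port == 0)
        return 0;
    if (!is_root && port < PRIVILEGED_PORT_LIMIT)
        return 0;
    return port;
}

int main(void)
{
    /* Constructed inputs mirroring the post: 65621 == 2^16 + 85 */
    printf("unchecked 65621 as non-root -> port %u\n", bound_port_unchecked(65621, 0));
    printf("checked   65621 as non-root -> port %u\n", bound_port_checked("65621", 0));
    printf("checked   8080  as non-root -> port %u\n", bound_port_checked("8080", 0));
    return 0;
}
```

The detection-side lesson is the same as the code-side one: any port value must be validated against 1..65535 in the type it was parsed into, before it is converted to the type bind() uses, and the privilege check must run on the converted value.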
