| Summary |
|---|
| Description: | SSH forgets to check that a user is root before forwarding privileged ports as directed by the user's ~/.ssh/config. This could cause a number of very serious security holes. |
| Author: | Kristof Van Damme <aeneas@sesuadra.org> |
| Compromise: | Redirect privileged ports to arbitrary ports on other (or the same) hosts. |
| Vulnerable Systems: | Anything running ssh 1.2.20 (probably earlier versions too). |
| Date: | 2 August 1997 |
| Notes: | Also note that some implementations of sshd will allow you to give a port number like 65616, which is really port 80 when the 2-byte unsigned short wraps around. Remember too that in some cases you can fool these checks by giving them a negative number, but fortunately ssh catches that (albeit probably accidentally, with the (port < 1024) check). |
| Details |
|---|
Date: Sat, 2 Aug 1997 16:33:51 +0200
From: Kristof Van Damme <aeneas@sesuadra.org>
To: BUGTRAQ@NETSPACE.ORG
Subject: SSH LocalForward

Hi,

I bumped into a weird 'feature' of ssh 1.2.20. When I run:

    ssh -L 80:remotehost:80 remotehost

as a normal user I get the expected error:

    Privileged ports can only be forwarded by root.

But when I put:

    LocalForward 80 remotehost:80

in my ~/.ssh/config file and connect to the remote host I don't get the error and port 80 is opened on the localhost (an httpd was not running, the port must be available). When I connect to it I get a normal redirection to remotehost:80 over the secure channel.

This means however that a non-root user is able to open privileged ports on the localhost and redirect them. Is this normal? I checked it on Linux and Solaris.

Aeneas

----------------------------------------------------------------------
|Kristof Van Damme            |
|System Administrator         |
|e-mail: aeneas@sesuadra.org  |
|voice: +32 9 3558603         |
----------------------------------------------------------------------
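
Both problems on this page, a privilege check applied to the command-line path but not the config-file path and a port number that wraps when narrowed to 16 bits, are closed by routing every forward request through one validation function. The following C is an added example, not code from ssh; the function names, status codes and the `uid` parameter are hypothetical, and a 16-bit `unsigned short` is assumed.

```c
#include <errno.h>
#include <stdlib.h>

#define PRIV_PORT_LIMIT 1024   /* ports below this require root to bind */

enum fwd_status { FWD_OK = 0, FWD_BAD_PORT = -1, FWD_NEED_ROOT = -2 };

/* Parse a listen port from text. The range check runs on the full-width
 * long, before any narrowing to 16 bits, so 65616 is rejected instead of
 * wrapping to 80 and -1 is rejected instead of becoming 65535. */
static enum fwd_status parse_port(const char *s, unsigned short *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 65535)
        return FWD_BAD_PORT;
    *out = (unsigned short)v;
    return FWD_OK;
}

/* Single choke point for every source of a local forward request: the
 * -L command-line option and the LocalForward config line both call it.
 * uid is assumed to be the real user id of the invoking user. */
enum fwd_status check_local_forward(const char *port_text, unsigned int uid,
                                    unsigned short *port)
{
    enum fwd_status st = parse_port(port_text, port);

    if (st != FWD_OK)
        return st;
    if (*port < PRIV_PORT_LIMIT && uid != 0)
        return FWD_NEED_ROOT;
    return FWD_OK;
}

/* For comparison: narrowing without a prior range check (65616 -> 80). */
unsigned short narrow_unchecked(long v)
{
    return (unsigned short)v;
}
```

Because the privilege decision is made on the already range-checked value, a wrapped or negative port can never reach the `< 1024` comparison.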