SSH localforward vulnerability

Summary
Description: SSH does not check that the user is root before forwarding privileged ports requested through LocalForward lines in the user's ~/.ssh/config; the check is only applied to the -L command-line option. An unprivileged user can therefore bind a privileged local port (such as 80) and redirect it over the SSH channel, which opens the door to a number of serious security holes.
Author: Kristof Van Damme <aeneas@sesuadra.org>
Compromise: Redirect privileged ports to arbitrary ports on other (or the same) hosts.
Vulnerable Systems: Anything running ssh 1.2.20 (probably earlier versions too).
Date: 2 August 1997
Notes: Some implementations of sshd will also accept a port number such as 65616, which wraps around to port 80 when stored in a 2-byte unsigned short (65616 - 65536 = 80). In some cases checks like this can also be fooled with a negative number, but fortunately ssh rejects those, probably by accident: any negative value satisfies the (port < 1024) test and is refused as a privileged port.
Details


Date: Sat, 2 Aug 1997 16:33:51 +0200
From: Kristof Van Damme <aeneas@sesuadra.org>
To: BUGTRAQ@NETSPACE.ORG
Subject: SSH LocalForward

Hi,

I bumped into a weird 'feature' of ssh 1.2.20. When I run:

ssh -L 80:remotehost:80 remotehost

as a normal user I get the expected error:

Privileged ports can only be forwarded by root.


But when I put:

LocalForward    80      remotehost:80

in my ~/.ssh/config file and connect to the remote host I don't get the
error and port 80 is opened on the localhost (an httpd was not running,
the port must be available). When I connect to it I get a normal
redirection to remotehost:80 over the secure channel. This means however
that a non-root user is able to open privileged ports on the localhost and
redirect them. Is this normal? I checked it on Linux and Solaris.

Aeneas
----------------------------------------------------------------------
|Kristof Van Damme                                                   |
|System Administrator                                                |
|e-mail: aeneas@sesuadra.org                                         |
|voice: +32 9 3558603                                                |
----------------------------------------------------------------------
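The two problems this page describes, as an added example that is not ssh 1.2.20 source (the function, struct and enum names are hypothetical): a privileged-port check that lives only on the command-line path, so the config-file path binds port 80 unchecked, plus the note about a port like 65616 passing a plain (port < 1024) test and then wrapping to 80 once stored in a 16-bit field. Beside it is the shape of the fix: one strict port parser and one entry point that both the -L parser and the ~/.ssh/config parser must go through.

```c
/* Added example, not ssh 1.2.20 source. Models the missing check on the
 * config-file path and the 16-bit port wraparound, then a single shared
 * entry point that applies the rule regardless of where the forward came from. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPPORT_RESERVED 1024   /* first non-privileged port on Unix */

/* Where a LocalForward request came from (hypothetical). */
enum fwd_source { FWD_CMDLINE, FWD_CONFIG };

/* What eventually reaches a struct sockaddr_in: ports are 16 bits wide. */
struct forward { uint16_t local_port; char host[64]; uint16_t remote_port; };

/* --- Vulnerable pattern ------------------------------------------------- */

/* Command-line -L path: atoi() plus a check only against 1024.
 * Returns 0 on success, -1 if refused. "65616" passes the check (it is not
 * below 1024) and is silently truncated to 80 when stored in 16 bits;
 * a negative value is refused only because it happens to be < 1024. */
int vuln_add_forward_cmdline(struct forward *f, const char *lport, const char *host,
                             const char *rport, int is_root) {
    int lp = atoi(lport);
    if (lp < IPPORT_RESERVED && !is_root)
        return -1; /* "Privileged ports can only be forwarded by root." */
    f->local_port = (uint16_t)lp;
    strncpy(f->host, host, sizeof f->host - 1);
    f->host[sizeof f->host - 1] = '\0';
    f->remote_port = (uint16_t)atoi(rport);
    return 0;
}

/* ~/.ssh/config LocalForward path: same storage, but the check was never
 * repeated here, so a normal user gets port 80 bound without complaint. */
int vuln_add_forward_config(struct forward *f, const char *lport, const char *host,
                            const char *rport) {
    f->local_port = (uint16_t)atoi(lport);
    strncpy(f->host, host, sizeof f->host - 1);
    f->host[sizeof f->host - 1] = '\0';
    f->remote_port = (uint16_t)atoi(rport);
    return 0;
}

/* --- Hardened pattern --------------------------------------------------- */

/* Strict decimal parse into 1..65535; -1 on empty input, trailing junk,
 * overflow, negatives, zero or anything above 65535 (so 65616 cannot wrap). */
int parse_port(const char *s) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || errno == ERANGE) return -1;
    if (v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Single entry point used by BOTH the -L parser and the config-file parser,
 * so the privilege check cannot be skipped depending on the request's origin.
 * `source` is carried only so a caller could log where a refusal came from. */
int add_forward(struct forward *f, enum fwd_source source, const char *lport,
                const char *host, const char *rport, int is_root) {
    int lp = parse_port(lport), rp = parse_port(rport);
    (void)source;
    if (lp < 0 || rp < 0) return -1;                   /* bad port syntax/range */
    if (lp < IPPORT_RESERVED && !is_root) return -1;   /* same rule on every path */
    if (strlen(host) >= sizeof f->host) return -1;
    f->local_port = (uint16_t)lp;
    strcpy(f->host, host);
    f->remote_port = (uint16_t)rp;
    return 0;
}

int main(void) {
    struct forward f;
    int not_root = 0;
    printf("-L 80 (cmdline):        %d\n", vuln_add_forward_cmdline(&f, "80", "remotehost", "80", not_root));
    printf("LocalForward 80 (config): %d, bound port %d\n",
           vuln_add_forward_config(&f, "80", "remotehost", "80"), (int)f.local_port);
    printf("-L 65616 (cmdline):     %d, bound port %d\n",
           vuln_add_forward_cmdline(&f, "65616", "remotehost", "80", not_root), (int)f.local_port);
    printf("fixed, config 80:       %d\n", add_forward(&f, FWD_CONFIG, "80", "remotehost", "80", not_root));
    printf("fixed, cmdline 65616:   %d\n", add_forward(&f, FWD_CMDLINE, "65616", "remotehost", "80", not_root));
    return 0;
}
```

The point of the fix is structural rather than a matter of one extra `if`: every code path that can create a forward must funnel through the same function, and that function must reject the port before it is narrowed to 16 bits, otherwise a check written against the wide integer says nothing about the port the socket actually binds.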

This page is part of Fyodor's exploit world.