Date: Sat, 5 Sep 1998 19:55:50 -0400 From: Navindra Umanee <navindra@CS.MCGILL.CA> Subject: sshd exploit? To: BUGTRAQ@NETSPACE.ORG Montreal Sat Sep 5 19:50:56 1998 [Aleph, please do filter out this post if it is old news, irrelevant or unsuitable in any way. I've searched the archives but haven't seen anything related.] A long while ago, users thorns and __fox started appearing on IRC with root idents from machines on which they obviously did not have root priviledges. It turned out that this was a side effect of ssh tunneling, ie. forwarding TCP/IP ports over an ssh connection, and the fact that sshd was running as root on the server. It seems to me that this could be exploitable. For example, one could: (1) forward a connection to the mail port on a public machine, ssh -L 1234:mailmachine:25 mailmachine sleep 100 (2) then connect to localhost:1234 and send mail that appears to be coming from root@mailmachine. While I realise that identd was never meant to be a proper form of authentication, many running rshd servers still rely on it and sshd's behavior may turn out to be rather problematic. For example, I don't see why one couldn't also forward rshd connections and hack the rlogin client to connect to arbitrary ports. One could then find an accessible machine with root in the .rhosts or hosts.equiv -- this is not as uncommon as one would think. Navin