![[LWN Logo]](/images/lwn.banner.gif)
Date: Sat, 5 Sep 1998 19:55:50 -0400
From: Navindra Umanee <navindra@CS.MCGILL.CA>
Subject: sshd exploit?
To: BUGTRAQ@NETSPACE.ORG
Montreal Sat Sep 5 19:50:56 1998
[Aleph, please do filter out this post if it is old news, irrelevant
or unsuitable in any way. I've searched the archives but haven't
seen anything related.]
A long while ago, users thorns and __fox started appearing on IRC with
root idents from machines on which they obviously did not have root
priviledges. It turned out that this was a side effect of ssh
tunneling, ie. forwarding TCP/IP ports over an ssh connection, and the
fact that sshd was running as root on the server.
It seems to me that this could be exploitable. For example, one could:
(1) forward a connection to the mail port on a public machine,
ssh -L 1234:mailmachine:25 mailmachine sleep 100
(2) then connect to localhost:1234 and send mail that appears to be
coming from root@mailmachine.
While I realise that identd was never meant to be a proper form of
authentication, many running rshd servers still rely on it and sshd's
behavior may turn out to be rather problematic.
For example, I don't see why one couldn't also forward rshd
connections and hack the rlogin client to connect to arbitrary ports.
One could then find an accessible machine with root in the .rhosts or
hosts.equiv -- this is not as uncommon as one would think.
Navin