
| Subject: | [VulnWatch] SSHD / AnonCVS Nastyness |
|---|---|
| Date: | Wed, 1 Sep 2004 19:36:36 -0700 |
SSHD / AnonCVS Port Bouncing Nastyness

Advisory URL: http://pacsec.jp/advisories.html

Summary:
--------
Sites with default SSHD configs and anonymous CVS or other "public" access are vulnerable to port bounce attacks.

Details:
--------
SSHD defaults to AllowTcpForwarding "yes" in /etc/ssh/sshd_config. I'm told there are some good reasons for keeping this like that. Normally this is not an issue because you have to authenticate and log in to enable the port forwarding. However, combined with anonymous access, this allows some fairly evil post-authentication port bouncing misbehaviour. This could be an issue for any site with "well known" login credentials like "anoncvs", or become a potential problem for other no-shell type logins for ssh services. The most commonly available such service is AnonCVS repositories. (Some repositories, like the OpenBSD cvs servers, have been notified and have now reconfigured their systems to avoid issues with this.)

So these kinds of public access systems should make sure to explicitly override the default setting of AllowTcpForwarding to "no" in /etc/ssh/sshd_config to avoid their system being used for arbitrary tcp port redirection and many errr... "games". Depending on the configuration this port bouncing can be active for only a short period of time after initiation, or until the process terminates, but even in the best case it can be enough time to inject something like a mail message. (The most evil application of this IMHO could be another vector for anonymous spam injection. So check your code repositories now to make sure you aren't giving spammers another toy.)

Fix:
----
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config

Note that sshd uses the first value it obtains for a keyword, so appending only takes effect if there is no earlier uncommented AllowTcpForwarding line in the file; if there is one, change that line instead. Restart or reload (SIGHUP) sshd afterwards so the new setting is read.

Systems Affected:
- All recent versions of OpenSSH that have publicly accessible connections.
- Any other SSH Daemon that supports tcp port forwarding.

Credits:
- Johan Beisser <jan@caustic.org> discovered the issue and wants to give shit to the people who ignored it when he mentioned it to them in March :-)
- Tim Newsham <newsham@lava.net> of The Logan Group did research on the extent of the problem, demonstrated real world use, and highlighted key threats caused therein.
- Christian "naddy" Weisgerber <naddy@mips.inka.de> has been talking about this for "years" and added AllowTcpForwarding. Thanks :-)

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp
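The fix above is a one-line append, which is only safe when nothing earlier in the file already sets the keyword: sshd honours the first value it obtains for each keyword, and everything after a Match line applies only to that block. The following is an added example, not code from the advisory or from OpenSSH: a small POSIX sh/awk audit that reports the effective global AllowTcpForwarding value of a given sshd_config under those rules, plus a hardening function that replaces an existing explicit setting rather than blindly appending. The sample config contents are constructed for the demonstration, and the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the advisory). Audit and fix the *effective*
# global AllowTcpForwarding value in an sshd_config.
#
# Rules mirrored from sshd_config(5):
#   - the first obtained value for a keyword wins;
#   - comments (#...) are ignored, keywords are case-insensitive,
#     "Keyword=value" is accepted as well as "Keyword value";
#   - a Match line ends the global section.

# Print the effective global value: yes (the default when unset), no,
# local or remote.  Usage: effective_tcp_forwarding /etc/ssh/sshd_config
effective_tcp_forwarding() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " "); n = split($0, f) }
        n && tolower(f[1]) == "match" { exit }               # global section over
        n && tolower(f[1]) == "allowtcpforwarding" {
            val = tolower(f[2]); found = 1; exit             # first value wins
        }
        END { print (found ? val : "yes") }
    ' "$1"
}

# Rewrite the file in place so the global value is "no": replace the first
# explicit global setting if there is one, otherwise insert the line before
# the first Match block (or append when the file has none).
harden_tcp_forwarding() {
    tmp="$1.tmp.$$"
    awk '
        function emit() { if (!done) { print "AllowTcpForwarding no"; done = 1 } }
        { raw = $0; line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line)
          n = split(line, f) }
        n && tolower(f[1]) == "match" { emit() }              # insert before Match
        n && tolower(f[1]) == "allowtcpforwarding" && !done { emit(); next }
        { print raw }
        END { emit() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: an admin once set the keyword explicitly, then applied
# the advisory's append-only fix.  The appended "no" is ignored because the
# earlier "yes" is the first obtained value.
demo=$(mktemp)
printf 'Port 22\nAllowTcpForwarding yes\nAllowTcpForwarding no\n' > "$demo"
echo "after append-only fix: $(effective_tcp_forwarding "$demo")"   # yes
harden_tcp_forwarding "$demo"
echo "after harden:          $(effective_tcp_forwarding "$demo")"   # no
rm -f "$demo"
```

On OpenSSH releases newer than this advisory, `sshd -T` prints the effective configuration and is the authoritative check; a `Match User anoncvs` block with `AllowTcpForwarding no` (and `PermitOpen none`) lets you restrict only the anonymous account while leaving forwarding available to real users. Both features postdate the 2004 advisory and are not assumed by the script above.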