Date: Tue, 31 Aug 2004 15:38:38 -0700
From: Dragos Ruiu <[email protected]>
To: [email protected]
Subject: SSHD / AnonCVS Nastyness
SSHD / AnonCVS Port Bouncing Nastyness
Advisory URL: http://pacsec.jp/advisories.html
Summary:
--------
Sites with default SSHD configs and anonymous CVS
or other "public" access are vulnerable to port bounce attacks.
Details:
--------
SSHD defaults to AllowTcpForwarding "yes" in /etc/ssh/sshd_config.
I'm told there are some good reasons for keeping this like that.
Normally this is not an issue because you have to authenticate
and log in to enable the port forwarding.
However, when combined with anonymous access, this allows some fairly
evil port bouncing misbehaviour after authentication.
This could be an issue for any site with "well known" login
credentials like "anoncvs", and a potential problem
for other no-shell type logins to ssh services.
The most commonly available such service is AnonCVS repositories.
(Some repositories like the OpenBSD cvs servers have been notified
and have now reconfigured their systems to avoid issues with this.)
So these kinds of public access systems should make sure to explicitly
override the default setting of AllowTcpForwarding to "no" in
/etc/ssh/sshd_config to avoid their system being used for arbitrary
tcp port redirection and many errr... "games".
Depending on the configuration this port bouncing can be active for
only a short period of time after initiation, or until the process
terminates, but even in the best case it can be enough time to
inject something like a mail message.
(The most evil application of this IMHO could be another vector for
anonymous spam injection. So check your code repositories now to make
sure you aren't giving spammers another toy.)
Fix:
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
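As an added example (not part of the advisory or of OpenSSH itself), here is a small Python audit of how sshd resolves AllowTcpForwarding: the first value read for a keyword wins, so the echo above works on a stock config, where the keyword is only present commented out, but is silently ignored if an explicit "AllowTcpForwarding yes" line already precedes it. It also models the Match blocks that later OpenSSH releases added, which let a site disable forwarding for just the anoncvs account while leaving it on for staff; the sample configs are constructed, and only "Match User" and "Match all" criteria are handled.

```python
# Added example, not from the advisory: resolve AllowTcpForwarding the way
# sshd does: the FIRST value read for a keyword wins (later lines are ignored)
# and a Match block overrides the global value only for sessions it matches.
# Simplification: only "Match User a,b" and "Match all" are modeled.

DEFAULT_FORWARDING = "yes"   # OpenSSH default when the keyword is absent

def _match_users(criteria):
    """Users a Match line selects, {"*"} for "Match all", or None when it
    uses criteria this audit does not model (Group, Address, ...)."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return {"*"}
    if len(tokens) == 2 and tokens[0].lower() == "user":
        return set(tokens[1].split(","))
    return None

def effective_tcp_forwarding(config_text, user):
    """AllowTcpForwarding value sshd would apply to a session for `user`."""
    global_val = match_val = None
    scope = "global"          # "global", a set of users, or None (unmodeled)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = _match_users(arg)
        elif key == "allowtcpforwarding":
            if scope == "global":
                if global_val is None:        # first occurrence wins
                    global_val = arg.lower()
            elif scope is not None and match_val is None:
                if "*" in scope or user in scope:
                    match_val = arg.lower()   # first satisfied Match block wins
    if match_val is not None:
        return match_val
    return global_val if global_val is not None else DEFAULT_FORWARDING

def forwarding_disabled(config_text, user):
    """True only if sessions for `user` get AllowTcpForwarding no."""
    return effective_tcp_forwarding(config_text, user) == "no"

# Constructed sample configs (not real files).
STOCK_CONFIG = "#AllowTcpForwarding yes\nPort 22\n"        # keyword commented out
APPENDED_FIX = "AllowTcpForwarding yes\nAllowTcpForwarding no\n"  # the echo after an explicit yes
PER_USER_FIX = "AllowTcpForwarding yes\nMatch User anoncvs\n    AllowTcpForwarding no\n"
```

Run the audit against the real /etc/ssh/sshd_config with the anoncvs account name to confirm the fix took effect rather than trusting that the line was appended.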
Systems Affected:
- All recent versions of OpenSSH that have publicly accessible connections.
- Any other SSH Daemon that supports tcp port forwarding.
Credits:
- Johan Beisser <[email protected]> discovered the issue and wants
to give shit to the people who ignored it when he mentioned it to them in
March :-)
- Tim Newsham <[email protected]> of The Logan Group did research
on the extent of the problem, demonstrated real world use, and highlighted
key threats caused therein.
- Christian "naddy" Weisgerber <[email protected]> has been talking about
this for "years" and added AllowTcpForwarding. Thanks :-)
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp