I hope this hasn't been posted before, but I think it hasn't. It concerns
a bug in ssh/sshd, allowing non-root to redirect privileged ports on, at
least, Linux, Solaris and SunOS.
I've informed my ISP's sysadmin of the LocalForward problem
(if you missed it, adding a line like
LocalForward 80 remotehost:80
to your $HOME/.ssh/config will forward a privileged port to a remote port,
without needing root).
Anyway, he fixed it, and I showed him the bug still works when using
2^16 + 80 (i.e. a 16-bit wrap). If you decide not to remove the suid-root
bit as my sysadmin did, but to patch ssh itself, make sure you don't make
this mistake.
Ok, he also fixed this problem, but then I got the idea to hack sshd using the
same trick!
On host1, you open an ssh connection, using -R (RemoteForward, which is
somewhat the opposite of LocalForward, but behaves the same in this case),
to a machine running sshd where you have a working account, like this:
host1$ ssh -R 65621:host1.com:80 victim.com
ivo's password:
victim$
(in this case, 65621 is equal to 2^16+85, i.e. port 85; the other ports
were in use by previous attempts :).
And sshd on victim.com will happily forward privileged port victim.com:85
to host1.com:80!
Some remarks:
- This could also be considered a bug in bind(), because it doesn't wrap
port numbers > 65536, but still, it makes sshd vulnerable, at least on Linux
(2.0.29), Solaris 2.4 and SunOS 4.1.4
- People who patched ssh or removed the suid bit are still vulnerable, because
this is a bug in sshd, not ssh
- You need to login on victim.com before sshd will redirect the port.
That's all,
Ivo
-- 
------------------------------------------------------------------------
Name: Ivo van der Wijk        | Walk... in silence
Internet: ivo@zero.xs4all.nl  | Don't walk away.. in silence
URL: none                     | See the danger... always danger
IRC: VladDrac                 | Endless talking... life rebuilding
                              | Don't walk away
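The mechanism behind the 2^16 wrap, as an added example that is not part of Ivo's post and not taken from the ssh source. The port number is parsed into an int and compared against 1024 as an int, but sockaddr_in.sin_port is a 16-bit field, so htons() keeps only the low 16 bits: 65621 passes the "not below 1024" test and then binds port 85. The function names and the exact shape of the vulnerable and fixed checks below are assumptions modelled on the behaviour described in the post. The fixed version rejects anything outside 1..65535 before applying the privileged-port rule, which is the check that has to go into both ssh (LocalForward) and sshd (RemoteForward), since each side does its own bind().

```c
/*
 * Added example: 16-bit port truncation versus a privileged-port check.
 * Not code from the ssh distribution; the check shapes are assumptions
 * modelled on the bug described in the post above.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PRIVILEGED_PORT_LIMIT 1024

/* The port the kernel actually sees: sin_port is 16 bits wide, so the
 * conversion in htons() silently drops everything above bit 15.
 * 65621 (2^16 + 85) becomes 85, 65616 (2^16 + 80) becomes 80. */
int effective_port(int requested)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_port = htons((unsigned short)requested); /* truncation happens here */
    return ntohs(sin.sin_port);
}

/* Assumed vulnerable check: compares the untruncated int, so 65621 is
 * "not below 1024" and a non-root user is allowed to bind port 85. */
int vulnerable_forward_allowed(int requested, int is_root)
{
    if (requested < PRIVILEGED_PORT_LIMIT && !is_root)
        return 0;
    return 1;
}

/* Fixed check: reject anything outside the 16-bit range first, then
 * apply the privileged-port rule to the value that will really be bound. */
int fixed_forward_allowed(int requested, int is_root)
{
    if (requested < 1 || requested > 65535)
        return 0;
    if (requested < PRIVILEGED_PORT_LIMIT && !is_root)
        return 0;
    return 1;
}

/* Live demonstration: bind a loopback socket with a wrapped port number
 * and report the port the kernel actually assigned (-1 on error).
 * Uses an unprivileged port so it runs as a normal user. */
int port_as_bound(int requested)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons((unsigned short)requested);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sin.sin_port);
}

int main(void)
{
    int req = 65536 + 85;   /* the 65621 from the post */
    printf("requested %d -> kernel binds port %d\n", req, effective_port(req));
    printf("vulnerable check allows non-root: %d\n",
           vulnerable_forward_allowed(req, 0));
    printf("fixed check allows non-root:      %d\n",
           fixed_forward_allowed(req, 0));

    /* Same wrap on an unprivileged port: 2^16 + 40085 really binds 40085 */
    int demo = 65536 + 40085;
    printf("bind(%d) actually bound port %d\n", demo, port_as_bound(demo));
    return 0;
}
```

Checking the range before the privileged-port comparison is the whole fix; a patch that only tightens the "< 1024" comparison, or only fixes the ssh client, leaves the wrap reachable through sshd's -R handling exactly as the post describes.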