Re: More ssh fun (sshd this time)

Thamer Al-Herbish (shadows@whitefang.com)
Sat, 23 Aug 1997 15:31:26 +0000

On Tue, 19 Aug 1997, Ivo van der Wijk wrote:

> I've informed my ISP's sysadmin of the LocalForward problem
> (if you missed it, adding a line like
>
> LocalForward 80 remotehost:80
>
> to your $HOME/.ssh/config will forward a privileged port to a remote port,
> without needing root).

[snip]

> Anyway, he fixed it, and I showed him the bug still works when using
> 2^16 + 80 (ie. 16 bit wrap). Make sure that if you decide not to remove
> the suid-root bit like my sysadmin, but patch ssh itself, not to make this
> mistake.

Two bugs are present, the first one doesn't check the config file for
privileged ports _at_all_ (a check is done when given on the command line),
the second one doesn't check for ports over 65535 which will wrap around.
The problem is that ssh/sshd uses an int instead of an unsigned short to do
the comparison on. So wrapping doesn't occur till it's placed in the struct
sockaddr_in.

I've included patches (I'm not the author of ssh so these are completely
unofficial), hoping anyone would point out anything I might have missed
out, and of course for people to use as a temporary fix till the author
releases one.

These are against 1.2.17

-- cut here

Common subdirectories: ssh-1.2.17/gmp-2.0.2-ssh-2 and ssh-fixed-1.2.17/gmp-2.0.2-ssh-2
diff -c ssh-1.2.17/newchannels.c ssh-fixed-1.2.17/newchannels.c
*** ssh-1.2.17/newchannels.c Wed Oct 30 04:27:54 1996
--- ssh-fixed-1.2.17/newchannels.c Sat Aug 23 14:19:29 1997
***************
*** 1247,1252 ****
--- 1247,1256 ----

/* Check that an unprivileged user is not trying to forward a privileged
port. */
+
+ if (port > 65535)
+ packet_disconnect("Requested port is %d is invalid",port);
+
if (port < 1024 && !is_root)
packet_disconnect("Requested forwarding of port %d but user is not root.",
port);
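
Review bot: the test added in newchannels.c is only an upper bound, so a zero or negative port is still accepted whenever is_root is set, and a negative int truncates to a valid 16-bit port just as 2^16 + 80 does. Suggest `if (port < 1 || port > 65535)`. The message text "Requested port is %d is invalid" also has a doubled "is".
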
diff -c ssh-1.2.17/readconf.c ssh-fixed-1.2.17/readconf.c
*** ssh-1.2.17/readconf.c Wed Oct 30 04:27:53 1996
--- ssh-fixed-1.2.17/readconf.c Sat Aug 23 14:29:08 1997
***************
*** 389,394 ****
--- 389,400 ----
fatal("%.200s line %d: Badly formatted port number.",
filename, linenum);
fwd_port = atoi(cp);
+
+ if(fwd_port < 1024 && original_real_uid)
+ fatal("Port %d may only be forwarded by root.",fwd_port);
+ if(fwd_port > 65535)
+ fatal("Port %d is illegal",fwd_port);
+
cp = strtok(NULL, WHITESPACE);
if (!cp)
fatal("%.200s line %d: Missing second argument.",
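
Review bot: the range check in this readconf.c hunk runs on the result of `fwd_port = atoi(cp)`, and atoi has undefined behaviour when the number does not fit in an int, so a long enough digit string can come back as a small value and slip under `fwd_port > 65535`. Parse with strtol, check errno and the end pointer, and reject anything outside 1..65535 before the privileged-port test. The two new fatal() calls also drop the "%.200s line %d:" prefix used by the neighbouring calls, so the user is not told which config line was refused.
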
***************
*** 408,413 ****
--- 414,425 ----
fatal("%.200s line %d: Badly formatted port number.",
filename, linenum);
fwd_port = atoi(cp);
+
+ if(fwd_port < 1024 && original_real_uid)
+ fatal("Port %d may only be forwarded by root.",fwd_port);
+ if(fwd_port > 65535)
+ fatal("Port %d is illegal",fwd_port);
+
cp = strtok(NULL, WHITESPACE);
if (!cp)
fatal("%.200s line %d: Missing second argument.",
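
Review bot: these six added lines repeat the previous readconf.c hunk verbatim, so the two branches can drift apart on the next fix; a small helper taking the port, filename and linenum, called from both places, would keep them in step. `original_real_uid` is tested for truth here while ssh.c writes `original_real_uid != 0`; pick one form.
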
diff -c ssh-1.2.17/ssh.c ssh-fixed-1.2.17/ssh.c
*** ssh-1.2.17/ssh.c Wed Oct 30 04:27:54 1996
--- ssh-fixed-1.2.17/ssh.c Sat Aug 23 14:18:59 1997
***************
*** 483,488 ****
--- 483,499 ----
usage();
/*NOTREACHED*/
}
+
+ if(fwd_port > 65535) {
+ fprintf(stderr,"Illegal port specified %d\n",fwd_port);
+ exit(1);
+ }
+ if (fwd_port < 1024 && original_real_uid != 0) {
+ fprintf(stderr,
+ "Privileged ports can only be forwarded by root.\n");
+ exit(1);
+ }
+
add_remote_forward(&options, fwd_port, buf, fwd_host_port);
break;
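
Review bot: the privileged-port test added in front of add_remote_forward() compares against the local original_real_uid, while the newchannels.c hunk in this same patch already has the server refuse `port < 1024 && !is_root`. If the remote-forward port is bound on the server side, the client-side uid test rejects a local non-root user who logs in to a root account remotely; worth confirming which side binds the port and, if it is the server, keeping only the range check here. That range check `fwd_port > 65535` also needs a lower bound.
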

***************
*** 496,503 ****
}
if (fwd_port < 1024 && original_real_uid != 0)
{
! fprintf(stderr,
! "Privileged ports can only be forwarded by root.\n");
exit(1);
}
add_local_forward(&options, fwd_port, buf, fwd_host_port);
--- 507,517 ----
}
if (fwd_port < 1024 && original_real_uid != 0)
{
! if(fwd_port > 65535)
! fprintf(stderr,"Ilegal port specified %d\n",fwd_port);
! else
! fprintf(stderr,
! "Privileged ports can only be forwarded by root.\n");
exit(1);
}
add_local_forward(&options, fwd_port, buf, fwd_host_port);
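
Review bot: the `fwd_port > 65535` test added in this last ssh.c hunk can never be true, because it sits inside `if (fwd_port < 1024 && original_real_uid != 0)`; the command-line local-forward path therefore still accepts 2^16 + 80. Move the range check out in front of the privileged-port test, as the remote-forward hunk above does, and correct the "Ilegal" spelling in the message while there.
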
Common subdirectories: ssh-1.2.17/zlib-1.0.3 and ssh-fixed-1.2.17/zlib-1.0.3

-- cut here

-------------------------------------------------------------------------------
Thamer Al-Herbish tmh@kuwait.net
UNIX Programmer Gulfnet Kuwait Floor 11, Al-Gas Tower.
Network Analyst Ahmad Al-Jabar St. Sharq, Kuwait.
-------------------------------------------------------------------------------
[ For PGP key finger shadows@kuwait.net ]
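
The 16-bit wrap discussed in this message, as an added example that is not part of the original post or of the ssh source: the privilege check is done on a wide integer, but only the low 16 bits reach the socket address. The function names `port_as_bound`, `naive_check` and `parse_fwd_port` and the sample values are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What reaches sin_port: only the low 16 bits of the wider value survive. */
uint16_t port_as_bound(long port) { return (uint16_t)port; }

/* Pre-patch style check: compares the untruncated int. 1 = allowed. */
int naive_check(int port, int is_root) {
    if (port < 1024 && !is_root)
        return 0;
    return 1;
}

/* Hypothetical hardened parser: 0 = ok (*out set), -1 = malformed or out of
   range, -2 = privileged port requested by a non-root user. */
int parse_fwd_port(const char *s, int is_root, uint16_t *out) {
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);          /* unlike atoi, reports overflow */
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    if (v < 1 || v > 65535)           /* range first, on the wide value */
        return -1;
    if (v < 1024 && !is_root)
        return -2;
    *out = (uint16_t)v;               /* conversion is now lossless */
    return 0;
}

int main(void) {
    /* Constructed sample inputs, checked as a non-root user. */
    const char *samples[] = { "80", "8080", "65616", "-65456" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long raw = strtol(samples[i], NULL, 10);
        uint16_t p = 0;
        int rc = parse_fwd_port(samples[i], 0, &p);
        printf("%-7s naive=%d binds=%u hardened=%d\n", samples[i],
               naive_check((int)raw, 0), (unsigned)port_as_bound(raw), rc);
    }
    return 0;
}
```
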
