SecurityTracker.com
Category: Application (Security) > OpenSSH
Vendors: OpenSSH.org
OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services
SecurityTracker Alert ID: 1011143
SecurityTracker URL: http://securitytracker.com/id/1011143
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 2 2004
Impact: Host/resource access via network
Fix Available: Yes
Exploit Included: Yes
Version(s): 3.9 and prior versions
Description:   A configuration vulnerability was reported in the default configuration of OpenSSH when used with anonymous public services such as anonymous CVS. A remote user can connect to arbitrary hosts via the target service.

Dragos Ruiu reported that the 'AllowTcpForwarding' default configuration in 'sshd_config' permits TCP connection forwarding. On sites that permit anonymous users to access a service via SSH, a remote user can conduct port bouncing attacks. A remote authenticated user can cause the target server to connect to arbitrary ports on arbitrary servers. The amount of time that the port bouncing connection remains active varies, but can be long enough to permit an e-mail message to be forwarded, the report said.

If the target system resides behind a firewall, this can allow the remote user to bypass the firewall.

The original advisory is available at:

http://pacsec.jp/advisories.html

Impact:   A remote authenticated user can cause the target service to forward connections to arbitrary ports on arbitrary hosts.
Solution:   Affected sites can place the following statement in their '/etc/ssh/sshd_config' configuration file to prevent bounce attacks:

AllowTcpForwarding no

Vendor URL: www.openssh.org/
Cause:   Configuration error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.
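
The Solution's statement only takes effect if it is the first 'AllowTcpForwarding' value sshd obtains, so a line appended to a file that already sets the keyword changes nothing. The shell check below is an added example, not code from the advisory or from OpenSSH; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). File contents below are constructed.

# Print the effective global AllowTcpForwarding value for an sshd_config-style
# file: the first uncommented occurrence wins, the keyword is case-insensitive,
# and the default when unset is "yes" (as the advisory states).
# Handles the common "Keyword value" form only.
effective_tcp_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { kw = tolower($1) }
        kw == "match" { exit }                  # global section ends here
        kw == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Make "no" the effective value by writing the directive as the first line,
# so it is obtained before any later "yes". No-op if already "no".
disable_tcp_forwarding() {
    if [ "$(effective_tcp_forwarding "$1")" = "no" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    { echo "AllowTcpForwarding no"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: a config where forwarding was already set explicitly.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
allowtcpforwarding yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

demo() {
    cfg=$(mktemp) || return 1
    write_sample "$cfg"
    echo "AllowTcpForwarding no" >> "$cfg"      # the appended form of the fix
    echo "after append:  $(effective_tcp_forwarding "$cfg")"
    disable_tcp_forwarding "$cfg"
    echo "after prepend: $(effective_tcp_forwarding "$cfg")"
    rm -f "$cfg"
}
demo
```

sshd must re-read its configuration before a changed value takes effect.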


 Source Message Contents

Date:  Tue, 31 Aug 2004 15:38:38 -0700
Subject:  SSHD / AnonCVS Nastyness


SSHD / AnonCVS Port Bouncing Nastyness

Advisory URL: http://pacsec.jp/advisories.html

Summary:
--------
Sites with default SSHD configs and anonymous CVS
or other "public" access are vulnerable to port bounce attacks.

Details:
--------
SSHD defaults to AllowTcpForwarding "yes" in /etc/ssh/sshd_config.
I'm told there are some good reasons for keeping this like that.
Normally this is not an issue because you have to authenticate
and log in to enable the port forwarding.

However this allows some fairly evil port bouncing misbehaviour,
after authentication when combined with anonymous access.
This could be an issue for any site with "well known" login
credentials like "anoncvs", or become a potential problem
for other no-shell type logins for ssh services.

The most commonly available such service is AnonCVS repositories.
(Some repositories like the OpenBSD cvs servers have been notified
and have now reconfigured their systems to avoid issues with this.)

So these kinds of public access systems should make sure to explicitly
override the default setting of AllowTcpForwarding to "no" in
/etc/ssh/sshd_config to avoid their system being used for arbitrary
tcp port redirection and many errr... "games".

Depending on the configuration this port bouncing can be active for
only a short period of time after initiation, or until the process
terminates, but even in the best case it can be enough time to
inject something like a mail message.

(The most evil application of this IMHO could be another vector for
anonymous spam injection. So check your code repositories now to make
sure you aren't giving spammers another toy.)

Fix:

echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config


Systems Affected:

- All recent versions of OpenSSH that have publicly accessible connections.
- Any other SSH Daemon that supports tcp port forwarding.

Credits:

- Johan Beisser <jan@caustic.org> discovered the issue and wants
  to give shit to the people who ignored it when he mentioned it to them in
  March :-)

- Tim Newsham <newsham@lava.net> of The Logan Group did research
  on the extent of the problem, demonstrated real world use, and highlighted
  key threats caused therein.

- Christian "naddy" Weisgerber <naddy@mips.inka.de> has been talking about
  this for "years" and added AllowTcpForwarding. Thanks :-)

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan	Nov 11-12 2004  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

 
 



Copyright 2014, SecurityGlobal.net LLC