
sshd and pop/ftponly users incorrect configuration


Markus Friedl

Jan 27, 2000, 3:00:00 AM
to Gregory Steuck
On Wed, Jan 26, 2000 at 07:55:48PM -0800, Gregory Steuck wrote:
> >>>>> "Marc" == Marc SCHAEFER <scha...@alphanet.ch> writes:
>
> Marc> EXPLOIT Please do not request exploit from the listed
> Marc> authors. Requests for exploits will be ignored. A working
> Marc> exploit exists and has been tested on current Linux
> Marc> distributions. It is possible that an exploit be posted some
> Marc> time in the future (or that someone reads this and does it by
> Marc> himself ...).
>
> Lemme guess... I adjust my ssh client to request a local port forwarding
> as soon as possible and this way there's a race between fake shell
> (/bin/false) termination and connection establishment. And sshd waits
> for that connection to terminate. Or can I simply request a connection
> forwarding before I request a pty?

no, the race is between the fork() and the termination of the child.
port-fwding can be requested only after the 'shell' is forked.
if the 'shell' is slow you can 'exploit' this behaviour.

the recommended way to 'fix' this is to create a group and add 'DenyGroup bla'
to sshd_config or give no passwords to the users.

-markus
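
An added example, not part of either post: a Python audit for the group-based fix described above, listing accounts that have a no-login shell, a usable password, and no membership in a group denied by sshd_config. Current OpenSSH spells the directive `DenyGroups`; the file contents and the group name `mailonly` are constructed for illustration.

```python
import fnmatch

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample files (not from the thread); group "mailonly" is hypothetical.
PASSWD = """alice:x:1000:1000::/home/alice:/bin/sh
popuser:x:2001:2001::/var/mail/popuser:/bin/false
ftpuser:x:2002:100::/srv/ftp:/bin/false
webuser:x:2003:100::/srv/www:/bin/false
locked:x:2004:100::/srv/ftp:/bin/false"""
SHADOW = """alice:$6$constructed:::::::
popuser:$6$constructed:::::::
ftpuser:$6$constructed:::::::
webuser:$6$constructed:::::::
locked:!:::::::"""
GROUP = """users:x:100:
mailonly:x:2001:webuser"""
SSHD_CONFIG = """PermitRootLogin no
DenyGroups mailonly"""

def rows(text):
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]

def deny_patterns(config):
    # Collect every DenyGroups argument; keywords are case-insensitive in sshd_config.
    pats = []
    for line in config.splitlines():
        words = line.split()
        if words and words[0].lower() == "denygroups":
            pats += words[1:]
    return pats

def exposed_accounts(passwd, shadow, group, config):
    """Accounts with a no-login shell that can still authenticate with a password."""
    locked = {r[0] for r in rows(shadow) if r[1].startswith(("!", "*"))}
    pats, groups = deny_patterns(config), rows(group)
    found = []
    for name, _, _, gid, _, _, shell in rows(passwd):
        if shell not in NOLOGIN_SHELLS or name in locked:
            continue
        # sshd checks the primary group and all supplementary groups.
        mine = [g[0] for g in groups if g[2] == gid or name in g[3].split(",")]
        # fnmatch approximates sshd's '*' and '?' patterns (negation not handled).
        if not any(fnmatch.fnmatchcase(g, p) for g in mine for p in pats):
            found.append(name)
    return found

if __name__ == "__main__":
    print(exposed_accounts(PASSWD, SHADOW, GROUP, SSHD_CONFIG))
```

Here `ftpuser` is reported because its only group, `users`, is not denied, while `popuser` and `webuser` are covered through primary and supplementary membership of `mailonly`.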

Gregory Steuck

Jan 27, 2000, 3:00:00 AM
to Marc SCHAEFER
>>>>> "Marc" == Marc SCHAEFER <scha...@alphanet.ch> writes:

Marc> EXPLOIT Please do not request exploit from the listed
Marc> authors. Requests for exploits will be ignored. A working
Marc> exploit exists and has been tested on current Linux
Marc> distributions. It is possible that an exploit be posted some
Marc> time in the future (or that someone reads this and does it by
Marc> himself ...).

Lemme guess... I adjust my ssh client to request a local port forwarding
as soon as possible and this way there's a race between fake shell
(/bin/false) termination and connection establishment. And sshd waits
for that connection to terminate. Or can I simply request a connection
forwarding before I request a pty?

Bye
Greg
