Re: the openssh exploit
On Tuesday, June 25, 2002, at 12:39, Paul Baker wrote:
> but potentially maybe someone could craft a malicious packet
> that appears to come from one of the trusted ips??
SSH uses TCP, not UDP. In order for the kernel to pass any data
to OpenSSH, the following must happen:
REMOTE sends LOCAL a SYN w/ an ID number
LOCAL sends REMOTE SYN|ACK w/ REMOTE ID number and another ID
REMOTE sends ACK w/ LOCAL ID number
Only at the third packet is any data passed. So, there is no way
to spoof an IP address with TCP unless:
1) You are able to observe traffic passing between LOCAL and the
machine whose IP you just stole
2) Source routing + trusting IP on a source-routed packet
3) Guessable initial sequence number on LOCAL. Linux (at least
anything recent) does not have this problem.
Note that to do (1), you must ensure that the real machine does
not send a RST in response to the SYN|ACK. Ways to do this are
numerous; DoS attacks come to mind.
[ Also, btw, you could probably get ssh to run from inetd. Just the key
generation overhead would kill you. ]
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
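A toy model of the three-way handshake described in the mail above, added here as an example and not part of the original thread. It uses no real sockets; LOCAL is a `Listener` object, packet fields are plain integers, and the peer addresses and ISN values are constructed. It shows why the third packet only gets through when the ACK matches LOCAL's ISN + 1, why a predictable ISN (condition 3) breaks that, and why the RST from the real owner of the address (the note on condition 1) tears the half-open entry down.

```python
import os
MASK = 0xFFFFFFFF

def random_isn():
    # ISN from the OS CSPRNG, not guessable (what a modern kernel effectively does)
    return int.from_bytes(os.urandom(4), "big")

def sequential_isn_factory(start=1000, step=64000):
    # Old predictable scheme: each new connection gets the previous ISN + step
    state = {"next": start}
    def isn():
        value = state["next"]
        state["next"] = (value + step) & MASK
        return value
    return isn

class Listener:
    """LOCAL's handshake state for one listening port (toy model, no sockets)."""
    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.half_open = {}   # peer -> LOCAL's ISN, set once SYN|ACK is sent

    def on_syn(self, peer, remote_isn):
        local_isn = self.isn_source()
        self.half_open[peer] = local_isn
        # SYN|ACK carries LOCAL's ISN and acknowledges REMOTE's ISN + 1
        return ("SYN|ACK", local_isn, (remote_isn + 1) & MASK)

    def on_ack(self, peer, ack_number):
        # Third packet: data is accepted only if it acknowledges LOCAL's ISN + 1
        local_isn = self.half_open.get(peer)
        if local_isn is None or ack_number != (local_isn + 1) & MASK:
            return False
        del self.half_open[peer]
        return True

    def on_rst(self, peer):
        # Real owner of a spoofed address answers the unexpected SYN|ACK with RST
        self.half_open.pop(peer, None)

def legitimate_handshake(listener, peer="10.0.0.5:40000", remote_isn=7):
    _, local_isn, _ = listener.on_syn(peer, remote_isn)  # REMOTE sees SYN|ACK
    return listener.on_ack(peer, (local_isn + 1) & MASK)

def spoofed_third_packet(listener, guessed_isn, real_host_answers=True, victim="10.0.0.9:40001"):
    # SYN|ACK goes to the address owner, not the spoofer, so the ACK relies on a guessed ISN
    listener.on_syn(victim, remote_isn=1)
    if real_host_answers:
        listener.on_rst(victim)
    return listener.on_ack(victim, (guessed_isn + 1) & MASK)
```

With the sequential ISN source a guess built from one previously observed ISN completes the handshake, but a RST from the real host clears the half-open entry first, and with the random source the guess fails.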