Re: the openssh exploit

To: Paul Baker <pbaker@where2getit.com>
Cc: David B Harris <eelf@sympatico.ca>, debian-security@lists.debian.org
Subject: Re: the openssh exploit
From: Anthony DeRobertis <asd@suespammers.org>
Date: Tue, 25 Jun 2002 02:40:19 -0400
Message-id: <[🔎] 6A97D8E4-8806-11D6-BA36-00039355CFA6@suespammers.org>
In-reply-to: <[🔎] 7A9C777C-87F5-11D6-8A0B-0003937562B8@where2getit.com>


On Tuesday, June 25, 2002, at 12:39 , Paul Baker wrote:

but potentially maybe someone could craft a malicious packetthat appears to come from one of the trusted ips??

SSH uses TCP, not UDP. In order for the kernel to pass any datato OpenSSH, the following must happen:


	REMOTE sends LOCAL a SYN w/ a ID number
	LOCAL sends REMOTE SYN|ACK w/ REMOTE ID number and another ID
	REMOTE sends ACK w/ LOCAL ID number

Only at the third packet is any data passed. So, there is no wayspoof an IP address with TCP unless:


	1) You are able to observe traffic passing between LOCAL and the
	   machine who's IP you just stole
	2) Source routing + trusting IP on a source-routed packet
	3) Guessable initial sequence number on LOCAL. Linux (at least
	   anything recent) does not have this problem.

Note that to do (1), you must insure that the real machine doesnot send a RST in response to the SYN|ACK. Ways to do this arenumerous; DoS attacks come to mind.


[ Also, btw, you could probably get ssh to run from inetd. Just the key
  generation overhead would kill you. ]


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: the openssh exploit
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

References:
- Re: the openssh exploit
  - From: Paul Baker <pbaker@where2getit.com>

Prev by Date: Re: the openssh exploit
Next by Date: Re: the openssh exploit
Previous by thread: Re: the openssh exploit
Next by thread: Re: the openssh exploit
Index(es):
- Date
- Thread