
Re: the openssh exploit

On Tuesday, June 25, 2002, at 12:39 , Paul Baker wrote:

but potentially maybe someone could craft a malicious packet that appears to come from one of the trusted ips??

SSH uses TCP, not UDP. In order for the kernel to pass any data to OpenSSH, the following must happen:

	REMOTE sends LOCAL a SYN w/ an ID number
	LOCAL sends REMOTE SYN|ACK w/ REMOTE ID number and another ID
	REMOTE sends ACK w/ LOCAL ID number

Only at the third packet is any data passed. So, there is no way to spoof an IP address with TCP unless:

	1) You are able to observe traffic passing between LOCAL and the
	   machine whose IP you just stole
	2) Source routing + trusting IP on a source-routed packet
	3) Guessable initial sequence number on LOCAL. Linux (at least
	   anything recent) does not have this problem.

Note that to do (1), you must ensure that the real machine does not send a RST in response to the SYN|ACK. Ways to do this are numerous; DoS attacks come to mind.

[ Also, btw, you could probably get ssh to run from inetd. Just the key
  generation overhead would kill you. ]
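As an added example (not part of the original post or of Debian), here is a toy Python model of the handshake described above. It shows why a forged trusted address cannot get a payload past the third packet unless LOCAL's ISN is observed (point 1) or guessable (point 3); the addresses, the payload and the stepping ISN scheme are constructed for illustration.

```python
import secrets

def random_isn():
    """32-bit ISN from a CSPRNG, as a modern stack does: not guessable."""
    return secrets.randbits(32)

def make_counter_isn(step=64000):
    """Constructed stand-in for the weak, predictable ISN scheme of point (3)."""
    state = {"isn": 0}
    def next_isn():
        state["isn"] = (state["isn"] + step) & 0xFFFFFFFF
        return state["isn"]
    return next_isn

class Listener:
    """Toy model of LOCAL: a payload is accepted only after an ACK carrying
    LOCAL's own ISN + 1 completes the handshake for that source address."""
    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.half_open = {}       # src_ip -> LOCAL ISN awaiting its ACK
        self.established = set()

    def recv_syn(self, src_ip, remote_isn):
        local_isn = self.isn_source()
        self.half_open[src_ip] = local_isn
        # The SYN|ACK is routed to src_ip, whoever really owns that address
        return ("SYN|ACK", remote_isn + 1, local_isn)

    def recv_ack(self, src_ip, ack_num):
        local_isn = self.half_open.pop(src_ip, None)
        if local_isn is None or ack_num != local_isn + 1:
            return False          # a real stack would answer with RST
        self.established.add(src_ip)
        return True

    def recv_data(self, src_ip, payload):
        return payload if src_ip in self.established else None

def handshake_observed(listener, ip):
    """Legitimate REMOTE: it receives the SYN|ACK, so it knows LOCAL's ISN."""
    _, _, local_isn = listener.recv_syn(ip, remote_isn=1000)
    listener.recv_ack(ip, local_isn + 1)
    return listener.recv_data(ip, b"SSH-2.0-OpenSSH")

def handshake_blind(listener, ip, guess):
    """Forged source address: the SYN|ACK goes to the real owner of ip, so the
    sender never sees LOCAL's ISN and the third packet's ACK is a pure guess."""
    listener.recv_syn(ip, remote_isn=1000)
    listener.recv_ack(ip, guess)
    return listener.recv_data(ip, b"SSH-2.0-OpenSSH")
```

With `random_isn` the blind attempt yields `None`; with `make_counter_isn` an ISN seen on one connection predicts the next, which is exactly the weakness point (3) says recent Linux does not have.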
