Bug#248125: sshd: processes keep alive after connection break
Package: ssh
Version: 1:3.8p1-3
Severity: critical
Hello,
sshd leaves processes alive if a connection breaks during the
authentication phase:
Initial state is:
| root@darkside:~# ps -ef | grep ssh
| root 27981 1 0 15:29 ? 00:00:00 /usr/sbin/sshd
| root@darkside:~#
Now I do:
| holbe@darkside:/home/holbe% ssh holbe@localhost
| Password:
Which results in:
| root@darkside:~# ps -ef | grep ssh
| root 27981 1 0 15:28 ? 00:00:00 /usr/sbin/sshd
| holbe 28162 1398 0 15:31 tty5 00:00:00 ssh holbe@localhost
| root 28163 27981 0 15:31 ? 00:00:00 sshd: holbe [priv]
| sshd 28165 28163 0 15:31 ? 00:00:00 sshd: holbe [net]
| root 28166 28163 0 15:31 ? 00:00:00 sshd: holbe [pam]
| root@darkside:~#
Now I break the client with Ctrl-C:
| holbe@darkside:/home/holbe% ssh holbe@localhost
| Password:
|
| holbe@darkside:/home/holbe%
And the result is:
| root@darkside:~# ps -ef | grep ssh
| root 27981 1 0 15:28 ? 00:00:00 /usr/sbin/sshd
| root 28163 27981 0 15:31 ? 00:00:00 sshd: holbe [priv]
| sshd 28165 28163 0 15:31 ? 00:00:00 [sshd] <defunct>
| root 28166 28163 0 15:31 ? 00:00:00 sshd: holbe [pam]
| root@darkside:~#
Those processes remain running until I manually kill them.
This could very easily be exploited for a Denial-of-Service
attack against system resources (processes). There is no
special knowledge needed about the victim system; this also
works with uids that don't exist.
That's why I set the severity to critical.
regards,
Mario
--
<jv> Oh well, config
<jv> one actually wonders what force in the universe is holding it
<jv> and makes it working
<Beeth> chances and accidents :)
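
Added example, not part of the original report: a small check an administrator could run over `ps -ef` output to spot the state shown above, where an `sshd: ... [priv]` monitor still holds a defunct child and a live helper. The function names are hypothetical; the sample listing is the report's final `ps` output with a constructed header line.

```python
import re

# Final process listing from the report; the header line is constructed.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
"""

# UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_ps(text):
    """Return {pid: process dict} from `ps -ef` text, skipping the header."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue  # header or a line in another format
        uid, pid, ppid, cmd = m.groups()
        procs[int(pid)] = {"uid": uid, "pid": int(pid),
                           "ppid": int(ppid), "cmd": cmd.strip()}
    return procs


def find_stuck_preauth(procs):
    """Find [priv] monitors whose child is defunct but was never reaped."""
    findings = []
    for p in procs.values():
        if not (p["cmd"].startswith("sshd:") and "[priv]" in p["cmd"]):
            continue
        children = [c for c in procs.values() if c["ppid"] == p["pid"]]
        defunct = sorted(c["pid"] for c in children if "<defunct>" in c["cmd"])
        if defunct:
            helpers = sorted(c["pid"] for c in children
                             if "<defunct>" not in c["cmd"])
            findings.append({"priv": p["pid"], "defunct": defunct,
                             "helpers": helpers})
    return findings


if __name__ == "__main__":
    for f in find_stuck_preauth(parse_ps(SAMPLE_PS)):
        print("stuck pre-auth sshd: priv=%(priv)d defunct=%(defunct)s "
              "helpers=%(helpers)s" % f)
```

A zombie can also appear briefly during a normal disconnect, so a monitoring job should only alert when the same `[priv]` PID is reported on two consecutive samples.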