not being released

Kevin Deveau kdeveau at cfassociate.com
Wed Sep 10 04:53:28 EST 2008


I've noticed a bug with even recent OpenSSH products, where if the host disconnects during a certain period of time, the connection becomes frozen, causing possible exploit problems.

For example 

[root at portal ~] users
root
[root at portal ~] uptime -u (used to show how many users the box believes is logged on)
2 Users
[root at portal ~]

In theory this trapped connection can be, and has proven to be, used for exploits: if the correct packet is sent to the box (using gathered information, of course), the attacker becomes assumed by the local host through a remote host and appears to be authenticated, allowing executions based on the level of permission the frozen login has.

The example of this is:
root being the frozen user, the attacker exploits the frozen connection to be assumed as them, and can execute all commands,
whereas

kevin being a regular client, but also frozen (the box thinks they're still connected, but they aren't), the attacker can only execute commands allowed by user permissions.

The solution to the problem appears to be, so far, making sure there are no frozen connections caused by SSH, so you run
who -a and get the PID of the frozen connection, which removes that authenticated frozen connection.

This bug has only been reproduced on the Linux operating system; I haven't used any other OS to test it for them.
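
A check in the spirit of the who -a step above, added here as an example and not part of the original post: it takes the user, tty, PID and host fields one would pull from `who -a` (a constructed sample, since column layout differs between implementations) and reports the entries whose login process no longer exists, i.e. the stale sessions an administrator would want to clear.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Input format (assumption): one session per line, "USER TTY PID HOST",
# as extracted from `who -a`. A session is stale when the PID that
# owns the utmp entry is no longer running.

# Constructed sample: $$ is this shell (alive); the second PID comes from
# a subshell that has already exited, so it is guaranteed dead.
DEAD_PID=$(sh -c 'echo $$')
SAMPLE="root pts/0 $$ 10.0.0.5
kevin pts/1 $DEAD_PID 10.0.0.7"

# pid_alive PID -> 0 if the process exists, 1 otherwise.
# kill -0 sends no signal; it only probes existence. Probing another
# user's process needs privilege, which the admin running this has.
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# stale_sessions "LINES" -> prints only the lines whose PID is dead.
stale_sessions() {
    printf '%s\n' "$1" | while read -r user tty pid host; do
        [ -n "$pid" ] || continue
        if ! pid_alive "$pid"; then
            printf '%s %s %s %s\n' "$user" "$tty" "$pid" "$host"
        fi
    done
}

# Usage: prints "kevin pts/1 <dead pid> 10.0.0.7" for the sample above.
main() {
    stale_sessions "$SAMPLE"
}
```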

