not being released

Damien Miller djm at mindrot.org
Wed Sep 10 09:30:23 EST 2008


On Tue, 9 Sep 2008, Kevin Deveau wrote:

> I've noticed a bug with even recent OpenSSH products, where if the
> host disconnects during a certain period of time, the connection
> becomes frozen causing possible exploit problems.
>
> For example
> 
> [root at portal ~] users
> root
> [root at portal ~] uptime -u (used to show how many users the box believes is logged on)
> 2 Users
> [root at portal ~]
>
> In theory this trapped connection can and has proven to be used for
> exploits, as if the correct packet is sent to the box, using gathered
> information of course, the attacker becomes assumed by the local host
> through a remote host and appears to be authenticated, allowing executions
> based on the level of permission the frozen login has.

It looks like utmp is getting out of sync when sshd exits uncleanly.
I don't think this could be used for any real attacks, certainly not
the one that I think you are describing - there is no "frozen connection",
just a missing record in utmp to indicate that a user has logged out.

-d
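A check for the condition Damien describes (a USER_PROCESS record left in utmp after the session's sshd process is gone), added here as an example and not code from the thread or from OpenSSH. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte records; other libcs and architectures differ, so compare against utmp.h before relying on it elsewhere), and the utmp image it runs on by default is constructed inline, not a real capture: one record whose ut_pid is the running interpreter and one whose ut_pid cannot exist. The function names (parse_utmp, stale_logins, pid_alive_default) are the example's own.

```python
import os
import struct

# Assumption: glibc struct utmp on x86_64 Linux. Fields in order:
# ut_type(short) pad pid(int) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(2x short) ut_session(int) ut_tv(2x int32) ut_addr_v6[4] __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
USER_PROCESS = 7  # ut_type of an active login (what users/who/uptime count)
DEAD_PROCESS = 8  # ut_type written at logout; missing after an unclean sshd exit


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes):
    """Yield (ut_type, pid, line, user, host) for each whole record in a utmp blob."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ut_id, user, host = f[0], f[1], f[2], f[3], f[4], f[5]
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host)


def pid_alive_default(pid: int) -> bool:
    """True if a process with this pid exists; signal 0 probes without delivering."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def stale_logins(data: bytes, pid_alive=pid_alive_default):
    """USER_PROCESS records whose session process (ut_pid) is no longer running.

    These are the phantom logins that `users`, `who` and `uptime` still count
    after sshd died without writing a DEAD_PROCESS record. Returns a list of
    (user, line, pid, host) tuples. The liveness probe is injectable for testing.
    """
    return [
        (user, line, pid, host)
        for ut_type, pid, line, user, host in parse_utmp(data)
        if ut_type == USER_PROCESS and not pid_alive(pid)
    ]


def make_record(ut_type: int, pid: int, line: str, user: str, host: str) -> bytes:
    """Pack one utmp record with zeroed exit status, session, timestamp and address."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(),
                       0, 0, 0, 0, 0, 0, 0, 0, 0)


LIVE_PID = os.getpid()
GONE_PID = (1 << 22) + 1  # above Linux's default pid_max, so no such process exists

# Constructed sample image (not a real /var/run/utmp): a live login, an orphaned
# login whose sshd child is gone, and a properly closed session.
SAMPLE_UTMP = (
    make_record(USER_PROCESS, LIVE_PID, "pts/0", "root", "10.0.0.5")
    + make_record(USER_PROCESS, GONE_PID, "pts/1", "root", "10.0.0.7")
    + make_record(DEAD_PROCESS, 0, "pts/2", "", "")
)


def read_utmp(path: str = "/var/run/utmp") -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    data = read_utmp() if os.path.exists("/var/run/utmp") else SAMPLE_UTMP
    for user, line, pid, host in stale_logins(data):
        print(f"stale utmp entry: {user} on {line} from {host} (pid {pid} is gone)")
```

On a real host this reports exactly the entries behind the discrepancy in the report above: a record that looks like a logged-in user but has no process behind it. Nothing can be "sent" to such an entry; cleaning it up is a matter of writing the missing DEAD_PROCESS record (what sshd would have done on a clean exit), not a security fix.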

