Package: ssh
Version: 1:3.8p1-3
Severity: critical

Hello,

sshd leaves processes alive if a connection breaks during the authentication phase.

Initial state is:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root 27981 1 0 15:29 ? 00:00:00 /usr/sbin/sshd
| [EMAIL PROTECTED]:~#

Now I do:

| [EMAIL PROTECTED]:/home/holbe% ssh [EMAIL PROTECTED]
| Password:

Which results in:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root 27981 1 0 15:28 ? 00:00:00 /usr/sbin/sshd
| holbe 28162 1398 0 15:31 tty5 00:00:00 ssh [EMAIL PROTECTED]
| root 28163 27981 0 15:31 ? 00:00:00 sshd: holbe [priv]
| sshd 28165 28163 0 15:31 ? 00:00:00 sshd: holbe [net]
| root 28166 28163 0 15:31 ? 00:00:00 sshd: holbe [pam]
| [EMAIL PROTECTED]:~#

Now I break the client with Ctrl-C:

| [EMAIL PROTECTED]:/home/holbe% ssh [EMAIL PROTECTED]
| Password:
|
| [EMAIL PROTECTED]:/home/holbe%

And the result is:

| [EMAIL PROTECTED]:~# ps -ef | grep ssh
| root 27981 1 0 15:28 ? 00:00:00 /usr/sbin/sshd
| root 28163 27981 0 15:31 ? 00:00:00 sshd: holbe [priv]
| sshd 28165 28163 0 15:31 ? 00:00:00 [sshd] <defunct>
| root 28166 28163 0 15:31 ? 00:00:00 sshd: holbe [pam]
| [EMAIL PROTECTED]:~#

Those processes remain running until I manually kill them. This could very easily be exploited for a Denial-of-Service attack against system resources (processes). No special knowledge about the victim system is needed; this also works with uids that don't exist. That's why I set the severity to critical.

regards,
Mario

-- 
<jv> Oh well, config
<jv> one actually wonders what force in the universe is holding it
<jv> and makes it working
<Beeth> chances and accidents :)
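A defender-side check for the condition described in the report, added here as an example and not part of the original bug report: it parses `ps -ef` style output (a constructed sample modelled on the final listing above, plus one live session added for contrast) and flags `sshd: <user> [priv]` parents whose unprivileged `[net]` child has gone `<defunct>` while the `[priv]` and `[pam]` processes linger.

```python
"""Find sshd pre-auth process groups left behind after a client disconnect."""
import re
from collections import defaultdict

# Constructed sample (example data, not taken from a live host): the stale
# group from the report (pids 28163/28165/28166) and one healthy session.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
root     28200 27981  0 15:40 ?        00:00:00 sshd: alice [priv]
sshd     28201 28200  0 15:40 ?        00:00:00 sshd: alice [net]
"""

# UID PID PPID C STIME TTY TIME CMD  (the header line does not match)
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_ps(text):
    """Return {pid: (uid, ppid, cmd)} for every process line in `ps -ef` output."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            uid, pid, ppid, cmd = m.groups()
            procs[int(pid)] = (uid, int(ppid), cmd.strip())
    return procs


def stale_auth_sessions(procs):
    """Return [(priv_pid, user, child_pids)] for [priv] parents whose [net] child is gone."""
    children = defaultdict(list)
    for pid, (_, ppid, _) in procs.items():
        children[ppid].append(pid)
    stale = []
    for pid, (_, _, cmd) in procs.items():
        m = re.match(r"sshd: (\S+) \[priv\]$", cmd)
        if not m:
            continue
        kid_cmds = [procs[c][2] for c in children[pid]]
        # A live [net] child means the client is still connected; a <defunct>
        # one with no [net] sibling is the leftover group shown in the report.
        if any("<defunct>" in c for c in kid_cmds) and not any("[net]" in c for c in kid_cmds):
            stale.append((pid, m.group(1), sorted(children[pid])))
    return stale


if __name__ == "__main__":
    for pid, user, kids in stale_auth_sessions(parse_ps(SAMPLE_PS)):
        print(f"stale pre-auth session: [priv] pid {pid}, user {user}, children {kids}")
```

On a real host, feed it the output of `ps -ef` instead of `SAMPLE_PS`; a group that stays in this state past the server's login grace period is the condition the report describes.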

