Date: Thu, 17 Apr 2008 21:52:12 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-security@freebsd.org, Ian Smith <smithi@nimnet.asn.au> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh Message-ID: <86d4oow977.fsf@ds4.des.no> In-Reply-To: <4807423D.1090206@infracaninophile.co.uk> (Matthew Seaman's message of "Thu\, 17 Apr 2008 13\:27\:41 %2B0100") References: <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au> <4807423D.1090206@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Matthew Seaman <m.seaman@infracaninophile.co.uk> writes: > Hmmm... something that wasn't immediately clear to me reading the > advisory: the requirement for an attacker to listen(2) on tcp port > 6010 means that they have to have a login on the box being attacked. > ie. it's a *local* information leak rather than a network attack. It > took me some time and a few gentle thwaps with the clue stick by > colleagues better versed in the sockets API than me before I > understood that. Yes, it's an interesting vulnerability. The attacker needs to be able to execute code that listens to localhost:60XX on the server, but the attack is directed at the client, not the server. You could say that the workaround (on the server) is a mere courtesy to the client on the part of the server - although of course the attacker could use this to sniff the server's root password or hijack a root shell, so it's not quite so clear-cut. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86d4oow977.fsf>