Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 17 Apr 2008 21:52:12 +0200
From:      =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-security@freebsd.org, Ian Smith <smithi@nimnet.asn.au>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Message-ID:  <86d4oow977.fsf@ds4.des.no>
In-Reply-To: <4807423D.1090206@infracaninophile.co.uk> (Matthew Seaman's message of "Thu\, 17 Apr 2008 13\:27\:41 %2B0100")
References:  <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au> <4807423D.1090206@infracaninophile.co.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
Matthew Seaman <m.seaman@infracaninophile.co.uk> writes:
> Hmmm... something that wasn't immediately clear to me reading the
> advisory: the requirement for an attacker to listen(2) on tcp port
> 6010 means that they have to have a login on the box being attacked.
> ie. it's a *local* information leak rather than a network attack.  It
> took me some time and a few gentle thwaps with the clue stick by
> colleagues better versed in the sockets API than me before I
> understood that.

Yes, it's an interesting vulnerability.  The attacker needs to be able
to execute code that listens to localhost:60XX on the server, but the
attack is directed at the client, not the server.  You could say that
the workaround (on the server) is a mere courtesy to the client on the
part of the server - although of course the attacker could use this to
sniff the server's root password or hijack a root shell, so it's not
quite so clear-cut.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86d4oow977.fsf>