Re: in.telnetd vulnerability??

From: Brian Hatch (focus-sun@ifokr.org)
Date: 08/04/01


Date: Fri, 3 Aug 2001 21:32:23 -0700
From: Brian Hatch <focus-sun@ifokr.org>
To: Ryan Russell <ryan@securityfocus.com>
Subject: Re: in.telnetd vulnerability??
Message-ID: <20010803213223.P31138@ifokr.org>
> I wonder how hard it would be to write a version of the SSH client named
> telnet that would try port 22 before failing to port 23, and do plain
> telnet when used on other ports (telnet mail.example.com 110). Claim it
> is the new telnet client patch. It would allow for some cleartext
> downgrade attacks, but that would at least require active monitoring and
> spoofing. If it were called by the name "ssh", via soft links, it would
> behave normally.

I did this with a simple perl script which would hit port 22
and, if available, exec ssh, else exec telnet.

But it wasn't nearly so helpful as setting up host-based
authentication between unix boxen. Once folks found out
that they could say 'ssh host' vs 'telnet host' and save
3 characters on the command line and type no password,
they were hooked. And it wasn't any less secure than all
those cleartext passwords, really.

Of course rlogin/rsh should always be linked to ssh
instead to allow it by default.

--
Brian Hatch                "Zathras understand.
   Systems and              No, Zathras not understand,
   Security Engineer        but Zathras do."
http://www.ifokr.org/bri/

Every message PGP signed
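The wrapper described in the quoted post and in Brian's reply (probe port 22, exec ssh if something answers, otherwise exec telnet, and go straight to telnet when an explicit port is given), written out as an added example. This is not Brian's perl script or anything from the focus-sun archive; the function names `port_open`, `pick_client`, `run` and `demo`, and the `known_ssh_hosts` refusal rule (which addresses the cleartext-downgrade caveat the quoted post raises by refusing to fall back for a host that is expected to speak SSH), are this example's own assumptions.

```python
"""Hypothetical 'telnet' wrapper: try SSH first, fall back to telnet.

Added example, not the perl script from the original message.  Installed
under the name 'telnet' it behaves as the quoted post describes:
  telnet host            -> ssh host      (if host:22 accepts a connection)
  telnet host            -> telnet host   (otherwise)
  telnet host 110        -> telnet host 110 (explicit port: plain telnet)
"""
import os
import socket
import sys

SSH_PORT = 22


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_client(argv, probe=port_open, known_ssh_hosts=frozenset()):
    """Decide which real client to exec for the arguments given to 'telnet'.

    argv is the argument list after the program name, e.g. ['host'] or
    ['host', '110'].  Returns ('ssh', args) or ('telnet', args).

    known_ssh_hosts is an assumed mitigation for the downgrade case the
    original post mentions: if a host that is expected to speak SSH does
    not answer on port 22, refuse rather than silently sending a cleartext
    password to port 23.
    """
    if not argv:
        return ("telnet", [])
    host = argv[0]
    if len(argv) >= 2:
        # Explicit port (telnet mail.example.com 110): plain telnet, as requested.
        return ("telnet", list(argv))
    if probe(host, SSH_PORT):
        return ("ssh", [host])
    if host in known_ssh_hosts:
        raise RuntimeError(f"{host} is expected to speak SSH; refusing cleartext fallback")
    return ("telnet", [host])


def run(argv):
    """Replace this process with the chosen client, like the perl exec."""
    client, args = pick_client(argv)
    os.execvp(client, [client] + args)


def demo():
    """Offline demonstration using a throwaway listener on 127.0.0.1 as a
    stand-in for an SSH server.  Returns the decision with the listener up
    and the decision after it is closed (constructed scenario, no network)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def fake_probe(host, _ssh_port):
        # Treat the throwaway port as if it were port 22 for this host.
        return port_open(host, port)

    with_ssh = pick_client(["127.0.0.1"], probe=fake_probe)
    srv.close()
    without_ssh = pick_client(["127.0.0.1"], probe=fake_probe)
    return with_ssh, without_ssh


if __name__ == "__main__":
    run(sys.argv[1:])
```

The probe is only a reachability check, not an SSH handshake, so it answers "is something listening on 22" and nothing more; the real protection against a downgrade is the `known_ssh_hosts` refusal, or, as the reply itself concludes, simply teaching people to type `ssh host` in the first place.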