| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060310072030.GH24032@ucc.gu.uwa.edu.au> Date: Fri, 10 Mar 2006 15:20:31 +0800 From: Matt Johnston <matt@....asn.au> To: Pablo Fernandez <pablo@...tleQ.net> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Dropbear SSH server Denial of Service On Tue, Mar 07, 2006 at 07:47:57PM +0000, Pablo Fernandez wrote: > Dropbear SSH server Denial of Service > The vulnerability specifically exists due to a design error in the > authorization-pending connections code. By default and as a #define of > the MAX_UNAUTH_CLIENTS constant, the SSH server allows 30 > authorization-pending connections, after connection 31, incoming sockets > are close()d immediatly. > Remote attack of this vulnerability is trivial. This is specially > problematic if the administrator can't login due to the attack and can't > at least blacklist the attacker, restart the service or undertake other > actions. > All versions (up to and including current 0.47 version) are vulnerable. Dropbear 0.48 mitigates this issue by having a per-IP limit as well as a global limit - this will at least prevent an IP-deprived attacker from denying service. It's worth noting that various other network services (such as netkit-inetd and OpenSSH) have the same design issues, at least in default configurations. Matt Johnston Dropbear developer http://matt.ucc.asn.au/dropbear/dropbear.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists