[Gllug] ssh brute force attacks
Bruce Richardson
itsbruce at workshy.org
Mon Dec 8 23:25:04 UTC 2008
On Mon, Dec 08, 2008 at 08:49:20PM +0000, Robert wrote:
> Originally I had it so that the cgi used nc to connect to the normal
> sshd running on port 22 (which I then firewalled off from non-local
> access) but it has recently been pointed out to me that you can just
> invoke sshd -i directly from the cgi:
> http://wari.mckay.com/~rm/proxy2ssh/sshd.sh.txt.
>
> (Requires the following sudoers entry to let the cgi invoke sshd as root)
> Cmnd_Alias SSHD = /usr/sbin/sshd
> www-data ALL = NOPASSWD: SSHD

What that does is give the www-data account, which should ideally have
minimal privileges considering how much of a target webservers are, the
ability to run sshd with absolutely any parameters; somebody who
compromised the www-data account or the web server could run sshd with
the -f parameter pointing to a config file that they have
uploaded/created. That means they could jump from a webserver exploit
to running sshd with no password controls. That's some privilege
escalation.

You can make that safer by changing the command alias to

    Cmnd_Alias SSHD = /usr/sbin/sshd -i

which means that it can only be run with that particular parameter and
no others.

--
Bruce
I object to intellect without discipline. I object to power without
constructive purpose. -- Spock
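
An added example, not part of the original post: a small Python check that flags NOPASSWD sudoers rules naming a command with no argument list, the case the reply describes. The sample text, the SSHD_INETD alias name and the function names are constructed for illustration, and only single-line Cmnd_Alias and rule entries are handled.

```python
import re

# Constructed sample: the two sudoers variants discussed in the thread.
SAMPLE = """\
Cmnd_Alias SSHD = /usr/sbin/sshd
Cmnd_Alias SSHD_INETD = /usr/sbin/sshd -i
www-data ALL = NOPASSWD: SSHD
www-data ALL = NOPASSWD: SSHD_INETD
"""

ALIAS_RE = re.compile(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"\s*([^\s=]+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)")

def split_cmds(spec):
    """Split a command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", spec) if c.strip()]

def expand(name, aliases, seen=()):
    """Resolve Cmnd_Alias names (possibly nested) to concrete command specs."""
    if name in aliases and name not in seen:
        for cmd in aliases[name]:
            yield from expand(cmd, aliases, seen + (name,))
    else:
        yield name

def audit(text):
    """Return (user, command) pairs where a NOPASSWD rule names a command
    path with no argument list, which sudo matches with any arguments."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
    findings = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in split_cmds(m.group(2)):
            for cmd in expand(spec, aliases):
                if cmd.startswith("/") and len(cmd.split()) == 1:
                    findings.append((m.group(1), cmd))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: {cmd} may be run as root with any arguments")
```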