[Gllug] ssh brute force attacks

Robert McKay robert at mckay.com
Mon Dec 8 23:54:23 UTC 2008


On Mon, Dec 8, 2008 at 11:25 PM, Bruce Richardson <itsbruce at workshy.org> wrote:
> On Mon, Dec 08, 2008 at 08:49:20PM +0000, Robert wrote:
>> Originally I had it so that the cgi used nc to connect to the normal
>> sshd running on port 22 (which I then firewalled off from non-local
>> access) but it has recently been pointed out to me that you can just
>> invoke sshd -i directly from the cgi:
>> http://wari.mckay.com/~rm/proxy2ssh/sshd.sh.txt.
>>
>> (Requires the following sudoers entry to let the cgi invoke sshd as root)
>> Cmnd_Alias      SSHD = /usr/sbin/sshd
>> www-data        ALL = NOPASSWD: SSHD
>
> What that does is give the www-data account, which should ideally have
> minimal privileges considering how much of a target webservers are, the
> ability to run sshd with absolutely any parameters; somebody who
> compromised the www-data account or the web server could run sshd with
> the -f parameter pointing to a config file that they have
> uploaded/created.  That means they could jump from a webserver exploit
> to running sshd with no password controls.  That's some privilege
> escalation.

Hrm yes. Doh! Thanks for pointing that out.

Rob
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
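The escalation Bruce describes hinges on one sudoers rule: a command listed with no arguments matches any arguments, so "/usr/sbin/sshd" lets www-data pass -f (or -o, -h, and so on) and start a root sshd under a config it wrote itself. The shell script below is an added example, not code from the thread: it puts the quoted entry next to a version pinned to "sshd -i", and audits sudoers text for sshd grants with no fixed argument list. The sample sudoers strings and the function names count_unrestricted_sshd and audit_sudoers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits sudoers text for
# entries that let a user run /usr/sbin/sshd with arbitrary arguments.
# sudoers matching rules this relies on:
#   - a command listed with no arguments matches ANY argument list
#   - a command listed with arguments must be run with exactly those
#   - a command followed by "" may only be run with no arguments at all

# Constructed sample: the entry quoted in the thread (any args allowed,
# including -f /tmp/attacker_sshd_config).
WEAK_SUDOERS='Cmnd_Alias      SSHD = /usr/sbin/sshd
www-data        ALL = NOPASSWD: SSHD'

# Constructed sample: the same grant pinned to "sshd -i", so www-data can
# invoke sshd in inetd mode and nothing else. sshd then reads the
# root-owned /etc/ssh/sshd_config, which www-data cannot replace.
HARDENED_SUDOERS='Cmnd_Alias      SSHD = /usr/sbin/sshd -i
www-data        ALL = NOPASSWD: SSHD'

# count_unrestricted_sshd SUDOERS_TEXT
# Prints how many comment-stripped lines name /usr/sbin/sshd with no fixed
# argument list, i.e. the path is followed only by whitespace and then a
# comma (next command in the list) or the end of the line.
count_unrestricted_sshd() {
    printf '%s\n' "$1" \
      | sed 's/#.*//' \
      | grep -Ec '(^|[=:,[:space:]])/usr/sbin/sshd[[:space:]]*(,|$)' || true
}

# audit_sudoers SUDOERS_TEXT
# Returns 0 when every sshd grant carries a fixed argument list, 1 otherwise.
audit_sudoers() {
    if [ "$(count_unrestricted_sshd "$1")" -gt 0 ]; then
        printf 'UNSAFE: /usr/sbin/sshd may be run with arbitrary arguments\n' >&2
        return 1
    fi
    printf 'OK: every /usr/sbin/sshd grant has a fixed argument list\n' >&2
    return 0
}

# Demonstration: the quoted entry fails the audit, the pinned one passes.
audit_sudoers "$WEAK_SUDOERS" || true
audit_sudoers "$HARDENED_SUDOERS"
```

Pinning the arguments closes the -f hole but does not change the underlying trade: www-data can still start a root sshd on demand, just only with the administrator's own configuration, so the CGI remains worth firewalling and monitoring like any other path into the host.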