FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Dag-Erling Smørgrav
des at des.no
Thu Apr 17 20:08:49 UTC 2008
Matthew Seaman <m.seaman at infracaninophile.co.uk> writes:
> Hmmm... something that wasn't immediately clear to me reading the
> advisory: the requirement for an attacker to listen(2) on tcp port
> 6010 means that they have to have a login on the box being attacked.
> ie. it's a *local* information leak rather than a network attack. It
> took me some time and a few gentle thwaps with the clue stick by
> colleagues better versed in the sockets API than me before I
> understood that.
Yes, it's an interesting vulnerability. The attacker needs to be able
to execute code that listens to localhost:60XX on the server, but the
attack is directed at the client, not the server. You could say that
the workaround (on the server) is a mere courtesy to the client on the
part of the server - although of course the attacker could use this to
sniff the server's root password or hijack a root shell, so it's not
quite so clear-cut.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list