
Let's be extra paranoid and assume that the SSH server my client is connected to was "enhanced" so that every SSH client that establishes a connection with it will be tricked into thinking that it wants to create reverse port forwarding.

This would result in a situation where the passive attacker (owner of the SSH server) gains access to the SSH client's internal network as soon as the vulnerable client connects to it.

Is this somehow taken care of in OpenSSH? Or is it impossible by SSH design in general?


If you are interested in thinking about an SSH client being vulnerable to an SSH server, you may find these Q&A interesting to read:

jirislav
  • You're asking if OpenSSH takes care of something hypothetical. Of course it doesn't take care of that, because SSH clients do not establish a reverse shell when they connect in the first place. – forest Sep 27 '18 at 00:59
  • Wait, I just realized that you said "create reverse port forwarding". What does that mean? – forest Sep 27 '18 at 01:02
  • @forest Reverse port forwarding is a feature where the SSH client intentionally creates a "port redirect" on the SSH server to any port reachable from the SSH client. It's a pretty good trick to intentionally expose your port to the public from behind a NAT or firewall. But that doesn't have to be your localhost port; it may be any reachable port in your internal network. – jirislav Sep 27 '18 at 08:43
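The scenario in the question hinges on which side of the connection may initiate a remote ("-R") forward. The following is an added, simplified model (not OpenSSH's code, and not an answer posted on this page) of the client-side rules from RFC 4254 section 7: the client is the only side that sends the `tcpip-forward` global request, and when the server later opens a `forwarded-tcpip` channel the client accepts it only for a listener it asked for and connects to the target it was configured with, never to a destination named by the server. Class and method names are invented for illustration; the message dicts stand in for wire-format packets.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

Target = Tuple[str, int]


@dataclass
class ForwardingClient:
    """Hypothetical client-side bookkeeping for remote forwards (simplified)."""
    # (listen_addr, listen_port) -> (target_host, target_port); only the local
    # user (e.g. `ssh -R listen_port:target_host:target_port`) fills this table.
    requested: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def request_remote_forward(self, listen_addr: str, listen_port: int,
                               target_host: str, target_port: int) -> dict:
        """The CLIENT asks the server to listen; it records where it will
        connect for that listener and emits the tcpip-forward global request."""
        self.requested[(listen_addr, listen_port)] = (target_host, target_port)
        return {"msg": "GLOBAL_REQUEST", "name": "tcpip-forward",
                "address": listen_addr, "port": listen_port}

    def handle_global_request(self, msg: dict) -> bool:
        """Global requests from the server: tcpip-forward has no meaning in the
        server->client direction, so the client never opens anything for it.
        Returning False models SSH_MSG_REQUEST_FAILURE."""
        if msg.get("name") == "tcpip-forward":
            self.log.append("refused server-originated tcpip-forward")
        return False

    def handle_channel_open(self, msg: dict) -> Optional[Target]:
        """Server reports a connection on a listener via forwarded-tcpip.
        Accept only if this client requested that listener; the destination
        comes from the client's own table, not from the server's message."""
        if msg.get("type") != "forwarded-tcpip":
            self.log.append(f"unsupported channel type {msg.get('type')!r}")
            return None
        key = (msg["connected_address"], msg["connected_port"])
        target = self.requested.get(key)
        if target is None:
            self.log.append(f"denied forwarded-tcpip for {key}: not requested here")
            return None
        return target


# Constructed walk-through: one legitimate forward, then a server trying to
# open a channel for a listener the client never asked for.
client = ForwardingClient()
client.request_remote_forward("localhost", 8080, "intranet.example", 80)
print(client.handle_channel_open({"type": "forwarded-tcpip", "connected_address": "localhost",
                                  "connected_port": 8080, "originator_address": "203.0.113.5",
                                  "originator_port": 40000}))  # ('intranet.example', 80)
print(client.handle_channel_open({"type": "forwarded-tcpip", "connected_address": "localhost",
                                  "connected_port": 9999, "originator_address": "203.0.113.5",
                                  "originator_port": 40001}))  # None
```

Real OpenSSH applies extra matching rules (wildcard addresses, port 0 allocation) that this model omits, so treat it as the shape of the check rather than its exact logic.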
