[Security] SSHD locks and fills hard drive when scanned by nmap (DOS Attack) #787
Comments
manojampalam
changed the title
|
Thanks for reporting this. We'll follow up. |
|
@PillowFish - I couldn't reproduce this at my end.. I didn't see the error message in sshd.log file (error: accept: Connection reset") and the sshd.log is not growing.. I ran "nmap -sV -p 22 127.0.0.1", it ran successfully.. Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-10 15:24 Pacific Daylight Time SSHD.log29872 15:24:55:643 debug3: socket:424, io:0000025F58D72F90, fd:5 |
|
@PillowFish - Any update on this? |
|
@bagajjal is running the nmap scan against localhost really a reproduction of the author's issue, i.e. do you know the Windows 7 tcp/ip stack enough to say it should effectively have the same result as running the scan from a remote system? |
|
Sorry for the delay, |
|
@megamorf @PillowFish - FYI, I ran the command nmap only once.. |
|
Wacky, ill rerun this on my end and see if it happens again and if there is some environmental factor im missing... I to got into this odd state running nmap once, so that should have worked. |
|
Facing the same issue, file size went haywire last night. 1680 20:38:23:517 error: accept: Connection reset file size reached 50mb in less than a minute. Was also able to recreate it using nmap |
|
It would be great if you can provide us the reproduction steps.. Fyi,. We couldn't reproduce at our end |
|
OS in use: Windows Server 2016 64-Bit (VM) I also tried with a different VM (Windows Server 2008 R2) but wasn't able to replicate it. This defect doesn't show up when I see "Did not receive identification string from 127.0.0.1" in the logs |
|
@Aayush251 - Were you able to reproduce consistently on the windows server 2016 machine? |
|
Yes |
|
Any updates regarding this issue? |
|
@Aayush251 - Couldn't reproduce on windows server 2016... |
|
I am getting this also: My issue does not seem to have to be triggered by a scan or anything, it just seems to happen after a user is connected for a while. In a matter of hours it can rip through 20+GB with error: accept: Connection reset. |
|
@PillowFish, @Aayush251 , @logmein345 - I couldn't reproduce this issue.. It would be great if you can share the sshd.log (for the first 1-2 minutes so that I can dig more into this issue).. FYI, it works for me... please see this, |
|
@PillowFish, @Aayush251 , @logmein345 - is there an update on this? |
|
Is there any update on this? We are facing the same issue |
|
@jvalladaresBest - We are unable to reproduce this at our end. It would be great if you can share the sshd.log (for the first 1-2 minutes so that I can dig more into this issue).. |
|
Hi there, Log is containing millions of rows like this one:1680 20:38:23:517 error: accept: Connection resetKind Regards,JuanEl 3 de noviembre de 2017 a las 19:18 bagajjal <[email protected]> escribió:@jvalladaresBest - We are unable to reproduce this at our end. It would be great if you can share the sshd.log (for the first 1-2 minutes so that I can dig more into this issue)..—You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Hello, log dump can be found here: https://pastebin.com/KJ7qicib Scanning software is Qualsys. The "connection reset" lines go on indefinitely until the drive fills up. That's all I know at the moment. |
|
@ST159357 - Please set the log level to DEBUG3, provide the sshd.log. |
|
Hi, I think I my patch is resolving this issue. Please can someone confirm it? |
This is related to the win32-OpenSSH issue #787 PowerShell/Win32-OpenSSH#787 As request, the PR has been moved here There is a bug in the Microsoft POSIX compatibility layer used to translate POSIX socket API to Windows socket API. The bug concerns the emulated function accept() (socketio_accept() in the file socketio.c), which may return an invalid socket and may lock the program in an infinite loop. A race is happening between the Windows kernel signaling a socket issue to the POSIX compatibility layer. If a connection to the ssh service is dropped before being fully handled by the POSIX compatibility layer, that layer may reach a state where the Windows kernel is aware of the dropped connection and update all the socket states of the Windows socket API. However, the POSIX compatibility layer is in the middle of the accept() function task and fails without updating the local state of the emulated POSIX socket. When the emulated accept() exits, the current socket state is not updated and the emulated select() call would carry on detecting activity (previously already detected) on the socket, triggering the same exact error in the accept() call, running then in an infinite loop. This may not happen all the time: if the Windows kernel signals the error before the compatibility POSIX layer has setup its accept() state and returned successfully, other calls such as send() and recv() will update the state of the socket and will handle the issue. However, on a loaded machine where the synchronization between the Windows socket API and the compatibility POSIX layer may be slower, the emulated accept() call may finish before being notified by the Windows kernel of a client disconnection. This may be triggered with nmap, which makes two TCP connections in a row quickly: one to detect an opened port, and a second to retrieve the ssh banner. The fix proposed is to update the emulated accept() function to modify the internal state of the compatibility POSIX layer as a regular POSIX kernel would do. I personally had this issue and this patch fixed it. Please note that we have identified other situations where it could potentially happen (in particular the socketio_setsockopt() call). But we haven't investigated this issue more deeply. Other issues such as PowerShell#414 or #606 may be related.
|
FYI changed to Debug3 and did not get any new results. I have been able to mitigate this by adding scheduled powershell task that runs every five minutes and checks for sshd.log being bigger than 25MB, and restart sshd. You have to make sure user you are running this job for is allowed to logon as batch since you will run if logon or not. You will also need to be able to store local password. I put restart outside loop because I ran into instance where disk space was filled, but log file did not show it. I restarted sshd and space was freed, so as precaution decided to put outside loop. So far has worked out as workaround, till this is solved. |
|
I have proposed a patch which resolves this issue (I tested my patch, it is working). I have been asked to provide the patch for powershell/openssh-portable instead of here, see: PowerShell/openssh-portable#252 This has been done more than one month ago... Please can you apply this patch to avoid such trivial Denial of Service.This becomes critical (my ssh servers are scanned on the internet, resulting of massive DoS, just with a simple nmap scan... Should I open a CVE for that ? |
|
@itnic - It will be part of our next release (Jan-Mid release). |
|
Fixed as part of latest release 1.0.0.0 |
"OpenSSH for Windows" version
v0.0.16.0
OpenSSH_7.5, LibreSSL 2.5.3
Server OperatingSystem
Windows 7 Professional
Client OperatingSystem
Ubuntu 14.04 (running nmap 7.50)
What is failing
The SSHD process gets stuck in an infinite loop filling the sshd.log.
Expected output
The expectation is that the service will recover from an nmap scan and continue normal operations.
Actual output
SSHD becomes unresponsive and the sshd.log file fills at an alarming rate (gigs within the hour). the log contains the same line over and over:
"33552 13:10:16:181 error: accept: Connection reset"
At this point nmap has completed its scan and no new traffic is flowing to the sshd process (confirmed by wireshark).
Turning debugging up i get an extra line in the sshd.log:
33552 13:10:16:181 debug3: accept - ERROR: async io completed with error: 10054, io:00000000004551B0
33552 13:10:16:181 error: accept: Connection reset
I can reproduce this defect with the following nmap command:
nmap TARGET -p 22 -sV
Nmap output:
Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-26 13:28 EDT
Nmap scan report for TARGET (TARGET IP)
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
MAC Address: MAC
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
Stopping and starting the sshd process restores sshd functionality.
The text was updated successfully, but these errors were encountered: