Subject: OpenSSH's UseLogin option allows remote access with root privilege.
From: Markus Friedl (markus.friedl INFORMATIK.UNI-ERLANGEN.DE)
Date: Fri Jun 09 2000 - 10:06:30 CDT
OpenSSH's UseLogin option allows remote access with root privilege.
1. Systems affected:
The default installation of OpenSSH is not vulnerable, since
UseLogin defaults to 'no'. However, if UseLogin is enabled,
all versions of OpenSSH prior to 2.1.1 are affected.
2. Description:
If the UseLogin option is enabled the OpenSSH server (sshd)
does not switch to the uid of the user logging in. Instead,
sshd relies on login(1) to do the job. However, if the user
specifies a command for remote execution login(1) cannot
be used and sshd fails to set the correct user id. The
command is run with the same privilege as sshd (usually
with root privilege).
3. Impact:
If the administrator enables UseLogin users can get privileged
access to the server running sshd.
4. Short Term Solution:
Do not enable UseLogin on your machines or disable UseLogin
again in /etc/sshd_config:
UseLogin no
5. Solution:
Upgrade to OpenSSH-2.1.1 or apply the attached patch.
OpenSSH-2.1.1 is available from www.openssh.com.
Appendix:
1. OpenSSH-1.2.2
--- sshd.c.orig Thu Jan 20 18:58:39 2000
+++ sshd.c Tue Jun 6 10:12:00 2000

-2231,6 +2231,10 
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
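Review bot: The added `options.use_login = 0;` overwrites the server-wide option in place instead of deciding per session, so any later code in this process that reads `options.use_login` sees the administrator's setting as off. If that is intended, say so in the comment; otherwise leave the option untouched and derive a local flag from `options.use_login && command == NULL` for the code that follows.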
2. OpenSSH-1.2.3
--- sshd.c.orig Mon Mar 6 22:11:17 2000
+++ sshd.c Tue Jun 6 10:14:07 2000

-2250,6 +2250,10 
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
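Review bot: The new comment above the added `if` says when login(1) is called but not why the flag has to be cleared. The reason given in the advisory, that with UseLogin set and a command present nothing switches to the user's uid and the command runs with sshd's privilege, belongs in that comment so the check is not later removed as redundant.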
3. OpenSSH-2.1.0
--- session.c.orig Wed May 3 20:03:07 2000
+++ session.c Tue Jun 6 10:10:50 2000

-744,6 +744,10 
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
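Review bot: In the added `if (options.use_login && command != NULL)` branch the administrator's UseLogin setting is dropped silently. Consider writing a log or debug message at that point, so that an administrator who enabled UseLogin can see that it was ignored for a remote command.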
EOF
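
The condition from sections 1 and 4 of the advisory above (UseLogin enabled on a version prior to 2.1.1), as an added audit example that is not part of the original message or of OpenSSH. It assumes the first UseLogin line in the file takes effect, that keywords are case-insensitive, and that `yes` or `true` enable the option; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or from OpenSSH.
# Function names and the sample config are constructed for illustration.

# Print the effective UseLogin value ("yes" or "no") for an sshd_config file
# ("-" reads stdin). Assumptions: keywords are case-insensitive, the first
# UseLogin line wins, "yes"/"true" enable it, and the default is "no".
effective_uselogin() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        tolower($1) == "uselogin" {
            v = tolower($2)
            if (v == "yes" || v == "true") print "yes"; else print "no"
            found = 1
            exit
        }
        END { if (!found) print "no" }      # advisory: UseLogin defaults to no
    ' "$1"
}

# Succeed (exit 0) if version $1, e.g. "2.1.0", is older than the fixed 2.1.1.
older_than_fix() {
    awk -v v="$1" 'BEGIN {
        split(v, a, "."); split("2.1.1", f, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < f[i] + 0) exit 0
            if (a[i] + 0 > f[i] + 0) exit 1
        }
        exit 1                              # equal to 2.1.1: fixed
    }'
}

# Usage: check_uselogin CONFIG VERSION  -> prints AFFECTED or NOT-AFFECTED
check_uselogin() {
    if [ "$(effective_uselogin "$1")" = "yes" ] && older_than_fix "$2"; then
        echo "AFFECTED"
    else
        echo "NOT-AFFECTED"
    fi
}

# Constructed sample: the commented-out line is ignored, the live one counts.
check_uselogin - 2.1.0 <<'EOF'
# UseLogin no
Port 22
UseLogin yes
EOF
```

On a real host, pass the path of the server's configuration file (the advisory names /etc/sshd_config) and the installed OpenSSH version as the two arguments.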