OSEC

From: Andrew Bartlett (abartletPCUG.ORG.AU)
Date: Fri Jan 12 2001 - 20:22:25 CST


    Matt Zimmerman wrote:
    >
    > On Thu, Jan 11, 2001 at 01:42:52AM +0200, Ari Saastamoinen wrote:
    >
    > > On Wed, 10 Jan 2001, Pedro Margate wrote:
    > >
    > > > install the ssh binary as suid root by default. This can be disabled
    > > > during configuration or after the fact with chmod. I believe that would
    > >
    > > That exploit can use any suid root program which resolves host names. (For
    > > example ping and traceroute) So you cannot fix that glibc exploit only by
    > > unsetting SUID bit of ssh client.
    >
    > Or more properly, an suid root program which resolves host names _while still
    > holding root privileges_. ping from netkit and traceroute from LBNL do not
    > fall into this category. fping from SATAN, however, does.
    >

    As does OpenSSH, something that my patch (attached) fixes. The patch is
    for OpenSSH 2.3.0p1. Special thanks to Markus Friedl
    (Markus.Friedlinformatik.uni-erlangen.de) for his help/comments on the
    patches. Tested on RedHat 7.0.

    > --
    > - mdz
    >

    --
    Andrew Bartlett
    abartletpcug.org.au
    

    --- ssh.orig Sat Jan 13 12:51:42 2001 +++ ssh.c Sat Jan 13 12:52:02 2001 -611,12 +611,10 rsh_connect(host, options.user, &command); fatal("rsh_connect returned"); } - /* Restore our superuser privileges. */ - restore_uid();

    /* - * Open a connection to the remote host. This needs root privileges - * if rhosts_{rsa_}authentication is enabled. + * Open a connection to the remote host. This regains + * root privilages as required. */

    ok = ssh_connect(host, &hostaddr, options.port, -625,6 +623,9 !options.rhosts_rsa_authentication, original_real_uid, options.proxy_command); + + /* Restore our superuser privileges. */ + restore_uid();

    /* * If we successfully made the connection, load the host private key

    --- sshconnect.orig Sat Jan 13 12:51:49 2001 +++ sshconnect.c Sat Jan 13 12:52:01 2001 -96,6 +96,7 char *argv[10];

    /* Child. Permanently give up superuser privileges. */ + restore_uid(); permanently_set_uid(original_real_uid);

    /* Redirect stdin and stdout. */ -155,21 +156,22 */ if (privileged) { int p = IPPORT_RESERVED - 1; + /* Restore our superuser privileges. */ + restore_uid(); sock = rresvport_af(&p, family); + /* Back to normal user. */ + temporarily_use_uid(original_real_uid); if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else debug("Allocated local port %d.", p); } else { /* - * Just create an ordinary socket on arbitrary port. We use - * the user's uid to create the socket. + * Just create an ordinary socket on arbitrary port. */ - temporarily_use_uid(original_real_uid); sock = socket(family, SOCK_STREAM, 0); if (sock < 0) error("socket: %.100s", strerror(errno)); - restore_uid(); } return sock; } -248,11 +250,7

    /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, -#ifdef HAVE_CYGWIN !anonymous && port < IPPORT_RESERVED, -#else - !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, -#endif ai->ai_family); if (sock < 0) continue; -261,15 +259,12 * hope that it will help with tcp_wrappers showing * the remote uid as root. */ - temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); - restore_uid(); break; } else { debug("connect: %.100s", strerror(errno)); - restore_uid(); /* * Close the failed socket; there appear to * be some problems when reusing a socket for
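Review bot: the new ssh.c comment in the first hunk reads "root privilages"; spell it "privileges". Since the hunk moves restore_uid() from before ssh_connect() to after it, name resolution inside ssh_connect() now runs with the user's effective uid, and the comment should say so directly, e.g. "Open a connection to the remote host. We stay unprivileged here; ssh_connect() regains root only around the reserved-port bind."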
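Review bot: in the sshconnect.c proxy-command hunk, the added restore_uid() directly before permanently_set_uid(original_real_uid) is correct but undocumented. The caller now runs with euid == real uid, and a setuid(original_real_uid) made from that state would only change the effective uid on systems that honour the saved set-uid, leaving root recoverable in the child. Suggest a one-line comment above it: /* Regain root so that permanently_set_uid() can clear the saved uid as well. */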
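Review bot: the ssh_create_socket hunk drops the `geteuid() == 0` half of the privileged test, leaving `!anonymous && port < IPPORT_RESERVED`. Removing it was necessary because euid is no longer 0 at this point, but an ssh binary installed without the suid bit (the build option discussed upthread) will now take the privileged branch: restore_uid() cannot regain root, rresvport_af() fails, the "rresvport: af=%d" error is logged and the caller's `if (sock < 0) continue;` abandons that address instead of falling through to the ordinary socket as before. Suggest replacing the removed check with a test of whether the process actually started with root (e.g. a flag recorded from geteuid() at startup), which also keeps the Cygwin and non-Cygwin branches unified.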
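The uid-swapping discipline the thread and the patch describe (resolve host names as the real user, regain root only around the reserved-port bind, drop root for good before exec'ing a helper), as an added example that is not part of Andrew Bartlett's patch or of OpenSSH's own uidswap.c. The names temporarily_use_uid(), restore_uid() and permanently_set_uid() mirror the helpers the patch calls, but the implementation, uidswap_init(), have_root and resolve_unprivileged() are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
static uid_t saved_euid;  /* euid at startup: 0 when installed setuid root */
static int have_root;     /* nonzero only if the process started with euid 0 */

/* Record the starting privilege state; call before any network code runs. */
void uidswap_init(void) {
    saved_euid = geteuid();
    have_root = (saved_euid == 0);
}

/* Drop effective privileges to uid; the saved set-uid keeps root for later.
 * A no-op in a non-setuid install, where there is nothing to drop. */
int temporarily_use_uid(uid_t uid) {
    return have_root ? seteuid(uid) : 0;
}

/* Regain root for one privileged operation (e.g. the reserved-port bind). */
int restore_uid(void) {
    return have_root ? seteuid(saved_euid) : 0;
}

/* Give up root for good before exec'ing a helper such as a proxy command.
 * setuid() clears the saved uid only when called with euid 0, so regain root
 * first; afterwards, being able to seteuid(0) again means the drop failed. */
int permanently_set_uid(uid_t uid) {
    if (restore_uid() < 0 || setuid(uid) < 0) return -1;
    if (have_root && uid != 0 && seteuid(0) == 0) return -1;
    return 0;
}

/* Resolve host as the real user, as the patch arranges for ssh_connect().
 * Returns 0 if the lookup ran with euid == real uid, -1 otherwise or on
 * lookup failure. AI_NUMERICHOST keeps this offline; a client would omit it. */
int resolve_unprivileged(const char *host, struct addrinfo **res) {
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    temporarily_use_uid(getuid());
    int rc = getaddrinfo(host, NULL, &hints, res);
    int dropped = (geteuid() == getuid());  /* the lookup must not see root */
    restore_uid();
    return (rc != 0 || !dropped) ? -1 : 0;
}
```

Run as an ordinary user every swap is a no-op and the checks still pass; installed setuid root, the only window with euid 0 is whatever the caller wraps between restore_uid() and temporarily_use_uid().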