OSEC

From: Przemyslaw Frasunek (venglinfreebsd.lublin.pl)
Date: Thu Sep 20 2001 - 14:48:34 CDT

    Hello,

    The OpenSSH distributed with FreeBSD 4.4 (and earlier) doesn't drop privileges
    before messing with the login class capability database. The most problematic
    code is:

            if (newcommand == NULL && !quiet_login && !options.use_login) {
                    fname = login_getcapstr(lc, "copyright", NULL, NULL);
                    if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
                            while (fgets(buf, sizeof(buf), f) != NULL)
                                    fputs(buf, stdout);
                            fclose(f);

    and

                    f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
                        "/etc/motd"), "r");
    [...]
                            while (fgets(buf, sizeof(buf), f))
                                    fputs(buf, stdout);
                            fclose(f);

    in session.c, which allows reading ANY file on the system with superuser
    privileges by defining:

    default:\
     :copyright=/etc/master.passwd:

    or

     :welcome=/etc/master.passwd:

    in the user's ~/.login_conf.

    login(1), which is setuid and spawned by telnetd, is also vulnerable to a
    similar attack:

            if (!rootlogin)
                    auth_checknologin(lc);
    [...]
            (void)setegid(pwd->pw_gid);
            (void)seteuid(rootlogin ? 0 : pwd->pw_uid);

    Checking for nologin is performed with superuser privileges.
    auth_checknologin() is a libutil function which displays the nologin file, as
    defined in the login capability database. A user can read ANY file on the
    system by defining:

    default:\
     :nologin=/etc/master.passwd:

    The FreeBSD core team has already been informed and official patches were
    incorporated into the CVS repository *before* 4.4-RELEASE, although 4.4-RC and
    earlier versions are vulnerable and need to be patched with:

    http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libutil/login_cap.c?rev=1.17.2.3&content-type=text/plain

    An official advisory is pending. It's possible that other *BSD systems
    supporting the login capability database are also vulnerable.

    --
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawfrasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
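The ordering the post is arguing for, shown as an added example (my code, not FreeBSD's, OpenSSH's or the official patch): switch the effective uid/gid to the target user before opening a path taken from the login class database, so an entry such as `:welcome=/etc/master.passwd:` fails at fopen() under the user's own permissions instead of being echoed with root privileges. The function names, the temp-file self-check and its contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Copy `path` to `out` while running with the effective identity (uid, gid),
 * so fopen() is subject to that user's permissions instead of root's.
 * Returns lines copied, or -1 if the identity switch or the open fails. */
int copy_file_as_user(const char *path, uid_t uid, gid_t gid, FILE *out)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    char buf[BUFSIZ];
    int lines = 0;
    FILE *f;
    /* Drop privileges BEFORE touching the user-supplied path (gid first:
     * once the euid is unprivileged, setegid() would no longer be allowed). */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        (void)setegid(saved_gid);
        return -1;
    }
    f = fopen(path, "r");
    if (f == NULL) {
        lines = -1;          /* unreadable as this user: refuse, never retry as root */
    } else {
        while (fgets(buf, sizeof(buf), f) != NULL) {
            fputs(buf, out);
            lines++;
        }
        fclose(f);
    }
    /* Regain the saved identity only after the file is closed. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        return -1;
    return lines;
}

/* Constructed self-check: a three-line temp file owned by the caller is read
 * back with the caller's own uid/gid; expected return value is 3. */
int demo_own_file(void)
{
    char tmpl[] = "/tmp/osec_exampleXXXXXX";
    int fd = mkstemp(tmpl), lines = -1;
    if (fd >= 0 && write(fd, "a\nb\nc\n", 6) == 6)
        lines = copy_file_as_user(tmpl, getuid(), getgid(), stdout);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return lines;
}
```

Run as an unprivileged user the identity switch is a no-op and the check only exercises the read path; the ordering matters when the caller is root, as sshd and login(1) are at that point.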