TUCoPS :: Unix :: Various Flavours :: bt1467.txt

Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) 



----- Original Message -----
From: "Damien Miller" <djm@mindrot.org>
To: <BUGTRAQ@securityfocus.com>; <openssh-unix-dev@mindrot.org>;
<openssh-unix-announce@mindrot.org>
Sent: Tuesday, April 29, 2003 7:39 PM
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)


> 1. Systems affected:
>
> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
>
> Please note that the IBM-supplied OpenSSH packages[1] are
> not vulnerable.
>
> 2. Description:
>
> The default behavior of the runtime linker on AIX is to search
> the current directory for dynamic libraries before searching
> system paths. This is done regardless of the executable's
> set[ug]id status.
>
> This behavior is insecure and extremely dangerous. It allows an
> attacker to locally escalate their privilege level through the
> use of replacement libraries.
>
> Portable OpenSSH includes configure logic to override this
> broken behavior, but only for the native compiler. gcc uses a
> different command-line option (without changing the dangerous
> default behavior).
>
> 3. Impact:
>
> Privilege escalation by local users.
>
> 4. Short-term workaround:
>
> Remove any set[ug]id bits from the installed binaries,
> usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH
> may also install the 'ssh' binary as setuid.
>
> Please note that removing the setuid bit from ssh-keysign will
> disable hostbased authentication.
>
> Portable OpenSSH 3.6.1p2 uses the correct compiler flags to
> avoid the dangerous linker behavior.
>
> 5. Solution:
>
> For the problem to be solved, the AIX linker must be changed to
> only search system paths by default and never search the current
> directory or user-specified paths for set[ug]id programs.
>
> We consider this a serious flaw in IBM's linker, and urge
> them to fix it immediately.  IBM, are you listening?
>
> 6. Credits:
>
> Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
> issue to our attention. Darren Tucker <dtucker@zip.com.au>
> contributed the fix.
>
> [1] http://oss.software.ibm.com/developerworks/projects/opensshi
>

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH