From owner-freebsd-security Wed Sep 29 6:53:24 1999
Message-Id: <199909291352.GAA31310@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
To: freebsd-security@freebsd.org
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Date: Wed, 29 Sep 1999 06:52:24 -0700

Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is also "vulnerable" to bind(2) following symlinks during UNIX Domain Socket creation.

My question is: Is this an application bug, e.g. not checking for a symlink prior to creating the socket, or would this be an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX Domain Sockets?
Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Sun/DEC Team, UNIX Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                         Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

------- Forwarded Message

[Some header lines deleted]
Date: Mon, 27 Sep 1999 11:35:44 -0400
From: Dan Astoorian
Reply-To: Dan Astoorian
Sender: Bugtraq List
To: BUGTRAQ@SECURITYFOCUS.COM
X-To: Marc SPARC
X-cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
In-Reply-To: Your message of "Thu, 23 Sep 1999 22:53:16 EDT." <37EAE79C.AB730A71@mucom.co.il>
Resent-To: cy
Resent-Date: Mon, 27 Sep 1999 13:19:02 -0700
Resent-From: Cy Schubert

I'm surprised that nothing further has been reported to Bugtraq about this, but the problem appears to be that under Linux, a bind() to a Unix-domain socket will follow a dangling symlink, whereas most other Unixes appear to return an EADDRINUSE error.

I leave it to the standards lawyers to determine whether the failing is in the operating system for allowing the bind() to succeed, or in SSH for not testing whether the link exists. My vote goes to the OS being at fault, since it's easy enough for it to avoid following the link (and no real practical reason why it *should* follow the link).

A trivial demo program that demonstrates the problem is attached. (It needs no special privileges; run it as an unprivileged user in any writable directory.) The program reports "okay" under Solaris 2.5.1 and IRIX 6.5.2, "vulnerable" under RedHat 6.

--
People shouldn't think that it's better to have        Dan Astoorian
loved and lost than never loved at all.  It's          Sysadmin, CS Lab
not, it's better to have loved and won.  All           djast@cs.toronto.edu
the other options really suck.
            --Dan Redican

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>

#define FPATH "./bindlinktest"
#define LPATH "./bindlinktest0"

int main(int argc, char **argv)
{
    int fd;
    struct sockaddr_un sunaddr;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        exit(1);
    }

    /* Make sure FPATH does not exist, then point a dangling symlink at it. */
    unlink(FPATH);
    if (symlink(FPATH, LPATH) < 0) {
        perror("symlink");
        exit(1);
    }

    /* Bind to the symlink; a correct kernel refuses with EADDRINUSE. */
    memset(&sunaddr, 0, sizeof(sunaddr));
    sunaddr.sun_family = AF_UNIX;
    strncpy(sunaddr.sun_path, LPATH, sizeof(sunaddr.sun_path));

    if (bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
        if (errno == EADDRINUSE) {
            printf("bind() returned EADDRINUSE; this system appears to be okay.\n");
        } else {
            perror("bind");
        }
    } else {
        printf("bind() succeeded; this system appears to be vulnerable.\n");
    }

    close(fd);
    unlink(FPATH);
    unlink(LPATH);
    exit(0);
}

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message