From owner-freebsd-security Thu Sep 30 04:04:50 1999
Date: Thu, 30 Sep 1999 13:04:48 +0200 (CEST)
From: Andrzej Bialecki <abial@webgiro.com>
To: security@freebsd.org
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] (fwd)

Hi,

Seen on Bugtraq... The other postings mention FreeBSD 3.3 as vulnerable.

Andrzej Bialecki  //  WebGiro AB, Sweden (http://www.webgiro.com)  //
-------------------------------------------------------------------
------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
--- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----

---------- Forwarded message ----------
Date: Mon, 27 Sep 1999 11:35:44 -0400
From: Dan Astoorian <djast@cs.toronto.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

I'm surprised that nothing further has been reported to Bugtraq about this, but the problem appears to be that under Linux, a bind() to a Unix-domain socket will follow a dangling symlink, whereas most other Unixes appear to return an EADDRINUSE error.
I leave it to the standards lawyers to determine whether the failing is in the operating system for allowing the bind() to succeed, or in SSH for not testing whether the link exists. My vote goes to the OS being at fault, since it's easy enough for it to avoid following the link (and no real practical reason why it *should* follow the link).

A trivial demo program that demonstrates the problem is attached. (It needs no special privileges; run it as an unprivileged user in any writable directory.) The program reports "okay" under Solaris 2.5.1 and IRIX 6.5.2, "vulnerable" under RedHat 6.

--
Dan Astoorian           People shouldn't think that it's better to have
Sysadmin, CS Lab        loved and lost than never loved at all. It's
djast@cs.toronto.edu    not, it's better to have loved and won. All
                        the other options really suck.  --Dan Redican

[attached test program]

#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FPATH "./bindlinktest"    /* link target; deliberately never created */
#define LPATH "./bindlinktest0"   /* dangling symlink that bind() is given */

int main(int argc, char **argv)
{
    int fd;
    struct sockaddr_un sunaddr;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        exit(1);
    }

    /* make sure the target is absent, then point a symlink at it */
    unlink(FPATH);
    if (symlink(FPATH, LPATH) < 0) {
        perror("symlink");
        exit(1);
    }

    memset(&sunaddr, 0, sizeof(sunaddr));
    sunaddr.sun_family = AF_UNIX;
    strncpy(sunaddr.sun_path, LPATH, sizeof(sunaddr.sun_path));

    /* bind() through the dangling link: a kernel that follows the link
       creates FPATH and succeeds; one that does not fails with EADDRINUSE */
    if (bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
        if (errno == EADDRINUSE) {
            printf("bind() returned EADDRINUSE; this system appears to be okay.\n");
        } else {
            perror("bind");
        }
    } else {
        printf("bind() succeeded; this system appears to be vulnerable.\n");
    }

    close(fd);
    unlink(FPATH);
    unlink(LPATH);
    exit(0);
}
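The application-side check Dan's message mentions ("testing whether the link exists") can be done with lstat(), which reports a symlink itself instead of following it, so a dangling link is detected before bind() is ever called. The following is an added example written for this archive page; it is not code from Dan's post, from ssh, or from FreeBSD. The function names, the scratch directory under /tmp and the self-check routine are this example's own choices.

```c
/* Added example (not from the original post): bind a Unix-domain socket
 * only when nothing at all exists at the path, dangling symlinks included.
 * Function and path names are this example's own, not ssh's. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind fd to path unless something is already there.  Returns 0 on
 * success, -1 with errno set otherwise: EEXIST if any entry (file,
 * socket or symlink, dangling or not) occupies path. */
int bind_unix_nofollow(int fd, const char *path)
{
    struct sockaddr_un sunaddr;
    struct stat st;

    if (strlen(path) >= sizeof(sunaddr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* lstat() succeeds on a dangling symlink; stat() would report ENOENT
       and miss exactly the case the post describes. */
    if (lstat(path, &st) == 0) {
        errno = EEXIST;
        return -1;
    }
    if (errno != ENOENT)
        return -1;          /* permission problem or similar: propagate */

    memset(&sunaddr, 0, sizeof(sunaddr));
    sunaddr.sun_family = AF_UNIX;
    strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
    return bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr));
}

/* Self-check mirroring the post's demo: a dangling symlink must be
 * refused with EEXIST and an unused path must bind.  Returns 0 when both
 * hold.  A fresh mode-0700 directory from mkdtemp() keeps the test (and,
 * in real code, the socket) out of directories other users can write. */
int check_nofollow(void)
{
    char dir[] = "/tmp/bindlinkXXXXXX";          /* constructed scratch path */
    char target[64], link[64], fresh[64];
    int fd = -1, rc = -1, refused, bound;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof(target), "%s/target", dir);
    snprintf(link, sizeof(link), "%s/link", dir);
    snprintf(fresh, sizeof(fresh), "%s/fresh", dir);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        goto out;
    if (symlink(target, link) < 0)       /* target never exists: dangling */
        goto out;

    /* 1. dangling symlink at the bind path: must be refused, nothing created */
    refused = (bind_unix_nofollow(fd, link) < 0 && errno == EEXIST);
    /* 2. unused path: must bind normally (fd is still unbound after step 1) */
    bound = (bind_unix_nofollow(fd, fresh) == 0);

    rc = (refused && bound) ? 0 : -1;
out:
    if (fd >= 0)
        close(fd);
    unlink(link);
    unlink(target);
    unlink(fresh);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = check_nofollow();
    printf("%s\n", rc == 0 ? "dangling symlink refused, fresh path bound"
                           : "check failed");
    return rc == 0 ? 0 : 1;
}
```

The lstat() check closes the case in the post but is still a check-then-act sequence: between lstat() and bind() another local user who can write the directory could create the link. That is why the self-check binds inside a private directory; placing the socket in a directory only the owner can write removes the race rather than merely narrowing it.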