Date:      Wed, 25 Nov 1998 00:54:18 +0400
From:      Casper <casper@acc.am>
To:        "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   Again about logical bug in SSH2.0 & FBSD - patch
Message-ID:  <365B1CFA.52F840DF@acc.am>

Below is a small patch made by me. It has been working for about one week on my home
FreeBSD 3.0 - SNAP 16.08.98 /*- really old for a developer! :) -*/ machine,
and I have no problems ...
I'll try to patch sftpd as soon as possible ....
Feel free to write all messages and suggestions to nightmar@acc.am


In the ssh distribution, in ./apps/ssh/sshchsession.c,
look for lines like this (beginning on /* line 695 of 1786 (38%),
character 21335 of 59636 (35%) */ in version 2.0.10) and apply the patch
provided:

[--cut--]
[-- original code --]
/* Get the user's shell, and the last component of it. */
shell = ssh_user_shell(session->common->user_data);
shell_no_path = strrchr(shell, '/');
if (shell_no_path)
  shell_no_path++;
else
  shell_no_path = shell;
                
/* Start the command. */
switch (op)
  {
   case SSH_SESSION_SHELL:
[-- end original code --]
[-- comment these lines -]
/*      Start the shell.  Set initial character to '-'. */
/*      buf[0] = '-';
     	strncpy(buf + 1, shell_no_path, sizeof(buf) - 1);
      	buf[sizeof(buf) - 1] = 0;*/
/* 	Execute the shell. */
/*      argv[0] = buf;
      	argv[1] = NULL;*/
/* 	print motd, if "PrintMotd yes" and it exists */
/*      if(session->common->config->print_motd)
        {
          f = fopen("/etc/motd", "r");
          if (f)
            {
              while (fgets(linebuf, sizeof(linebuf), f))
                fputs(linebuf, stdout);
              fclose(f);
            }
        }*/
      
/*  execve(shell, argv, env); */
[-- end comment these lines -]
[-- insert these lines     --]
      argv[0] = "/usr/bin/login";
      argv[1] = "-f";
      argv[2] = session->common->user;	/*-i didn't check the code that
generates this string and /usr/bin/login source, so potential
buffer 					  -overrun in login ... i hope that i'm wrong :) ... -*/
      argv[3] = NULL; 
      execve("/usr/bin/login", argv, env);
[-- end insert these lines --]
      /* Executing the shell failed. */
      perror(shell);
      exit(254);
[--cut--]
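
Review bot: argv[2] = session->common->user is handed to /usr/bin/login directly after "-f" with no check on its contents, so a user name beginning with '-' would be read by login as another option, and with -f login performs no authentication of its own. Reject such names before the execve, or place a "--" entry ahead of the user name so option parsing stops there. Two smaller points in the same inserted block: argv now needs room for four entries where the commented-out code used two, and its declaration is not in the lines shown; and the failure path still calls perror(shell), which would name the user's shell rather than /usr/bin/login when the execve fails.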


See ya !
