Date: Tue, 21 Jul 1998 02:36:14 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: ssh vsprintf (was the lame whoose-language is better war)

On Tue, 21 Jul 1998, Jay Tribick wrote:

>
> I haven't had chance to look at the ssh code but why would it
> need to use vsprintf?? And also, why is it installed suid root?

from the configure --help for ssh-1.2.26

  --enable-suid-ssh       Install ssh as suid root (default)
  --disable-suid-ssh      Install ssh without suid bit

from the INSTALL that has come with every version of ssh.

CLIENT SUID ROOT, SERVER RUN AS ROOT

This package installs two programs that need special privileges.  Ssh
is the client program, and it is by default installed as suid root,
because it needs to create a privileged port in order to use .rhosts
files for authentication.  If it is not installed as suid root, it will
still be usable, but .rhosts authentication will not be available.  Also,
the private host key file is readable by root only.

> Mind you, none of these take input from STDIN or any other
> means so it would probably be a lot harder to exploit.

On the contrary, if you glance through the ssh code for vsprintf it comes
up in the sshd and ssh packet creation code, as well as scp.c. Both of
which do take input from just about anything, including of course stdin.

from packet.c

  This file contains code implementing the packet protocol and
  communication with the other side.  This same code is used both on
  client and server side.
  ...
  void packet_send_debug(const char *fmt, ...)
  {
    char buf[1024];
    ...
    va_start(args, fmt);
    vsprintf(buf, fmt, args);

>
> Regards,
>
> Jay Tribick

-ben@efn.org
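
Added example (not part of the message above and not code from ssh): the packet.c excerpt formats into a fixed 1024-byte buffer with an unbounded vsprintf, so the bounded form below measures what the unbounded call would have written and reports truncation instead. The function names, the "Remote: %s" format and the all-'A' peer string are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 1024 /* same size as buf[] in the quoted excerpt */

/* Bytes (excluding NUL) an unbounded vsprintf() would write; >= 1024 overruns buf[]. */
int debug_msg_needed(const char *fmt, ...)
{
    va_list args;
    int n;
    va_start(args, fmt);
    n = vsnprintf(NULL, 0, fmt, args); /* C99: measure only, write nothing */
    va_end(args);
    return n;
}

/* Bounded formatting (hypothetical helper name). Returns 0 if the message
 * fit, 1 if it was truncated, -1 on error; out is always NUL-terminated. */
int format_debug_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list args;
    int n;
    if (out == NULL || outsz == 0) return -1;
    va_start(args, fmt);
    n = vsnprintf(out, outsz, fmt, args);
    va_end(args);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n >= outsz ? 1 : 0;
}

/* Constructed input: a peer_len-byte string standing in for data from the other side. */
int demo(size_t peer_len, int *needed)
{
    static char peer[4096];
    char buf[DEBUG_BUF_SIZE];
    if (peer_len >= sizeof(peer)) peer_len = sizeof(peer) - 1;
    memset(peer, 'A', peer_len);
    peer[peer_len] = '\0';
    *needed = debug_msg_needed("Remote: %s", peer);
    return format_debug_bounded(buf, sizeof(buf), "Remote: %s", peer);
}

int main(void)
{
    int needed, rc = demo(2000, &needed);
    printf("needed=%d bytes, buffer=%d, truncated=%d\n", needed, DEBUG_BUF_SIZE, rc);
    return 0;
}
```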