Date: Tue, 21 Jul 1998 10:42:22 +0100 (BST)
From: Jay Tribick
To: ben@efn.org
cc: security@FreeBSD.ORG
Subject: Re: Ssh vsprintf (was the lame whoose-language is better war)

| > I haven't had chance to look at the ssh code but why would it
| > need to use vsprintf?? And also, why is it installed suid root?
|
| This package installs two programs that need special privileges. Ssh
| is the client program, and it is by default installed as suid root,
| because it needs to create a privileged port in order to use .rhosts
| files for authentication. If it is not installed as suid root, it will
| still be usable, but .rhosts authentication will not be available. Also, the
| private host key file is readable by root only.

Hmm.. Just OOI why would it need to be suid root to read
the .rhosts file? Surely there's a better solution, maybe
installing it sgid within its own group?

| >Mind you, none of these take input from STDIN or any other
| >means so it would probably be a lot harder to exploit.
|
| On the contrary, if you glance through the ssh code for vsprintf it comes up
| in the sshd and ssh packet creation code, as well as scp.c. Both of which do
| take input from just about anything, including of course stdin.

I stand corrected - I haven't had chance to look at the source
code yet. Has anyone done an audit on it?

Regards,

Jay Tribick
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
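
Added example, not part of the original message and not code from the ssh source: the thread's concern is vsprintf writing externally supplied data into fixed buffers in message-building code, so this sketch shows what an auditor would want in its place, a bounded append that detects truncation and leaves the buffer unchanged on failure. The `msgbuf` structure, its 64-byte size and the function names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size message buffer (assumption for illustration). */
struct msgbuf {
    char   data[64];
    size_t len;               /* bytes used, excluding the terminating NUL */
};

void msgbuf_init(struct msgbuf *m) { m->len = 0; m->data[0] = '\0'; }

/*
 * Append formatted text. Returns 0 on success, -1 if the output would not
 * fit or formatting failed. On failure the previous contents are kept.
 * A bare vsprintf(m->data + m->len, fmt, ap) here would write past the
 * end of data[] whenever the expanded string is longer than the room left.
 */
int msgbuf_appendf(struct msgbuf *m, const char *fmt, ...)
{
    va_list ap;
    size_t room = sizeof(m->data) - m->len;   /* includes space for the NUL */
    int n;

    va_start(ap, fmt);
    n = vsnprintf(m->data + m->len, room, fmt, ap);
    va_end(ap);

    /* vsnprintf returns the length it WANTED to write; >= room means cut. */
    if (n < 0 || (size_t)n >= room) {
        m->data[m->len] = '\0';               /* roll back the partial write */
        return -1;
    }
    m->len += (size_t)n;
    return 0;
}

int main(void)
{
    struct msgbuf m;
    char big[200];                            /* constructed oversized input */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    msgbuf_init(&m);
    printf("short: %d\n", msgbuf_appendf(&m, "user=%s", "jay"));
    printf("long:  %d\n", msgbuf_appendf(&m, " host=%s", big));
    printf("buffer: \"%s\" (%zu bytes)\n", m.data, m.len);
    return 0;
}
```

Treating truncation as an error, rather than silently sending a shortened message, is the design choice here: a cut-off field can change what the receiving side parses.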