From owner-freebsd-security Fri Sep 21 6:52:32 2001
Date: Fri, 21 Sep 2001 17:52:28 +0400 (MSD)
From: Maxim Kozin
To: FreeBSD-Security@FreeBSD.ORG
Subject: Re: login_conf vulnerability.
In-Reply-To: <20010921173502.A62350@nagual.pp.ru>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 21 Sep 2001, Andrey A. Chernov wrote:

> On Fri, Sep 21, 2001 at 14:19:37 +0100, Marc Rogers wrote:
> >
> > :copyright=/etc/master.passwd:
>
> It is an SSH+LOGIN_CAP integration bug. SSH should call setusercontext()
> before accessing "copyright" and "welcome" properties, as /usr/bin/login
> does.

I can't repeat the bug on FreeBSD with OpenSSH_2.5.1p1.
Does it depend on the "UseLogin" option in sshd_config? (off by default)
Must the intruder run "cap_mkdb .login_conf" after editing .login_conf
(be careful, not .login.conf!)?
For which version of OpenSSH does the exploit work?

b.r. Kozin Maxim
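
An administrator's audit for the kind of entry quoted in this thread, as an added example that is not part of the original message or of FreeBSD: it reports "copyright" and "welcome" capabilities in a per-user .login_conf whose target is outside that user's home directory. The function names, the two arguments and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report copyright=/welcome= capabilities
# in a per-user .login_conf whose target lies outside the owner's home.
# audit_login_conf and its two arguments are hypothetical names.

audit_login_conf() {
    conf=$1
    home=$(cd -P -- "$2" 2>/dev/null && pwd -P) || return 2

    # Drop comment lines, split the termcap-style record on ':' and keep
    # only the two capabilities that name a file shown at login.
    sed -e '/^[[:space:]]*#/d' < "$conf" | tr ':' '\n' |
    sed -n -e 's/^[[:space:]]*\(copyright=.*\)$/\1/p' \
           -e 's/^[[:space:]]*\(welcome=.*\)$/\1/p' |
    while IFS='=' read -r cap target; do
        dir=
        case $target in
            /*) dir=$(cd -P -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) || dir= ;;
        esac
        case "$dir/" in
            # Inside the home directory and not a symlink: nothing to report.
            "$home"/*) [ -L "$target" ] || continue ;;
        esac
        # Outside home, relative, unresolvable, or a symlink: review it.
        printf '%s=%s\n' "$cap" "$target"
    done
}

demo_audit() {
    # Constructed sample: one entry like the one quoted in the thread,
    # one harmless entry inside the (temporary) home directory.
    tmp=$(mktemp -d) && mkdir -p "$tmp/home/u" && : > "$tmp/home/u/motd"
    printf 'me:\\\n\t:copyright=/etc/master.passwd:\\\n\t:welcome=%s:\n' \
        "$tmp/home/u/motd" > "$tmp/home/u/.login_conf"
    audit_login_conf "$tmp/home/u/.login_conf" "$tmp/home/u"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

Run with `--demo` to see the constructed sample flagged, or call `audit_login_conf FILE HOMEDIR` once per account from a loop over the password database.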