From: titus manea
To: freebsd-security@FreeBSD.ORG
Date: Wed, 5 Dec 2001 09:03:18 +0200
Subject: OpenSSH UseLogin problem
Message-ID: <20011205090318.A7617@unix.edc.dnttm.ro>

---------------------------------------------------------------
II. Problem Description

OpenSSH includes a feature by which a user can arrange for environmental
variables to be set depending upon the key used for authentication. These
environmental variables are specified in the `authorized_keys' (SSHv1) or
`authorized_keys2' (SSHv2) files in the user's home directory on the
server. This is normally safe, as this environment is passed only to the
user's shell, which is invoked with user privileges.
However, when the OpenSSH server `sshd' is configured to use the system's
login program (via the directive `UseLogin yes' in sshd_config), this
environment is passed to login, which is invoked with superuser
privileges. Because certain environmental variables such as
LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously described
feature, the user may arrange for login to execute arbitrary code with
superuser privileges.
-------------------------------------------------------------------------

    ls -l `which login`
    -r-sr-xr-x  1 root  wheel  22020 Oct 25 13:06 /usr/bin/login

LD_ env vars like LD_LIBRARY_PATH and such do not work for setuid
binaries (ld.so man page). Here is an example (I did it as root).

OK, I moved libmysqlclient.so.10 from its place to my ~ and copied
mysql to ~ too.

    [08:52:11] [titus!root]~#./mysql
    /usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
    [08:52:19] [titus!root]~#export LD_LIBRARY_PATH=/home/titus
    [08:52:35] [titus!root]~#./mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 5 to server version: 3.23.41

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> Bye
    [08:52:49] [titus!root]~#chmod +s mysql
    [08:52:54] [titus!root]~#./mysql
    /usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
    [08:52:55] [titus!root]~#

-- 
__________________________________________________________________________
Titus Manea | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091
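The two things an administrator can check locally, given the advisory quoted above, are whether sshd_config enables `UseLogin' and which keys in authorized_keys carry per-key environment settings. The following Python script is an added example for this thread, not code from the original post, the advisory, or OpenSSH. It assumes the `environment="NAME=value"` authorized_keys option syntax (the real OpenSSH option, known from sshd(8) but not spelled out in the advisory text above); the sshd_config and authorized_keys contents it scans are constructed samples with placeholder key material. It reports `UseLogin yes` and every `environment=` option, flagging loader variables (LD_*, DYLD_*) as the ones the advisory is concerned with.

```python
# Audit sshd_config and authorized_keys for the UseLogin / environment= exposure.
# Added example, not from the original post.  The environment="NAME=value"
# option syntax is assumed from sshd(8); sample inputs are constructed.
import re
from typing import Dict, List, Tuple

# Constructed sample sshd_config carrying the weak setting from the advisory.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
UseLogin yes
PermitRootLogin no
"""

# Constructed sample authorized_keys; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# authorized_keys (constructed sample)
ssh-rsa AAAAB3PLACEHOLDER alice@example
environment="LD_PRELOAD=/home/alice/lib.so",no-pty ssh-rsa AAAAB3PLACEHOLDER2 alice@laptop
environment="EDITOR=vi",command="/usr/bin/id" ssh-dss AAAAB3PLACEHOLDER3 bob
1024 35 1234567890PLACEHOLDER carol
"""

# A line starts with a key (no options) when its first field is a key type
# or, for the SSHv1 format, the bit count.
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|\d+)$")
LOADER_VAR_RE = re.compile(r"^(LD_[A-Z0-9_]*|DYLD_[A-Z0-9_]*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value, keywords lowercased.  sshd keeps the first value it
    reads for a keyword, so a later duplicate is ignored here as well."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return cfg


def uselogin_enabled(cfg: Dict[str, str]) -> bool:
    return cfg.get("uselogin", "no").lower() == "yes"


def split_options(options: str) -> List[str]:
    """Split comma-separated key options; double-quoted values may contain
    commas and backslash-escaped characters."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(options):
        ch = options[i]
        if ch == "\\" and in_quote and i + 1 < len(options):
            cur.append(options[i + 1]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            out.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if cur:
        out.append("".join(cur))
    return out


def leading_options(line: str) -> Tuple[str, str]:
    """Return (options, rest); options end at the first unquoted whitespace."""
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def environment_options(text: str) -> List[Dict[str, object]]:
    """Every environment="NAME=value" option, with loader variables marked."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(leading_options(line)[0]):
            if not opt.lower().startswith("environment="):
                continue
            name, _, value = opt[len("environment="):].strip('"').partition("=")
            findings.append({"line": lineno, "var": name, "value": value,
                             "loader": bool(LOADER_VAR_RE.match(name))})
    return findings


def audit(sshd_config: str, authorized_keys: str) -> List[str]:
    """Combine both checks into a list of findings for the administrator."""
    msgs: List[str] = []
    if uselogin_enabled(parse_sshd_config(sshd_config)):
        msgs.append("sshd_config: UseLogin yes - per-key environment reaches "
                    "login(1) invoked as root; set UseLogin no")
    for f in environment_options(authorized_keys):
        level = "HIGH (loader variable)" if f["loader"] else "info"
        msgs.append(f"authorized_keys line {f['line']}: environment={f['var']} [{level}]")
    return msgs


if __name__ == "__main__":
    for msg in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(msg)
```

Run against real files by reading /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys (and authorized_keys2 for SSHv2 on this era of OpenSSH) into the two `audit()` arguments; the `environment=` finding on its own is only informational, since without `UseLogin yes` the variables reach nothing more privileged than the user's own shell.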