Date: Fri, 09 Jun 2000 22:47:38 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: freebsd-security@freebsd.org
Cc: security-officer@freebsd.org
Subject: OpenSSH's UseLogin option allows remote access with root privilege. (fwd)
Message-ID: <200006100547.e5A5lt931850@cwsys.cwsent.com>
This is probably important enough to be posted here too.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
------- Forwarded Message
Forwarded: Fri, 09 Jun 2000 22:34:14 -0700
Forwarded: jlcthibo@uumail.gov.bc.ca
Message-ID: <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Date: Fri, 9 Jun 2000 17:06:30 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Subject: OpenSSH's UseLogin option allows remote access with root
privilege.
X-To: misc@openbsd.org, openssh-unix-dev@mindrot.org
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Fri, 09 Jun 2000 21:17:46 -0700
Resent-From: Cy Schubert <cschuber@osg.gov.bc.ca>
OpenSSH's UseLogin option allows remote access with root privilege.
1. Systems affected:
The default installation of OpenSSH is not vulnerable, since
UseLogin defaults to 'no'. However, if UseLogin is enabled,
all versions of OpenSSH prior to 2.1.1 are affected.
2. Description:
If the UseLogin option is enabled the OpenSSH server (sshd)
does not switch to the uid of the user logging in. Instead,
sshd relies on login(1) to do the job. However, if the user
specifies a command for remote execution login(1) cannot
be used and sshd fails to set the correct user id. The
command is run with the same privilege as sshd (usually
with root privilege).
3. Impact:
If the administrator enables UseLogin users can get privileged
access to the server running sshd.
4. Short Term Solution:
Do not enable UseLogin on your machines or disable UseLogin
again in /etc/sshd_config:
UseLogin no
5. Solution:
Upgrade to OpenSSH-2.1.1 or apply the attached patch.
OpenSSH-2.1.1 is available from www.openssh.com.
Appendix:
1. OpenSSH-1.2.2
- --- sshd.c.orig Thu Jan 20 18:58:39 2000
+++ sshd.c Tue Jun 6 10:12:00 2000
@@ -2231,6 +2231,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
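Review bot: the comment on the added check says when login(1) is called but not why clearing the flag matters for security. At `if (options.use_login && command != NULL)`, state explicitly that a remote command must take the non-login path so that this function performs the uid switch itself, since the advisory describes the command otherwise running with sshd's privilege. Also note that `options.use_login = 0;` rewrites the configured option in place; a local variable would keep the configured value intact for any later reader of `options`.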
2. OpenSSH-1.2.3
- --- sshd.c.orig Mon Mar 6 22:11:17 2000
+++ sshd.c Tue Jun 6 10:14:07 2000
@@ -2250,6 +2250,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
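Review bot: missing documentation for the behaviour change in the added branch: with this check, `UseLogin yes` is silently ignored whenever `command != NULL`. An administrator who enabled the option gets no indication that remote command execution bypasses login(1). Suggest a debug or log line inside the branch and a sentence in the UseLogin entry of the sshd_config documentation.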
3. OpenSSH-2.1.0
- --- session.c.orig Wed May 3 20:03:07 2000
+++ session.c Tue Jun 6 10:10:50 2000
@@ -744,6 +744,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
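Review bot: the check at the top of this hunk corrects the problem by clearing `options.use_login` up front, so the uid switch still depends on code below the visible lines testing that flag. Consider making the later decision explicit, skipping the uid switch only at the point where login(1) is actually executed, so that a future path reaching this function with a non-NULL `command` cannot reintroduce the problem. `command != NULL` is also the only test for "not a login shell" here; please confirm that an empty command string is handled as intended.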
EOF
------- End of Forwarded Message
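
The short-term fix in the advisory depends on knowing whether a given sshd_config actually enables UseLogin. The following check is an added example, not part of the original e-mail or of OpenSSH. It assumes keywords are case-insensitive, the first occurrence of a keyword wins, and both `Keyword value` and `Keyword=value` forms are accepted. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report the effective UseLogin value.
# Assumptions: keywords are case-insensitive, the first occurrence wins,
# and both "Keyword value" and "Keyword=value" forms are accepted.

uselogin_state() {
    # $1 = path to an sshd_config file; prints "yes", "no" or "unset"
    awk '
        {
            line = $0
            sub(/#.*/, "", line)        # drop comments
            sub(/^[ \t]+/, "", line)    # drop leading blanks
            if (line == "") next
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "uselogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_uselogin() {
    # Returns 1 when the file enables UseLogin, 0 otherwise.
    state=$(uselogin_state "$1")
    if [ "$state" = "yes" ]; then
        echo "$1: UseLogin yes -> set 'UseLogin no' or upgrade to OpenSSH-2.1.1"
        return 1
    fi
    echo "$1: UseLogin $state"
    return 0
}

# Constructed sample configs (not real systems).
demo_dir=$(mktemp -d)
printf '# sample A\nPort 22\nuselogin yes\nUseLogin no\n' > "$demo_dir/a_config"
printf 'Port 22\n#UseLogin yes\n' > "$demo_dir/b_config"
audit_uselogin "$demo_dir/a_config" || true
audit_uselogin "$demo_dir/b_config" || true
```

On a real host the function would be pointed at the file named in the advisory, `/etc/sshd_config`; an "unset" result corresponds to the default of 'no' that the advisory describes.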
