5181572 2000-06-10  09:23  /100 lines/ Postmaster
Recipient: Bugtraq (import) <11239>
Subject: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID:  <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Date:         Fri, 9 Jun 2000 17:06:30 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To:         misc@openbsd.org, openssh-unix-dev@mindrot.org
To: BUGTRAQ@SECURITYFOCUS.COM

OpenSSH's UseLogin option allows remote access with root privilege.

1. Systems affected:

	The default installation of OpenSSH is not vulnerable, since
	UseLogin defaults to 'no'.  However, if UseLogin is enabled,
	all versions of OpenSSH prior to 2.1.1 are affected.

2. Description:

        If the UseLogin option is enabled the OpenSSH server (sshd)
        does not switch to the uid of the user logging in. Instead,
        sshd relies on login(1) to do the job. However, if the user
        specifies a command for remote execution login(1) cannot
        be used and sshd fails to set the correct user id.  The
        command is run with the same privilege as sshd (usually
        with root privilege).

3. Impact:

        If the administrator enables UseLogin users can get privileged
        access to the server running sshd.

4. Short Term Solution:

        Do not enable UseLogin on your machines or disable UseLogin
        again in /etc/sshd_config:
		UseLogin no

5. Solution:

	Upgrade to OpenSSH-2.1.1 or apply the attached patch.
	OpenSSH-2.1.1 is available from www.openssh.com.


Appendix:

1. OpenSSH-1.2.2

--- sshd.c.orig	Thu Jan 20 18:58:39 2000
+++ sshd.c	Tue Jun  6 10:12:00 2000
@@ -2231,6 +2231,10 @@
 	struct stat st;
 	char *argv[10];

+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */
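Review bot: the fix works by clearing `options.use_login`, i.e. it rewrites the server-wide configuration struct from inside the per-session child once the command is known; that is safe only because each connection runs in its own forked process. A local flag (e.g. `int use_login = options.use_login && command == NULL;`) used for the rest of this function would make the intent explicit and not depend on that process model. Also extend the comment to say why the check matters: when login(1) is not run, sshd itself has to switch to the user's uid before executing the command.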

2. OpenSSH-1.2.3

--- sshd.c.orig	Mon Mar  6 22:11:17 2000
+++ sshd.c	Tue Jun  6 10:14:07 2000
@@ -2250,6 +2250,10 @@
 	struct stat st;
 	char *argv[10];

+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */
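Review bot: this 1.2.3 backport is identical to the 1.2.2 hunk (same comment, same condition, same placement ahead of the /etc/nologin check), which keeps the two trees consistent. Since clearing use_login silently changes which component performs the uid switch, consider adding a debug/log line at this point when UseLogin is overridden for a command, so administrators who enabled UseLogin for login(1) accounting can see that command sessions do not go through it.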

3. OpenSSH-2.1.0

--- session.c.orig	Wed May  3 20:03:07 2000
+++ session.c	Tue Jun  6 10:10:50 2000
@@ -744,6 +744,10 @@
 	struct stat st;
 	char *argv[10];

+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */
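Review bot: in the 2.1.0 tree the same check lands in session.c rather than sshd.c, but the hunk's only context is `struct stat st; char *argv[10];` and the `fopen("/etc/nologin", "r")` call, which is generic enough that patch(1) could place it with fuzz in another function declaring the same locals; verify after applying that it sits in the session-setup code that runs before the uid switch. The behavioural change (UseLogin now applies only to login-shell sessions, never to remote commands) should also be stated in the UseLogin description of the sshd_config documentation.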

EOF
(5181572) ------------------------------------------
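As an added illustration of the advisory's Description (this is constructed example code, not OpenSSH's source), the following C model shows the decision the patch changes: with UseLogin enabled, sshd leaves the uid switch to login(1), which is only ever run for a login shell, so a remote command was exec'd with sshd's own privilege. The type `session_t`, the function `run_session()` and the numeric uid result are assumptions made for this example.

```c
/* Added example, not OpenSSH's code: a minimal model of how sshd's
 * per-session child hands off privilege, contrasting the pre-2.1.1
 * UseLogin logic with the patched logic.  The type name session_t,
 * the function run_session() and the integer uid result are constructed
 * for this illustration. */
#include <stddef.h>
#include <stdio.h>

#define ROOT_UID 0u

typedef struct {
    int use_login;          /* sshd_config: UseLogin yes (1) / no (0) */
    const char *command;    /* remote command, or NULL for a login shell */
    unsigned int user_uid;  /* uid of the authenticated user */
} session_t;

/* Returns the uid the session's final process executes under.
 * patched == 0 models OpenSSH before 2.1.1; patched != 0 models the fix. */
static unsigned int run_session(session_t s, int patched)
{
    unsigned int uid = ROOT_UID;   /* the forked child starts as root, like sshd */

    /* The 2.1.1 fix: login(1) is only invoked for a login shell, so when a
     * command was requested UseLogin must not suppress sshd's own uid switch. */
    if (patched && s.use_login && s.command != NULL)
        s.use_login = 0;

    if (!s.use_login)
        uid = s.user_uid;          /* sshd drops to the user itself */

    if (s.command == NULL && s.use_login)
        uid = s.user_uid;          /* login(1) runs and switches uid for the shell */

    /* With a command, sshd execs it directly: if use_login is still set,
     * nobody has dropped privilege and the command runs as uid 0. */
    return uid;
}

int main(void)
{
    session_t cmd   = { 1, "id", 1000 };   /* UseLogin yes, remote command */
    session_t shell = { 1, NULL, 1000 };   /* UseLogin yes, login shell */

    printf("UseLogin yes + command, unpatched: uid %u\n", run_session(cmd, 0));   /* 0 */
    printf("UseLogin yes + command, patched:   uid %u\n", run_session(cmd, 1));   /* 1000 */
    printf("UseLogin yes + shell, either way:  uid %u\n", run_session(shell, 0)); /* 1000 */
    return 0;
}
```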

5182526 2000-06-10  21:52  /22 lines/ Postmaster
Recipient: Bugtraq (import) <11257>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID:  <Pine.LNX.4.21.0006101044140.4808-100000@bochum.redhat.de>
Date:         Sat, 10 Jun 2000 10:45:31 +0200
Reply-To: Bernhard Rosenkraenzer <bero@REDHAT.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Bernhard Rosenkraenzer <bero@REDHAT.DE>
X-To:         Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000609170629.A4933@folly.informatik.uni-erlangen.de>

On Fri, 9 Jun 2000, Markus Friedl wrote:

> OpenSSH's UseLogin option allows remote access with root privilege.

Updated Red Hat Linux packages are now available at

ftp://ftp.redhat.de/pub/rh-addons/security/current
(5182526) ------------------------------------------

5182585 2000-06-10  22:35  /71 lines/ Postmaster
Recipient: Bugtraq (import) <11258>
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID:  <20000610141156.F3275@conectiva.com.br>
Date:         Sat, 10 Jun 2000 14:11:56 -0300
Reply-To: Andreas Hasenack <andreas@CONECTIVA.COM.BR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Andreas Hasenack <andreas@CONECTIVA.COM.BR>
X-To:         lwn@lwn.net, bos@sekure.org
To: BUGTRAQ@SECURITYFOCUS.COM

----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE                     : openssh
SUMMARY                     : "UseLogin" option allows remote execution of commands as root
DATE                        : 2000-06-10
AFFECTED CONECTIVA VERSIONS : 5.0

----------------------------------------------------------------------


DESCRIPTION
OpenSSH's default installation doesn't have this problem.
If the "UseLogin" option is used, then the ssh server won't drop
its root privileges, instead relying on the login program to do
so. But if the user specifies a command to be executed during the
ssh session, the login program won't be used and the program will
be run with full root privileges.


SOLUTION
Users with the "UseLogin" option set to "no" in /etc/ssh/sshd_config
are not vulnerable. If, however, this option is needed, then openssh
MUST be upgraded IMMEDIATELY.
Updated packages for openssl are also provided to satisfy openssh's
dependencies.


DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm


DIRECT LINK TO THE SOURCE PACKAGE
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm


----------------------------------------------------------------------

All packages are signed with Conectiva's PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html


----------------------------------------------------------------------
(5182585) ------------------------------------------(Rewrapped)

5184791 2000-06-12  08:36  /80 lines/ Postmaster
Recipient: Bugtraq (import) <11266>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID:  <20000610145425.B14679@babylon5.babcom.com>
Date:         Sat, 10 Jun 2000 14:54:25 -0700
Reply-To: Phil Stracchino <alaric@BABCOM.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Phil Stracchino <alaric@BABCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0006101044140.4808-100000@bochum.redhat.de>; from bero@REDHAT.DE on Sat, Jun 10, 2000 at 10:45:31AM +0200


On Sat, Jun 10, 2000 at 10:45:31AM +0200, Bernhard Rosenkraenzer wrote:
> On Fri, 9 Jun 2000, Markus Friedl wrote:
>
> > OpenSSH's UseLogin option allows remote access with root privilege.
>
> Updated Red Hat Linux packages are now available at
>
> ftp://ftp.redhat.de/pub/rh-addons/security/current


The previously-posted patch is for the OpenBSD version, not the
portable version.  The attached patch will update portable version
2.1.0p2 (the latest on the sites, at least as of last night) to
2.1.1p1.



--
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
     Vr00m: 2000 Honda CBR929RR   --   Cage: 2000 Dodge Intrepid R/T
 Previous vr00mage:  1986 VF500F (sold), 1991 VFR750F3 (foully murdered)

[Attachment: session.c.patch]

*** session.c.orig	Fri May 19 19:49:31 2000
--- session.c	Fri Jun  9 23:45:28 2000
***************
*** 809,814 ****
--- 809,818 ----
  	char *argv[10];

  #ifndef USE_PAM /* pam_nologin handles this */
+  	/* login(1) is only called if we execute the login shell */
+  	if (options.use_login && command != NULL)
+  		options.use_login = 0;
+
  	f = fopen("/etc/nologin", "r");
  	if (f) {
  		/* /etc/nologin exists.  Print its contents and exit. */
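Review bot: the added check sits inside the `#ifndef USE_PAM /* pam_nologin handles this */` block, so a build with PAM enabled compiles it out entirely and a remote command under UseLogin still runs with sshd's uid. The USE_PAM guard only exists to skip the /etc/nologin handling that PAM performs itself; move the four added lines above the `#ifndef USE_PAM` so the UseLogin check is compiled unconditionally.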

(5184791) ------------------------------------------(Rewrapped)

5186925 2000-06-12  19:26  /52 lines/ Postmaster
Recipient: Bugtraq (import) <11269>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID:  <20000612115800.A19359@folly.informatik.uni-erlangen.de>
Date:         Mon, 12 Jun 2000 11:58:00 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To:         Phil Stracchino <alaric@BABCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000610145425.B14679@babylon5.babcom.com>; from alaric@BABCOM.COM on Sat, Jun 10, 2000 at 02:54:25PM -0700


On Sat, Jun 10, 2000 at 02:54:25PM -0700, Phil Stracchino wrote:
> *** session.c.orig	Fri May 19 19:49:31 2000
> --- session.c	Fri Jun  9 23:45:28 2000

This is a bad patch: the check for (options.use_login && command
!= NULL) should be compiled into sshd even if USE_PAM is defined.
A correct patch is attached.

Moreover, I got some complaints from people who ship OpenSSH and
did not get notified in advance.  We don't know all who ship OpenSSH,
so please tell me at <markus@openssh.com> if you want to get notified
in the future.


[Attachment: U1]

--- session.c-orig	Mon Jun 12 11:46:32 2000
+++ session.c	Mon Jun 12 11:46:35 2000
@@ -812,6 +812,10 @@
 	struct stat st;
 	char *argv[10];

+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 #ifndef USE_PAM /* pam_nologin handles this */
 	f = fopen("/etc/nologin", "r");
 	if (f) {
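Review bot: placing the check before `#ifndef USE_PAM` makes it unconditional, which closes the PAM-build gap of the earlier portable patch. Nothing in the hunk exercises the fixed path, though; add a regression check to the release tests (with `UseLogin yes`, run a remote command and confirm it executes as the authenticated user rather than uid 0) so that a future reordering around the `#ifndef` is caught rather than shipped.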

(5186925) ------------------------------------------