5181572 2000-06-10 09:23 /100 lines/ Postmaster
Recipient: Bugtraq (import) <11239>
Subject: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Message-ID: <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Date: Fri, 9 Jun 2000 17:06:30 +0200
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
X-To: misc@openbsd.org, openssh-unix-dev@mindrot.org

OpenSSH's UseLogin option allows remote access with root privilege.

1. Systems affected:

   The default installation of OpenSSH is not vulnerable, since
   UseLogin defaults to 'no'. However, if UseLogin is enabled, all
   versions of OpenSSH prior to 2.1.1 are affected.

2. Description:

   If the UseLogin option is enabled, the OpenSSH server (sshd) does
   not switch to the uid of the user logging in. Instead, sshd relies
   on login(1) to do the job. However, if the user specifies a command
   for remote execution, login(1) cannot be used and sshd fails to set
   the correct user id. The command is run with the same privilege as
   sshd (usually with root privilege).

3. Impact:

   If the administrator enables UseLogin, users can get privileged
   access to the server running sshd.

4. Short Term Solution:

   Do not enable UseLogin on your machines, or disable UseLogin again
   in /etc/sshd_config:

        UseLogin no

5. Solution:

   Upgrade to OpenSSH-2.1.1 or apply the attached patch.
   OpenSSH-2.1.1 is available from www.openssh.com.

Appendix:

1. OpenSSH-1.2.2

--- sshd.c.orig	Thu Jan 20 18:58:39 2000
+++ sshd.c	Tue Jun  6 10:12:00 2000
@@ -2231,6 +2231,10 @@
 	struct stat st;
 	char *argv[10];
 
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */

2. OpenSSH-1.2.3

--- sshd.c.orig	Mon Mar  6 22:11:17 2000
+++ sshd.c	Tue Jun  6 10:14:07 2000
@@ -2250,6 +2250,10 @@
 	struct stat st;
 	char *argv[10];
 
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */

3. OpenSSH-2.1.0

--- session.c.orig	Wed May  3 20:03:07 2000
+++ session.c	Tue Jun  6 10:10:50 2000
@@ -744,6 +744,10 @@
 	struct stat st;
 	char *argv[10];
 
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 	f = fopen("/etc/nologin", "r");
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */

EOF (5181572) ------------------------------------------

5182526 2000-06-10 21:52 /22 lines/ Postmaster
Recipient: Bugtraq (import) <11257>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0006101044140.4808-100000@bochum.redhat.de>
Date: Sat, 10 Jun 2000 10:45:31 +0200
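Review bot: the guard `if (options.use_login && command != NULL) options.use_login = 0;` narrows what UseLogin means (per the added comment, login(1) is now used only when the login shell is executed), so the sshd_config(5) description of UseLogin should be updated in the same change; administrators who turned the option on expecting login(1) to handle every session will otherwise not know that command sessions bypass it. The hunk is identical in the 1.2.2, 1.2.3 and 2.1.0 patches above, which makes it straightforward to verify across all three.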
From: Bernhard Rosenkraenzer <bero@REDHAT.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
X-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
In-Reply-To: <20000609170629.A4933@folly.informatik.uni-erlangen.de>

On Fri, 9 Jun 2000, Markus Friedl wrote:
> OpenSSH's UseLogin option allows remote access with root privilege.

Updated Red Hat Linux packages are now available at
ftp://ftp.redhat.de/pub/rh-addons/security/current

(5182526) ------------------------------------------

5182585 2000-06-10 22:35 /71 lines/ Postmaster
Recipient: Bugtraq (import) <11258>
Subject: CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH
------------------------------------------------------------
Message-ID: <20000610141156.F3275@conectiva.com.br>
Date: Sat, 10 Jun 2000 14:11:56 -0300
From: Andreas Hasenack <andreas@CONECTIVA.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
X-To: lwn@lwn.net, bos@sekure.org

----------------------------------------------------------------------
                 CONECTIVA LINUX SECURITY ANNOUNCEMENT
----------------------------------------------------------------------

PACKAGE : openssh
SUMMARY : "UseLogin" option allows remote execution of commands as root
DATE    : 2000-06-10
AFFECTED CONECTIVA VERSIONS : 5.0

----------------------------------------------------------------------

DESCRIPTION
 Openssh's default installation doesn't have this problem. If the
 "UseLogin" option is used, then the ssh server won't drop its root
 privileges, instead relying on the login program to do so. But if the
 user specifies a command to be executed during the ssh session, the
 login program won't be used and the program will be run with full
 root privileges.

SOLUTION
 Users with the "UseLogin" option set to "no" in /etc/ssh/sshd_config
 are not vulnerable. If, however, this option is needed, then openssh
 MUST be upgraded IMMEDIATELY.

 Updated packages for openssl are also provided to satisfy openssh's
 dependencies.
DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm

DIRECT LINK TO THE SOURCE PACKAGE
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssh-2.1.1p1-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/openssl-0.9.5a-1cl.src.rpm

----------------------------------------------------------------------
All packages are signed with Conectiva's PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html
----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br

(5182585) ------------------------------------------(Reflowed)

5184791 2000-06-12 08:36 /80 lines/ Postmaster
Recipient: Bugtraq (import) <11266>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
Message-ID: <20000610145425.B14679@babylon5.babcom.com>
Date: Sat, 10 Jun 2000 14:54:25 -0700
From: Phil Stracchino <alaric@BABCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006101044140.4808-100000@bochum.redhat.de>

On Sat, Jun 10, 2000 at 10:45:31AM +0200, Bernhard Rosenkraenzer wrote:
> On Fri, 9 Jun 2000, Markus Friedl wrote:
>
> > OpenSSH's UseLogin option allows remote access with root privilege.
>
> Updated Red Hat Linux packages are now available at
>
> ftp://ftp.redhat.de/pub/rh-addons/security/current

The previously-posted patch is for the OpenBSD version, not the portable
version. The attached patch will update portable version 2.1.0p2 (the
latest on the sites, at least as of last night) to 2.1.1p1.

--
 Linux Now! ..........Because friends don't let friends use Microsoft.
 phil stracchino -- the renaissance man -- mystic zen biker geek
   Vr00m: 2000 Honda CBR929RR -- Cage: 2000 Dodge Intrepid R/T
  Previous vr00mage: 1986 VF500F (sold), 1991 VFR750F3 (foully murdered)

Content-Disposition: attachment; filename="session.c.patch"

*** session.c.orig	Fri May 19 19:49:31 2000
--- session.c	Fri Jun  9 23:45:28 2000
***************
*** 809,814 ****
--- 809,818 ----
  	char *argv[10];
  
  #ifndef USE_PAM /* pam_nologin handles this */
+ 	/* login(1) is only called if we execute the login shell */
+ 	if (options.use_login && command != NULL)
+ 		options.use_login = 0;
+ 
  	f = fopen("/etc/nologin", "r");
  	if (f) {
  		/* /etc/nologin exists.  Print its contents and exit. */

(5184791) ------------------------------------------(Reflowed)

5186925 2000-06-12 19:26 /52 lines/ Postmaster
Recipient: Bugtraq (import) <11269>
Subject: Re: OpenSSH's UseLogin option allows remote access with root privilege.
------------------------------------------------------------
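Review bot: the three added lines in the session.c.patch hunk sit below the `#ifndef USE_PAM /* pam_nologin handles this */` line, so a portable build with USE_PAM defined compiles the guard out and is left exactly as vulnerable as before; move the `if (options.use_login && command != NULL)` block above `#ifndef USE_PAM` so it is compiled unconditionally.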
Message-ID: <20000612115800.A19359@folly.informatik.uni-erlangen.de>
Date: Mon, 12 Jun 2000 11:58:00 +0200
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
X-To: Phil Stracchino <alaric@BABCOM.COM>
In-Reply-To: <20000610145425.B14679@babylon5.babcom.com>

On Sat, Jun 10, 2000 at 02:54:25PM -0700, Phil Stracchino wrote:
> *** session.c.orig	Fri May 19 19:49:31 2000
> --- session.c	Fri Jun  9 23:45:28 2000

This is a bad patch: the check for (options.use_login && command != NULL)
should be compiled into sshd even if USE_PAM is defined. A correct patch
is attached.

Moreover, I got some complaints from people who ship OpenSSH and did not
get notified in advance. We don't know all who ship OpenSSH, so please
tell me at <markus@openssh.com> if you want to get notified in the future.

Content-Disposition: attachment; filename=U1

--- session.c-orig	Mon Jun 12 11:46:32 2000
+++ session.c	Mon Jun 12 11:46:35 2000
@@ -812,6 +812,10 @@
 	struct stat st;
 	char *argv[10];
 
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
 #ifndef USE_PAM /* pam_nologin handles this */
 	f = fopen("/etc/nologin", "r");
 	if (f) {

(5186925) ------------------------------------------
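Review bot: placing the guard above `#ifndef USE_PAM` makes it unconditional, which resolves the problem with the earlier session.c.patch; the remaining point is that `options.use_login = 0;` silently overrides an administrator-set option, so a debug-level log message at that point would let operators see in the sshd log that login(1) was not used for a command session.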
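As an added defender-side check that is not part of this thread or of OpenSSH itself: the script below applies the advisory's two conditions (UseLogin effectively 'yes' and a server version before 2.1.1) to an sshd_config and an OpenSSH version string, honouring sshd_config's first-occurrence-wins rule and ignoring the portable-release 'pN' suffix. The sample configs and version strings are constructed for the example.

```python
import re

# Constructed sample sshd_config files (not taken from the advisory).
WEAK_CONFIG = """\
# login(1) is expected to handle the session, so sshd does not setuid itself
Port 22
UseLogin yes
PermitRootLogin no
"""

FIXED_CONFIG = """\
Port 22
UseLogin no
PermitRootLogin no
"""

FIXED_IN = (2, 1, 1)  # first release carrying the use_login guard

def effective_use_login(config_text):
    """Effective UseLogin value ('yes' or 'no').  sshd_config keywords are
    case-insensitive, written as 'Key value' or 'Key=value', the first
    occurrence wins, lines starting with '#' are comments, default is 'no'."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(\S+)", line)
        if m and m.group(1).lower() == "uselogin":
            return m.group(2).lower()
    return "no"

def parse_openssh_version(banner):
    """(major, minor, patch) from 'OpenSSH_2.1.0p2' or 'OpenSSH-2.1.1';
    the portable-release 'pN' suffix is not part of the upstream version."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("not an OpenSSH version string: %r" % banner)
    return tuple(int(x or 0) for x in m.groups())

def is_vulnerable(banner, config_text):
    """True when UseLogin is on and the server predates the 2.1.1 fix."""
    return (effective_use_login(config_text) == "yes"
            and parse_openssh_version(banner) < FIXED_IN)

if __name__ == "__main__":
    for banner in ("OpenSSH_2.1.0p2", "OpenSSH_2.1.1p1"):
        print(banner, "weak:", is_vulnerable(banner, WEAK_CONFIG),
              "fixed:", is_vulnerable(banner, FIXED_CONFIG))
```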