Date: Fri, 09 Jun 2000 22:47:38 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: freebsd-security@freebsd.org
Cc: security-officer@freebsd.org
Subject: OpenSSH's UseLogin option allows remote access with root privilege. (fwd)
Message-ID: <200006100547.e5A5lt931850@cwsys.cwsent.com>

This is probably important enough to be posted here too.

Regards,
Cy Schubert
Team Leader, Sun/DEC Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

------- Forwarded Message

Message-ID: <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Date: Fri, 9 Jun 2000 17:06:30 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Subject: OpenSSH's UseLogin option allows remote access with root privilege.
X-To: misc@openbsd.org, openssh-unix-dev@mindrot.org
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Fri, 09 Jun 2000 21:17:46 -0700
Resent-From: Cy Schubert <cschuber@osg.gov.bc.ca>

OpenSSH's UseLogin option allows remote access with root privilege.

1. Systems affected:

   The default installation of OpenSSH is not vulnerable, since UseLogin defaults to 'no'. However, if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are affected.

2. Description:

   If the UseLogin option is enabled the OpenSSH server (sshd) does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution login(1) cannot be used and sshd fails to set the correct user id. The command is run with the same privilege as sshd (usually with root privilege).

3. Impact:

   If the administrator enables UseLogin users can get privileged access to the server running sshd.

4. Short Term Solution:

   Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config:

       UseLogin no

5. Solution:

   Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from www.openssh.com.

Appendix:

1. OpenSSH-1.2.2 - --- sshd.c.orig Thu Jan 20 18:58:39 2000 +++ sshd.c Tue Jun 6 10:12:00 2000 @@ -2231,6 +2231,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 2. OpenSSH-1.2.3 - --- sshd.c.orig Mon Mar 6 22:11:17 2000 +++ sshd.c Tue Jun 6 10:14:07 2000
@@ -2250,6 +2250,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 3. OpenSSH-2.1.0 - --- session.c.orig Wed May 3 20:03:07 2000 +++ session.c Tue Jun 6 10:10:50 2000 @@ -744,6 +744,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */

EOF

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
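
Review bot: In the OpenSSH-1.2.2 sshd.c hunk (@@ -2231), the new `options.use_login = 0;` overwrites the server-wide option instead of recording a per-session decision. Suggest a local flag set from `options.use_login && command == NULL` and tested in the rest of the function, so the configured value stays intact and the rule (login(1) only for the login shell) is explicit wherever it is used.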
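
Review bot: In the OpenSSH-1.2.3 sshd.c hunk (@@ -2250), the override of the administrator's UseLogin setting is silent, and the added comment states the rule but not the reason for it. Suggest logging a debug message when `command != NULL` forces use_login off, and extending the comment to say that login(1) cannot be used for a remote command, so sshd itself has to set the user id on that path.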
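
Review bot: In the OpenSSH-2.1.0 session.c hunk (@@ -744), the check is effective only while it stays ahead of every later test of `options.use_login` in this function, and nothing in the added lines verifies the outcome. Suggest a fail-closed check just before the command is executed that the process is running with the target user's uid, exiting otherwise, so a later reordering cannot bring back a command that runs with sshd's privilege.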
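
The short-term solution in the advisory above (keeping `UseLogin no` in /etc/sshd_config) can be checked mechanically. The following is an added example, not part of the original message or of OpenSSH; the function names and the sample file are constructed, and the parsing rules are assumptions listed in the comments.

```shell
#!/bin/sh
# Added example: report the effective UseLogin value in an sshd_config file.
# Assumptions (not from the advisory): keywords are case-insensitive, "#"
# starts a comment, keyword and value are separated by blanks or "=", and
# the first value given for a keyword is the one sshd uses.

uselogin_effective() {
    # $1: path to sshd_config. Prints "yes" or "no"; unset means "no",
    # the default the advisory states.
    awk '
        { sub(/#.*/, "") }              # drop comments
        NF == 0 { next }                # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)  # end of keyword
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = tolower(substr(line, n + RLENGTH))
            sub(/[ \t]+$/, "", val)
            if (key == "uselogin" && !seen) { seen = 1; result = val }
        }
        END { print (seen ? result : "no") }
    ' "$1"
}

audit_sshd_config() {
    # Returns 0 when UseLogin is off, 1 when it is enabled.
    if [ "$(uselogin_effective "$1")" = "yes" ]; then
        echo "WARN: $1 enables UseLogin; set 'UseLogin no' or upgrade to OpenSSH 2.1.1"
        return 1
    fi
    echo "OK: $1 does not enable UseLogin"
    return 0
}

# Constructed sample config: the first UseLogin line is the effective one.
sample=$(mktemp)
printf 'Port 22\n# UseLogin no\nUseLogin yes\nUseLogin no\n' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```
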