Date: Wed, 29 Sep 1999 06:52:24 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: freebsd-security@freebsd.org Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Message-ID: <199909291352.GAA31310@cwsys.cwsent.com>
next in thread | raw e-mail | index | archive | help
Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
also "vulnerable" to bind(2) following synlinks during UNIX Domain
Socket creation. My question is: Is this an application bug, e.g. not
checking for a symlink prior to creating the socket, or would this be
an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
Domain Sockets?
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"
------- Forwarded Message
[Some header lines deleted]
Date: Mon, 27 Sep 1999 11:35:44 -0400
Reply-To: Dan Astoorian <djast@CS.TORONTO.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Dan Astoorian <djast@CS.TORONTO.EDU>
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
X-To: Marc SPARC <marc@MUCOM.CO.IL>
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 23 Sep 1999 22:53:16 EDT."
<37EAE79C.AB730A71@mucom.co.il>
Resent-To: cy
Resent-Date: Mon, 27 Sep 1999 13:19:02 -0700
Resent-From: Cy Schubert <cschuber@uumail.gov.bc.ca>
- -------_NextPart_10190
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
I'm surprised that nothing further has been reported to Bugtraq about
this, but the problem appears to be that under Linux, a bind() to a
Unix-domain socket will follow a dangling symlink, whereas most other
Unixes appear to return an EADDRINUSE error.
I leave it to the standards lawyers to determine whether the failing is
in the operating system for allowing the bind() to succeed, or in SSH
for not testing whether the link exists. My vote goes to the OS being
at fault, since it's easy enough for it to avoid following the link (and
no real practical reason why it *should* follow the link).
A trivial demo program that demonstrates the problem is attached. (It
needs no special privileges; run it as an unprivileged user in any
writable directory.) The program reports "okay" under Solaris 2.5.1 and
IRIX 6.5.2, "vulnerable" under RedHat 6.
- -- People shouldn't think that it's better
to have
Dan Astoorian loved and lost than never loved at all.
It's
Sysadmin, CS Lab not, it's better to have loved and won. All
djast@cs.toronto.edu the other options really suck. --Dan
Redican
- -------_NextPart_10190
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#define FPATH "./bindlinktest"
#define LPATH "./bindlinktest0"
int main(int argc, char **argv) {
int fd;
struct sockaddr_un sunaddr;
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd < 0) { perror("socket");exit(1); };
unlink(FPATH);
if (symlink(FPATH, LPATH) < 0) {
perror("symlink");exit(1);
}
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
strncpy(sunaddr.sun_path, LPATH, sizeof(sunaddr.sun_path));
if (bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
if (errno == EADDRINUSE) {
printf("bind() returned EADDRINUSE; this system appears to be
okay.\n");
} else {
perror("bind");
}
} else {
printf("bind() succeeded; this system appears to be vulnerable.\n");
}
close(fd)
unlink(FPATH);
unlink(LPATH);
exit(0);
}
------- End of Forwarded Message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909291352.GAA31310>