Date: Wed, 5 Dec 2001 09:03:18 +0200
From: titus manea <titus@edc.dnttm.ro>
To: freebsd-security@FreeBSD.ORG
Subject: OpenSSH UseLogin problem
Message-ID: <20011205090318.A7617@unix.edc.dnttm.ro>

---------------------------------------------------------------
II. Problem Description

OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication. These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server. This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.

However, when the OpenSSH server `sshd' is configured to use the
system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges. Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.
-------------------------------------------------------------------------

ls -l `which login`
-r-sr-xr-x 1 root wheel 22020 Oct 25 13:06 /usr/bin/login

LD_ env vars like LD_LIBRARY_PATH and such do not work for setuid binaries. (ld.so man page) programs. Here is an example (I did it as root).

OK, I moved libmysqlclient.so.10 from its place to my ~ and copied
mysql to ~ too.

[08:52:11] [titus!root]~#./mysql
/usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
[08:52:19] [titus!root]~#export LD_LIBRARY_PATH=/home/titus
[08:52:35] [titus!root]~#./mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 3.23.41

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> Bye
[08:52:49] [titus!root]~#chmod +s mysql
[08:52:54] [titus!root]~#./mysql
/usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
[08:52:55] [titus!root]~#

-- 
__________________________________________________________________________
Titus Manea <titus@2edc.com> | Eastern Digital Inc.
Lab owner | http://2edc.com | +40-56-192091
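
Added example (not part of the original message, the advisory, or OpenSSH): a Python check for the combination the quoted advisory describes, `UseLogin yes' in sshd_config together with an environment= option in authorized_keys that sets an LD_* variable. The function names, sample configuration and placeholder key lines are constructed for illustration.

```python
import re
RISKY = re.compile(r"^LD_[A-Z0-9_]*$")                # LD_LIBRARY_PATH, LD_PRELOAD, ...
KEY_START = re.compile(r"^(\d+|ssh-\S+|ecdsa-\S+)$")  # SSHv1 bit count or a key type

def use_login_enabled(sshd_config_text):
    for line in sshd_config_text.splitlines():        # first occurrence of a keyword wins
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "uselogin":
            return parts[1].lower() == "yes"
    return False                                      # sshd default is "no"

def split_options(line):
    # Split the leading option list on commas that are outside double quotes.
    if not line or line[0] == "#" or KEY_START.match(line.split(None, 1)[0]):
        return []                  # blank, comment, or the line starts with the key
    opts, cur, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_q and c == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1                 # escaped quote inside a value
        elif c == '"':
            in_q = not in_q
        elif c == "," and not in_q:
            opts, cur = opts + [cur], ""
        elif c.isspace() and not in_q:
            break                                     # end of the option field
        else:
            cur += c
        i += 1
    return opts + [cur]

def audit(sshd_config_text, authorized_keys_text):
    hits = []    # (line number, variable) for each environment= option setting LD_*
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        for opt in split_options(line.strip()):
            name, _, value = opt.partition("=")
            var = value.partition("=")[0]
            if name.lower() == "environment" and RISKY.match(var):
                hits.append((n, var))
    use_login = use_login_enabled(sshd_config_text)
    return {"use_login": use_login, "ld_vars": hits, "exposed": use_login and bool(hits)}

SSHD_CONFIG = "Port 22\nUseLogin yes\n"               # constructed sample input
AUTHORIZED_KEYS = '''# constructed sample, placeholder key material
ssh-rsa AAAAplaceholder user@host
environment="LD_PRELOAD=/placeholder/lib.so",no-pty ssh-rsa AAAAplaceholder k2
from="10.0.0.1,10.0.0.2",environment="EDITOR=vi" 1024 35 1234567 k3
'''
print(audit(SSHD_CONFIG, AUTHORIZED_KEYS))
```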