Date:      Wed, 5 Dec 2001 09:03:18 +0200
From:      titus manea <titus@edc.dnttm.ro>
To:        freebsd-security@FreeBSD.ORG
Subject:   OpenSSH UseLogin problem
Message-ID:  <20011205090318.A7617@unix.edc.dnttm.ro>

---------------------------------------------------------------
II.  Problem Description

OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication.  These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server.  This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.

However, when the OpenSSH server `sshd' is configured to use
the system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges.  Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.


-------------------------------------------------------------------------

ls -l `which login`

-r-sr-xr-x  1 root  wheel  22020 Oct 25 13:06 /usr/bin/login

LD_ env vars like LD_LIBRARY_PATH and such do not work for setuid binaries.
(ld.so man page)
programs. Here is an example (I did it as root).


OK, I moved libmysqlclient.so.10 from its place to my ~ and copied
mysql to ~ too.

[08:52:11] [titus!root]~#./mysql
/usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
[08:52:35] [titus!root]~#export LD_LIBRARY_PATH=/home/titus
[08:52:35] [titus!root]~#./mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 3.23.41

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> Bye
[08:52:49] [titus!root]~#chmod +s mysql
[08:52:54] [titus!root]~#./mysql
/usr/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.10" not found
[08:52:55] [titus!root]~#



-- 

__________________________________________________________________________
 Titus Manea  <titus@2edc.com>       |  Eastern Digital Inc.
         Lab owner                   |   http://2edc.com
                                     |    +40-56-192091
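
An added example, not part of the original message or of the advisory: a small audit for the condition the quoted advisory describes, `UseLogin yes` in sshd_config together with per-key `LD_*` variables in an authorized_keys file. The `environment="NAME=value"` key option is OpenSSH's own syntax; the function names and the sample data are constructed for illustration.

```python
import re

# Matches the authorized_keys key option environment="NAME=value".
ENV_OPT = re.compile(r'environment="((?:[^"\\]|\\.)*)"')

def uselogin_enabled(sshd_config_text):
    """True if any uncommented 'UseLogin yes' line is present (default is no)."""
    for line in sshd_config_text.splitlines():
        fields = line.split('#', 1)[0].replace('=', ' ').split()
        if len(fields) >= 2 and fields[0].lower() == 'uselogin':
            if fields[1].lower() == 'yes':
                return True
    return False

def env_options(authorized_keys_text):
    """Return (line_no, NAME, value) for every environment= option found."""
    found = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        for m in ENV_OPT.finditer(s):
            name, _, value = m.group(1).partition('=')
            found.append((n, name, value))
    return found

def audit(sshd_config_text, authorized_keys_text):
    """Flag LD_* variables set per key; HIGH when login(1) would receive them."""
    use_login = uselogin_enabled(sshd_config_text)
    findings = []
    for n, name, value in env_options(authorized_keys_text):
        # Assumption: every LD_* name is treated as loader-controlling.
        if name.upper().startswith('LD_'):
            findings.append(('HIGH' if use_login else 'INFO', n, name, value))
    return findings

# Constructed sample input (key material is a placeholder, not a real key).
SAMPLE_SSHD_CONFIG = "Port 22\n# UseLogin no\nUseLogin yes\n"
SAMPLE_AUTHORIZED_KEYS = (
    '# constructed sample\n'
    'environment="LANG=C" ssh-rsa AAAAB3placeholder user@host\n'
    'no-pty,environment="LD_LIBRARY_PATH=/home/titus" ssh-rsa AAAAB3placeholder user@host\n'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```
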
