Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

[egriffis () COMMONTECH COM (Eric Griffis)]

This race condition was pointed out to me a little while before my message
made it to the list, and I am still puzzled as to how one would get the
timing right to perform such a maneuvre. Is there a way to somehow detect
that there's been an lstat performed without being superuser?

Also, I think the amount of processor time it takes to create a symbolic
link is multiple times larger than the amount of time between the return of
lstat and actual socket creation, which would require the sshd process to
hang temporarily or be seriously slowed down. Is that feasible?

How would these things be done, or is there something I missed? I'm very
familiar with C and the unix environment, but the security-related aspects
still puzzle me somewhat. Even though this isn't the most critical security
issue, I appreciate any feedback.

Okay, I see a few other messages about popen, permissions and such... At the
moment, I believe disabling remote agent services entirely is the only sure
way to remedy the whole issue, which will require password authentication.
And sshd needs to be run as root to perform authentication. I don't think
there's an easy way around that one.

-Eric