Bugtraq mailing list archives
Re: Fix for ssh-1.2.27 symlink/bind problem
From: markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)
Date: Tue, 26 Oct 1999 00:19:02 +0200
On Wed, Oct 06, 1999 at 11:11:12AM -0400, Wietse Venema wrote:
> This is the second SSH vulnerability involving bind() (the other one involves port forwarding). They really ought to learn to perform operations with the right privilege level. With a little tooling (such as set_eugid()) it is quite easy.
please note, that ssh dropped support for uid-swapping beginning with version 1.2.13: in order to avoid leakage of the private hostkey (e.g. in core-dumps) when running suid-root, ssh now forks into 2 processes:

(1) the main process is running setuid root and controls:
(2) the 'userfile' process, which runs with the id of the user and accesses his files (e.g. over NFS)

i think it is the wrong decision to make 'privileged' the standard and 'non-privileged' the special case.

please note also, that the two free versions of ssh, ossh by Bjoern Groenvall <bg () sics se> and OpenSSH from the OpenBSD-project, do _not_ exhibit this behaviour, since they are derived from ssh-1.2.12, the last version of the original ssh, free for commercial use.