Bugtraq mailing list archives

Re: Fix for ssh-1.2.27 symlink/bind problem


From: markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)
Date: Tue, 26 Oct 1999 00:19:02 +0200


On Wed, Oct 06, 1999 at 11:11:12AM -0400, Wietse Venema wrote:
> This is the second SSH vulnerability involving bind() (the other
> one involves port forwarding). They really ought to learn to perform
> operations with the right privilege level.
>
> With a little tooling (such as set_eugid()) it is quite easy.

please note that ssh dropped support for uid-swapping beginning
with version 1.2.13:
in order to avoid leakage of the private hostkey (e.g. in core-dumps)
when running suid-root, ssh now forks into 2 processes:
        (1) the main process is running setuid root and controls:
        (2) the 'userfile' process, which runs with the id of the user and
        accesses his files (e.g. over NFS)

i think it is the wrong decision to make 'privileged' the standard
and 'non-privileged' the special case.

please note also that the two free versions of ssh, ossh by
Bjoern Groenvall <bg () sics se> and OpenSSH from the OpenBSD-project,
do _not_ exhibit this behaviour, since they are derived from ssh-1.2.12,
the last version of the original ssh, free for commercial use.

