Bugtraq mailing list archives
Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
From: djast () CS TORONTO EDU (Dan Astoorian)
Date: Thu, 30 Sep 1999 15:06:12 -0400
[To Aleph1: please kill my previous reply to Eric Griffis's patch; it contains mostly the same content as my reply to Sylvain Robitaille's patch, which I'd assumed you'd rejected.]

Eric Griffis's patch suffers from the same race condition as Sylvain Robitaille's: the link could be created between the lstat() and the bind(). It's better than nothing, but it doesn't get rid of the whole problem.

As I said before, I haven't done any testing, so I don't know if this would a) work, or b) be effective against the flaw, but: has anyone considered an approach like adding this sort of code:

    if (setregid(-1, pw->pw_gid) < 0 || setreuid(-1, pw->pw_uid) < 0) {
        ... /*error*/
    }

before the bind() call, and:

    if (setreuid(-1, 0) < 0) {
        ... /*error*/
    };

after?

(In case it's not clear, what I'm trying to do is assume the user's uid/gid for the duration of the bind(), and reacquire root privs afterwards.)

--
People shouldn't think that it's better to have loved and lost than never loved at all. It's not, it's better to have loved and won. All the other options really suck. --Dan Redican

Dan Astoorian
Sysadmin, CS Lab
djast () cs toronto edu
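The approach proposed in the message above, written out as an added example (not code from the original post or from ssh): the bind() runs with the user's effective uid/gid, so the kernel applies the user's permissions to the path, and the previous ids are restored afterwards. The helper name bind_as_user and its parameters are hypothetical, and the fail-closed _exit() on a failed restore is this example's choice.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: bind a Unix-domain socket at `path` with effective
 * ids uid/gid, then restore the previous effective ids.
 * Returns the bound fd, or -1 with errno set. */
int bind_as_user(const char *path, uid_t uid, gid_t gid)
{
    struct sockaddr_un sa;
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    int fd, rc, saved_errno;

    if (strlen(path) >= sizeof(sa.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    /* Group first: once the effective uid is no longer 0 the process
     * may not be allowed to change its group. */
    if (setregid(-1, gid) < 0 || setreuid(-1, uid) < 0) {
        saved_errno = errno;
        rc = -1;
    } else {
        rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
        saved_errno = errno;
    }
    /* Reacquire the previous ids, uid first so the gid change is allowed.
     * If that fails the privilege state is unknown, so stop here. */
    if (setreuid(-1, old_euid) < 0 || setregid(-1, old_egid) < 0) {
        close(fd);
        _exit(1);
    }
    if (rc < 0) {
        close(fd);
        errno = saved_errno;
        return -1;
    }
    return fd;
}
```

These calls leave the supplementary group list untouched, so a caller that has not already set the user's groups still carries its own during the bind().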