Bugtraq mailing list archives

Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]


From: syl () ALCOR CONCORDIA CA (Sylvain Robitaille)
Date: Mon, 4 Oct 1999 12:36:59 -0400


Chris Keane wrote:

> Surely this still isn't ideal, though?  It now won't overwrite root-owned
> files, so the security hazard isn't there, but anyone on the system can
> still fool a user into overwriting one of his own files, which is not
> great.

No. The code in newchannels.c checks to make sure that the directory
where the socket is about to be created is owned by the user, and
readable/writable only to this user. A user could create a symbolic
link that points to some file in a directory they already have write
permission to, but that's no big feat. (Existing files aren't
overwritten by bind() either, even when symlinks are followed. If the
symlink target exists, bind() returns "address in use". At least that's
the case on Digital Unix.)

Jeff's patch implements an approach that Dan Astoorian suggested to me
off the list, and we both agree it is a reasonable approach.

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl () alcor concordia ca

Systems Manager                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------


