Bugtraq mailing list archives

Re: [Fwd: Truth about ssh 1.2.27 vulnerability]


From: egriffis () COMMONTECH COM (Eric Griffis)
Date: Tue, 28 Sep 1999 18:31:16 -0700


Hello, All:

First-time post, but I think it's well worth it. Since nobody has directly
posted an implementable resolution, I'm sending 2 simple patches to repair
the newchannels.c and ssh-agent.c files, which are responsible for writing
to the symlink on vulnerable systems. I agree that this is definitely more
of a system issue and all, but the fix to ssh is a real simple one (which
raises the question 'why didn't SSH Comm. just fix it?'), and I haven't
looked at kernel source since 0.something. So, here's what they do:

About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c
(ssh-agent1) do an lstat on the socket filename and fail auth forwarding
(with a syslogged error) if a symbolic link is found.

I have no idea how ethical/legal/moral/whatever posting these patches is,
but I figure it's better than enduring denial-of-service, and I did search
high and low for any sort of warnings not to. If I've done anything
inappropriate here, please let me know.

Eric Griffis
egriffis () commontech com

P.S. Real simple install for these. Regular old diff patches. Just cd into
the ssh-1.2.27 source directory and type:

patch < /path/to/patch-file

Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over
your current sshd1 and ssh-agent1 files.

-----Original Message-----
From: Solar Designer <solar () FALSE COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Tuesday, September 28, 1999 1:41 PM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

Hi,

This is from a post I made to BugTraq on September 17, entitled
"A few bugs...".  If you're running Linux, it appears kernels pre 2.1 will
not be affected by this bug as they do not follow symlinks when creating
UNIX domain sockets (Solar Designer pointed this out after trying the
exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
I'm generalizing).

The same applies to mknod(2), which follows dangling symlinks on
Linux 2.2, but doesn't on 2.0.  I've changed the code not to follow
such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.

As I am posting this anyway, -- other changes to the -ow patch for
2.2 since I've announced it here include the real exit_signal fix,
and the TCP sequence number fix I took from 2.2.13pre14.  (Speaking
of the latter, it's funny how most of the randomness went into the
wrong place on the stack, and probably remained unnoticed because of
the fairly large and unused at the time "struct tcp_opt".  2.0 isn't
vulnerable.  Yet another reason to continue running 2.0.38.)

Signed,
Solar Designer

Attachments (application/octet-stream): patch-newchannels.c-ssh-1.2.27,
patch-ssh-agent.c-ssh-1.2.27
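The lstat() check Eric describes (refuse to create the agent socket when a symbolic link already sits at its path), written out as an added example of the pattern. This is not the code from the attached patches; the function names and the /tmp self-check are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 = path is a symlink (refuse it), 0 = absent or not a link, -1 = lstat() error. */
int socket_path_is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return errno == ENOENT ? 0 : -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Bind a UNIX-domain socket at path only if lstat() sees no symlink there; fd or -1. */
int bind_agent_socket_nofollow(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd;
    if (socket_path_is_symlink(path) != 0 || strlen(path) >= sizeof(sa.sun_path))
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) return -1;
    strcpy(sa.sun_path, path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        return fd;
    close(fd);
    return -1;
}

/* Self-check on constructed input: a dangling symlink is refused, a fresh path binds; 1 = ok. */
int demo_refuse_symlink_socket(void)
{
    char dir[] = "/tmp/agentXXXXXX", link_path[64], plain_path[64];
    int fd = -1, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link_path, sizeof link_path, "%s/agent.link", dir);
    snprintf(plain_path, sizeof plain_path, "%s/agent.sock", dir);
    if (symlink("/nonexistent/target", link_path) == 0) {
        fd = bind_agent_socket_nofollow(plain_path);
        ok = bind_agent_socket_nofollow(link_path) == -1 && fd >= 0;
    }
    if (fd >= 0) close(fd);
    unlink(link_path); unlink(plain_path); rmdir(dir);
    return ok;
}
```

Like the posted patches, this is a check-then-bind sequence, so a link planted between the lstat() and the bind() is still followed on a kernel that follows symlinks for bind(2). The kernel-side change Solar Designer describes for 2.2.12-ow6 (bind(2) and mknod(2) no longer following dangling symlinks) is what closes that window.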