Bugtraq mailing list archives
Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
From: egriffis () COMMONTECH COM (Eric Griffis)
Date: Tue, 28 Sep 1999 18:31:16 -0700
Hello, All:

First-time post, but I think it's well worth it. Since nobody has directly posted an implementable resolution, I'm sending 2 simple patches to repair the newchannels.c and ssh-agent.c files, which are responsible for writing to the symlink on vulnerable systems. I agree that this is definitely more of a system issue and all, but the fix to ssh is a real simple one (which raises the question 'why didn't SSH Comm. just fix it?'), and I haven't looked at kernel source since 0.something.

So, here's what they do: About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c (ssh-agent1) do an lstat on the socket filename and fail auth forwarding (with a syslogged error) if a symbolic link is found.

I have no idea how ethical/legal/moral/whatever posting these patches is, but I figure it's better than enduring denial-of-service, and I did search high and low for any sort of warnings not to. If I've done anything inappropriate here, please let me know.

Eric Griffis
egriffis () commontech com

P.S. Real simple install for these. Regular old diff patches. Just cd into the ssh-1.2.27 source directory and type:

patch < /path/to/patch-file

Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over your current sshd1 and ssh-agent1 files.

-----Original Message-----
From: Solar Designer <solar () FALSE COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Tuesday, September 28, 1999 1:41 PM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
Hi,

This is from a post I made to BugTraq on September 17, entitled "A few bugs...". If you're running Linux, it appears kernels pre 2.1 will not be affected by this bug as they do not follow symlinks when creating UNIX domain sockets (Solar Designer pointed this out after trying the exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there I'm generalizing).

The same applies to mknod(2), which follows dangling symlinks on Linux 2.2, but doesn't on 2.0. I've changed the code not to follow such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.

As I am posting this anyway, -- other changes to the -ow patch for 2.2 since I've announced it here include the real exit_signal fix, and the TCP sequence number fix I took from 2.2.13pre14. (Speaking of the latter, it's funny how most of the randomness went into the wrong place on the stack, and probably remained unnoticed because of the fairly large and unused at the time "struct tcp_opt". 2.0 isn't vulnerable. Yet another reason to continue running 2.0.38.)

Signed,
Solar Designer
Attachments:
- patch-newchannels.c-ssh-1.2.27 (application/octet-stream)
- patch-ssh-agent.c-ssh-1.2.27 (application/octet-stream)
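The check Eric describes (lstat the socket name and refuse if it is a symbolic link), written out as an added C example for this archive page; it is not taken from the attached patches, and the function name and the choice of errno values are mine:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Create and bind a UNIX-domain listening socket at `path`, but refuse if the
 * name already exists, and in particular if it is a symbolic link. lstat()
 * does not follow links, so a link planted at a predictable name is detected
 * instead of letting bind(2) (which followed dangling links on Linux 2.2)
 * create the socket wherever the link points. Returns the fd, or -1 with
 * errno set (ELOOP for a symlink, EEXIST for any other existing object). */
int bind_unix_socket_nolink(const char *path)
{
    struct sockaddr_un sa;
    struct stat st;
    int fd, saved;

    if (strlen(path) >= sizeof(sa.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (lstat(path, &st) == 0) {
        /* The posted patch logs via syslog and disables agent forwarding
         * at this point; here the condition is just reported to the caller. */
        errno = S_ISLNK(st.st_mode) ? ELOOP : EEXIST;
        return -1;
    }
    if (errno != ENOENT)
        return -1;          /* lstat failed for some other reason */

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}
```

lstat() followed by bind() still leaves a check-then-use window, so the user-space patch narrows the hole rather than closing it; the durable mitigations are the kernel-side change (bind(2) not following symlinks, as in 2.2.12-ow6) and creating the socket inside a freshly made, mode-0700 directory owned by the daemon's user.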