Bugtraq mailing list archives
OpenSSH's UseLogin option allows remote access with root privilege.
From: markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)
Date: Fri, 9 Jun 2000 17:06:30 +0200
OpenSSH's UseLogin option allows remote access with root privilege. 1. Systems affected: The default installation of OpenSSH is not vulnerable, since UseLogin defaults to 'no'. However, if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are affected. 2. Description: If the UseLogin option is enabled the OpenSSH server (sshd) does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution login(1) cannot be used and sshd fails to set the correct user id. The command is run with the same privilege as sshd (usually with root privilege). 3. Impact: If the administrator enables UseLogin users can get privileged access to the server running sshd. 4. Short Term Solution: Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config: UseLogin no 5. Solution: Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from www.openssh.com. Appendix: 1. OpenSSH-1.2.2 --- sshd.c.orig Thu Jan 20 18:58:39 2000 +++ sshd.c Tue Jun 6 10:12:00 2000 @@ -2231,6 +2231,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 2. OpenSSH-1.2.3 --- sshd.c.orig Mon Mar 6 22:11:17 2000 +++ sshd.c Tue Jun 6 10:14:07 2000 @@ -2250,6 +2250,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 3. OpenSSH-2.1.0 --- session.c.orig Wed May 3 20:03:07 2000 +++ session.c Tue Jun 6 10:10:50 2000 @@ -744,6 +744,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ EOF
Current thread:
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities, (continued)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities xdr (Jun 09)
- format bugs, in addition to the wuftpd bug Lamagra Argamal (Jun 24)
- Re: format bugs, in addition to the wuftpd bug H D Moore (Jun 26)
- iMesh 1.02 vulnerability Blue Panda (Jun 29)
- Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
- Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
- Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
- Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
- IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
- Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
- FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
- RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
- CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
- SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
- Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)