Bugtraq mailing list archives

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Mon, 2 Nov 1998 20:10:02 +0100


On Sun, 6 Sep 1998, Michal Zalewski wrote:

Maybe some sshd 1.x/2.0 stupidities:
------------------------------------

Unprivledged luser could create symlink in ~/.ssh (or ~/.sshd) to
virtually any file - root's ~/.ssh entries, /dev/urandom or anything else.
Sshd, during login attempt, but before any authorization, will happily
read these files, ignoring ownership (yep, it's running at UID 0). Could
be dangerous, could be not. But even if not, still allows some interesting
DoSes from privledged UID.


sshd (at least the late versions of 1.2) invokes an extra process
assuming the right privs to read these files. Have you actually tried
this?

machine1:~/.ssh $ ls -lL
...
-r--------   1 root     sys         9393 Nov  2 17:21 authorized_keys

machine2:~ $ slogin -v machine1
...
machine1: Remote: Could not open /home/xxxx/.ssh/authorized_keys for reading.
...

Credits to some inhabitant of comp.security.ssh.

Linux kernel: execve & non-readable executables
-----------------------------------------------

Days ago - discussion about dumping executable-only processes using
linker tricks. Don't force open doors. This process, just like any
other, has 'dumpable' flag set to 1, and it could be ptraced (and
coure could be dumped). Of course, it SHOULD be threated just like
setuid process. Solution: http://dione.ids.pl/~lcamtuf/pliki/noreadx.c


<quote1>
  int init_module(void) {
    access=sys_call_table[__NR_access];
    while (sys_call_table[__NR_myexecve--]);
    sys_call_table[__NR_myexecve]=sys_call_table[__NR_execve];
    sys_call_table[__NR_execve]=_new_execve;
    return 0;
  }
</quote1>

Hmm, hmm... is this supposed to be a protection against lusers or
against lamers? Anyone can use the simple trial-and-error approach to find
the old syscall and invoke it, avoiding any extra checks the module does.

<quote2>
  NOTE: This fix has nothing to do with linker problems
        reported recently on BUGTRAQ.
</quote2>

Any patch of this kind is useless unless 1. the dynamic linker is fixed,
2. all unreadable binaries are statically linked.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."

Current thread:

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Wietse Venema (Oct 30)
- Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Alan Cox (Nov 03)
- <Possible follow-ups>
- Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Pavel Kankovsky (Nov 02)
- Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Wietse Venema (Nov 09)