Bugtraq mailing list archives

Re: [Fwd: Truth about ssh 1.2.27 vulnerability]


From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Sat, 2 Oct 1999 18:11:42 +0200


On Thu, 30 Sep 1999, Eric Griffis wrote:

> This race condition was pointed out to me a little while before my message
> made it to the list, and I am still puzzled as to how one would get the
> timing right to perform such a maneuver...

I am afraid there is no way to "get the timing right" with stat() or
lstat(). Unless you make the directory where the things happen immutable
for a while---at least for the potential attacker. Perhaps this code in
auth_input_request_forwarding() would be safe (with all the checks making
sure "." is the right directory):

   chown(".", 0, 0);
   chmod(".", 700);
   lstat(...) etc.
   bind(...) etc.
   chown(".", pw->pw_uid, pw->pw_gid);

> Also, I think the amount of processor time it takes to create a symbolic
> link is multiple times larger than the amount of time between the return of
> lstat and actual socket creation, which would require the sshd process to
> hang temporarily or be seriously slowed down. Is that feasible?

The context switch can happen anytime (unless the process in question is
scheduled in some non-preemptive way). The probability of success is small
but not zero, and it increases when many attempts are done. On the other
hand, the risk may be acceptable if every failed attempt triggers a loud
alarm and the odds the attacker can reset the alarm before it is noticed
are small.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
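As an added example (not from this post and not ssh's own code), the sequence Pavel sketches written out as a C function: lock "." to one owner with mode 0700, run the lstat() checks, bind() the socket, then hand "." back. The names bind_in_locked_dir and demo are made up here, and demo uses the caller's own uid in place of root so it runs unprivileged.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Bind UNIX socket `name` in "." while "." is held by lock_uid/lock_gid with
 * mode 0700 (nobody else can add an entry between lstat() and bind()), then
 * hand "." back to user_uid/user_gid. Returns the fd, or -1 with errno set. */
int bind_in_locked_dir(const char *name, uid_t lock_uid, gid_t lock_gid,
                       uid_t user_uid, gid_t user_gid)
{
    struct stat st;
    struct sockaddr_un addr;
    int fd = -1, saved;
    /* 1. Lock: only the lock owner may create entries in "." from here on. */
    if (chown(".", lock_uid, lock_gid) < 0 || chmod(".", 0700) < 0)
        return -1;
    /* 2. Confirm "." really is a directory with the expected owner and mode. */
    if (lstat(".", &st) < 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != lock_uid || (st.st_mode & 07777) != 0700)
        { errno = EACCES; goto out; }
    /* 3. The name must not exist at all; lstat() also catches a symlink. */
    if (lstat(name, &st) == 0 || errno != ENOENT) { errno = EEXIST; goto out; }
    /* 4. Create the socket node; bind() refuses any pre-existing path. */
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, name, sizeof addr.sun_path - 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0 &&
        bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        fd = -1;
    }
out:
    /* 5. Unlock: give "." back to the user, preserving errno from above. */
    saved = errno;
    chown(".", user_uid, user_gid);
    errno = saved;
    return fd;
}
/* Unprivileged demo in a constructed scratch dir: first bind succeeds, a
 * second bind of the same name is refused. Returns 1 on that outcome. */
int demo(void)
{
    char dir[] = "/tmp/lockdir-XXXXXX";                /* constructed */
    uid_t u = getuid(); gid_t g = getgid(); int fd;    /* u stands in for root */
    if (mkdtemp(dir) == NULL || chdir(dir) < 0) return 0;
    if ((fd = bind_in_locked_dir("agent.sock", u, g, u, g)) < 0) return 0;
    close(fd);
    return bind_in_locked_dir("agent.sock", u, g, u, g) == -1 && errno == EEXIST;
}
```

In sshd the lock owner would be uid 0 and the hand-back target pw->pw_uid, so the user cannot plant a symlink in the directory during the window, which is the point of Pavel's sketch.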

