Bugtraq mailing list archives
Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Sat, 2 Oct 1999 18:11:42 +0200
On Thu, 30 Sep 1999, Eric Griffis wrote:
> This race condition was pointed out to me a little while before my message made it to the list, and I am still puzzled as to how one would get the timing right to perform such a manoeuvre...
I am afraid there is no way to "get the timing right" with stat() or lstat(). Unless you make the directory where the things happen immutable for a while---at least for the potential attacker. Perhaps this code in auth_input_request_forwarding() would be safe (with all the checks making sure "." is the right directory):

  chown(".", 0, 0);
  chmod(".", 700);
  lstat(...) etc.
  bind(...) etc.
  chown(".", pw->pw_uid, pw->pw_gid);
> Also, I think the amount of processor time it takes to create a symbolic link is multiple times larger than the amount of time between the return of lstat and actual socket creation, which would require the sshd process to hang temporarily or be seriously slowed down. Is that feasible?
The context switch can happen anytime (unless the process in question is scheduled in some non-preemptive way). The probability of success is small but not zero, and it increases when many attempts are done. On the other hand, the risk may be acceptable if every failed attempt triggers a loud alarm and the odds the attacker can reset the alarm before it is noticed are small.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
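The lock-then-check sequence proposed above (take the directory over, lstat(), bind(), give it back) and the "loud alarm" on a failed check, written out as an added C example that is not from the post or from ssh 1.2.27. It assumes a Linux/POSIX system with fstatat(); the hypothetical bind_in_locked_dir() chowns the directory to the caller's effective uid, which in sshd is root, matching the chown(".", 0, 0) in the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind UNIX socket `name` inside `dir` in the order proposed in the post:
 * take the directory over (chown to ourselves, i.e. root in sshd, and chmod
 * 0700), only then lstat() and bind(), then hand it back to `owner:group`.
 * While we hold it nobody else can plant a symlink between the two calls.
 * Returns the bound fd or -1; an unexpected entry is the "loud alarm" case. */
int bind_in_locked_dir(const char *dir, const char *name, uid_t owner, gid_t group)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct stat st;
    mode_t saved_mode;
    int dfd, sfd = -1;

    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name)
            >= (int)sizeof sa.sun_path)
        return -1;
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    if (fstat(dfd, &st) < 0) { close(dfd); return -1; }
    saved_mode = st.st_mode & 07777;
    /* Lock: from here on only the current effective user can add entries. */
    if (fchown(dfd, geteuid(), getegid()) < 0 || fchmod(dfd, 0700) < 0)
        goto unlock;
    /* The check can no longer be invalidated before bind() runs. */
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 || errno != ENOENT) {
        fprintf(stderr, "ALARM: unexpected entry %s/%s\n", dir, name);
        goto unlock;
    }
    if ((sfd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0 &&
        bind(sfd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(sfd);
        sfd = -1;
    }
unlock:
    /* Give the directory back, as the post's final chown() does. */
    fchmod(dfd, saved_mode);
    fchown(dfd, owner, group);
    close(dfd);
    return sfd;
}
```

The checks that "." is the right directory (ownership of the parent path, no symlink in it) still have to run before this function; locking a directory the attacker can rename or replace gains nothing.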