Bugtraq mailing list archives
Re: Glibc Local Root Exploit
From: Gordon Messmer <yinyang () EBURG COM>
Date: Wed, 10 Jan 2001 14:35:47 -0800
ssh is installed SUID root so that you can use RHOSTS authentication. Like rlogin and rsh, rhosts authentication only succeeds if the remote connection was opened on a privileged port, that is, under 1024 (the protocols may be more specific than that).

The theory is that if a remote machine connects to the server, _and_ that machine is listed as a trusted host, _and_ the connection originated on a privileged port, then the server can accept a connection given only a username because: the program opening the connection must be either run by root, or a SUID application. If it's SUID, then it's the system rlogin or rsh or ssh binary; users can't make SUID root binaries. If it's the system binary, then it will only give the username of the person that ran the program, so they can't "lie" about their identity.

As bad as rhosts style authentication is, it's still used in a lot of places.

As long as you aren't using RHOSTS style authentication, then ssh should continue to work in the default configuration. I'm not sure there is such a recourse for rlogin or rsh. In any case, removing SUID from ssh isn't a good fix, since any other SUID root application that resolves hostnames will still be affected (like rsh or rlogin ;)

On Wed, 10 Jan 2001, Pedro Margate wrote:
The implementations of ssh that I'm familiar with (ssh and OpenSSH) install the ssh binary as suid root by default. This can be disabled during configuration or after the fact with chmod. I believe that would prevent this exploit from operating. I've turned off the suid bit on every ssh installation I've performed and it seems to work the same. I'm not sure what reason ssh has to be suid root, nobody I've asked has any idea.
-- If I had a dollar for every brain that you don't have, I'd have one dollar. - Squidward to SpongeBob
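
A defender-side check for the point made in this message, as an added example that is not part of the original post: it reports whether a setuid ssh client is still needed for rhosts-style authentication, and lists the setuid files left in a directory. The option names are OpenSSH client options of that period; the sample config and the function names are constructed for illustration.

```python
import os
import stat

# OpenSSH client options of that period tied to rhosts-style authentication.
RHOSTS_OPTIONS = {"rhostsauthentication", "rhostsrsaauthentication",
                  "useprivilegedport"}

# Constructed sample ssh_config, not taken from a real host.
SAMPLE_CONFIG = """\
# client defaults
Host *
    RhostsAuthentication no
    RhostsRSAAuthentication=yes
    UsePrivilegedPort yes
"""

def enabled_rhosts_options(config_text):
    """Return the rhosts-style options set to 'yes' (lowercased, sorted)."""
    found = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Key value" and "Key=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() in RHOSTS_OPTIONS \
                and parts[1].strip().lower() == "yes":
            found.add(parts[0].lower())
    return sorted(found)

def has_setuid_bit(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)

def ssh_setuid_status(ssh_path, config_text):
    """Say whether the setuid bit on the ssh client is still in use."""
    if not has_setuid_bit(ssh_path):
        return "not setuid"
    needed = enabled_rhosts_options(config_text)
    if needed:
        return "setuid, needed by: " + ", ".join(needed)
    return "setuid, rhosts-style auth unused: candidate for chmod u-s"

def setuid_files(directory):
    """List setuid files in one directory: what remains after ssh is fixed."""
    return [os.path.join(directory, n) for n in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, n))
            and has_setuid_bit(os.path.join(directory, n))]
```

Calling `setuid_files` on the system binary directories after clearing the bit on ssh shows the other setuid programs, such as rsh and rlogin, that the message says are still affected.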