Bugtraq mailing list archives
Re: SSH allows deletion of other users files...
From: Dan Astoorian <djast () cs toronto edu>
Date: Mon, 4 Jun 2001 17:11:34 -0400
On Mon, 04 Jun 2001 12:08:26 EDT, Jason DiCioccio writes:
Also: SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321 -- That comes with FreeBSD 4.3-STABLE is not vulnerable at first glance. It does not appear to use /tmp files as yours does and therefore is not vulnerable.
My testing indicates that OpenSSH 2.3.0p1 *is* vulnerable if X11 forwarding is permitted. However, the /tmp/ssh-*/cookie file is not created/removed unless X11 forwarding is enabled for the connection. Note that some vendors ship OpenSSH with X11 forwarding disabled by default *in the client*, which may be why you did not observe the problem on FreeBSD. Be sure to use the "-X" option to ssh to enable X11 forwarding in the client, and make sure you're testing from a client where $DISPLAY is pointing at an X server. The $XAUTHORITY environment variable will give the pathname to the file which is unlink()'d when the connection is closed. (For those who merely tried the literal commands submitted by zen-parse () gmx net, note also that the directory to be 'rm -r'd isn't simply "/tmp/ssh-XXW9hNY9", but will depend on the value of that XAUTHORITY variable; it will be different for each ssh connection.) -- Dan Astoorian People shouldn't think that it's better to have Sysadmin, CSLab loved and lost than never loved at all. It's djast () cs toronto edu not, it's better to have loved and won. All www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican
Current thread:
- SSH allows deletion of other users files... zen-parse (Jun 04)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)
- Re: SSH allows deletion of other users files... Dan Astoorian (Jun 05)
- Re: SSH allows deletion of other users files... Jerry Connolly (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 05)
- Re: SSH allows deletion of other users files... aleph1 (Jun 05)
- Re: SSH allows deletion of other users files... David F. Skoll (Jun 04)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 04)
- Re: SSH / X11 auth: needless complexity -> security problems? Peter W (Jun 05)
- Re: SSH / X11 auth: needless complexity -> security problems? Markus Friedl (Jun 08)
- Re: SSH / X11 auth: needless complexity -> security problems? Theo de Raadt (Jun 10)
- Message not available
- Message not available
- Re: SSH / X11 auth: needless complexity -> security problems? Dale Southard (Jun 08)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)