Bugtraq mailing list archives
Re: SSH allows deletion of other users files...
From: sarnold () wirex com
Date: Mon, 4 Jun 2001 15:17:04 -0700
On Mon, Jun 04, 2001 at 11:19:37AM -0400, David F. Skoll wrote:
I could not duplicate this with OpenSSH 2.9p1-1 on Red Hat 6.2
David (and other bugtraq readers), we think we have found some additional information that is important in tracking the source of the problem. The problem code is invoked in the X forwarding of ssh. If you try again, this time passing -X as a command line argument to the ssh client, you may find different results. Depending upon the user's combination of ssh_config and the server's sshd_config, this may or may not be (quickly) exploitable on your system. [1] Running ssh -X will create the /tmp/ssh-XXXXXXXX directory that is needed for the exploit. Another thing to note: Solar Designer's Openwall patch for the 2.2.x series of Linux kernels effectively prevents this exploit with a kernel syslog entry similar to: Security: not followed symlink of 5049.5050 by UID 0, EUID 0, process sshd:20264 The versions of OpenSSH we have found to be vulnerable are: 2.9p1, 2.5.2p2, 2.3.0p1 Cheers! [1]: I seem to recall some changes in the X forwarding code in OpenSSH recently (last year or so) that affects how the client and server negotiate X forwarding, specifically that the sshd_config file may not be able to prevent X forwarding, possibly depending upon the version of sshd. It may have been the X client was not able to prevent X forwarding, depending upon the version of ssh. Disabling X forwarding in the configuration files may or may not disable this exploit.
Current thread:
- SSH allows deletion of other users files... zen-parse (Jun 04)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)
- Re: SSH allows deletion of other users files... Dan Astoorian (Jun 05)
- Re: SSH allows deletion of other users files... Jerry Connolly (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 05)
- Re: SSH allows deletion of other users files... aleph1 (Jun 05)
- Re: SSH allows deletion of other users files... David F. Skoll (Jun 04)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Markus Friedl (Jun 04)
- Re: SSH / X11 auth: needless complexity -> security problems? Peter W (Jun 05)
- Re: SSH / X11 auth: needless complexity -> security problems? Markus Friedl (Jun 08)
- Re: SSH / X11 auth: needless complexity -> security problems? Theo de Raadt (Jun 10)
- Message not available
- Message not available
- Re: SSH / X11 auth: needless complexity -> security problems? Dale Southard (Jun 08)
- Re: SSH / X11 auth: needless complexity -> security problems? Casper Dik (Jun 10)
- Re: SSH allows deletion of other users files... sarnold (Jun 05)
- Re: SSH allows deletion of other users files... Jason DiCioccio (Jun 04)