Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH allows deletion of other users files...

From: Jerry Connolly <jerry.connolly () eircom net>
Date: Tue, 5 Jun 2001 14:31:42 +0100
Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700, 

Also: SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321 -- That comes 
with FreeBSD 4.3-STABLE
is not vulnerable at first glance.  It does not appear to use /tmp files 
as yours does and therefore is not vulnerable.

 
I tested it on OpenSSH_2.5.2 on OpenBSD and it worked.  I had to enable X
forwarding on the client and server before the remote machine would create
(and attempt to unlink() ) the cookies file.

The offending code is in session.c in the xauthfile_cleanup_proc() function

<SNIP>
/*
 * Remove local Xauthority file.
 */
void
xauthfile_cleanup_proc(void *ignore)
{
    debug("xauthfile_cleanup_proc called");
 
    if (xauthfile != NULL) {
        char *p;
        unlink(xauthfile);
</SNIP>

where xauthfile points to a buffer containing the name of the cookies file.

Cheers.

-- 
Jerry Connolly                  Computer Incident Response Team
jerry.connolly () eircom net       Eircom Multimedia
Previous By Date Next
Previous By Thread Next

Current thread: