Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

From: Damien Miller <djm () mindrot org>
Date: Wed, 30 Apr 2003 13:39:49 +1000 (EST)
1. Systems affected:

        Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
        if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

        Please note that the IBM-supplied OpenSSH packages[1] are 
        not vulnerable.

2. Description:

        The default behavior of the runtime linker on AIX is to search 
        the current directory for dynamic libraries before searching 
        system paths. This is done regardless of the executable's 
        set[ug]id status.

        This behavior is insecure and extremely dangerous. It allows an 
        attacker to locally escalate their privilege level through the 
        use of replacement libraries.

        Portable OpenSSH includes configure logic to override this 
        broken behavior, but only for the native compiler. gcc uses a
        different command-line option (without changing the dangerous 
        default behavior).

3. Impact:

        Privilege escalation by local users.

4. Short-term workaround:

        Remove any set[ug]id bits from the installed binaries,
        usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH 
        may also install the 'ssh' binary as setuid.

        Please note that removing the setuid bit from ssh-keysign will 
        disable hostbased authentication. 

        Portable OpenSSH 3.6.1p2 uses the correct compiler flags to 
        avoid the dangerous linker behavior.

5. Solution:

        For the problem to be solved, the AIX linker must be changed to 
        only search system paths by default and never search the current 
        directory or user-specified paths for set[ug]id programs.

        We consider this a serious flaw in IBM's linker, and urge
        them to fix it immediately.  IBM, are you listening?

6. Credits:

        Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
        issue to our attention. Darren Tucker <dtucker () zip com au>
        contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi
Previous By Date Next
Previous By Thread Next

Current thread: