Hello, All:

First-time post, but I think it's well worth it. Since nobody has directly posted an implementable resolution, I'm sending 2 simple patches to repair the newchannels.c and ssh-agent.c files, which are responsible for writing to the symlink on vulnerable systems. I agree that this is definitely more of a system issue and all, but the fix to ssh is a real simple one (which raises the question 'why didn't SSH Comm. just fix it?'), and I haven't looked at kernel source since 0.something.

So, here's what they do: About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c (ssh-agent1) do an lstat on the socket filename and fail auth forwarding (with a syslogged error) if a symbolic link is found.

I have no idea how ethical/legal/moral/whatever posting these patches is, but I figure it's better than enduring denial-of-service, and I did search high and low for any sort of warnings not to. If I've done anything inappropriate here, please let me know.

Eric Griffis
egriffisat_private

P.S. Real simple install for these. Regular old diff patches. Just cd into the ssh-1.2.27 source directory and type:

patch < /path/to/patch-file

Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over your current sshd1 and ssh-agent1 files.

-----Original Message-----
From: Solar Designer <solarat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Tuesday, September 28, 1999 1:41 PM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

>Hi,
>
>> This is from a post I made to BugTraq on September 17, entitled
>> "A few bugs...".
>> If you're running Linux, it appears kernels pre 2.1 will
>> not be affected by this bug as they do not follow symlinks when creating
>> UNIX domain sockets (Solar Designer pointed this out after trying the
>> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
>> I'm generalizing).
>
>The same applies to mknod(2), which follows dangling symlinks on
>Linux 2.2, but doesn't on 2.0. I've changed the code not to follow
>such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.
>
>As I am posting this anyway, -- other changes to the -ow patch for
>2.2 since I've announced it here include the real exit_signal fix,
>and the TCP sequence number fix I took from 2.2.13pre14. (Speaking
>of the latter, it's funny how most of the randomness went into the
>wrong place on the stack, and probably remained unnoticed because of
>the fairly large and unused at the time "struct tcp_opt". 2.0 isn't
>vulnerable. Yet another reason to continue running 2.0.38.)
>
>Signed,
>Solar Designer

Attachment: patch-newchannels.c-ssh-1.2.27

*** newchannels.c.old Tue Sep 28 18:26:34 1999 --- newchannels.c Tue Sep 28 18:13:43 1999 *************** int auth_input_request_forwarding(struct *** 2260,2264 **** int sock, newch, directory_created; struct sockaddr_un sunaddr; ! struct stat st, st2, parent_st; mode_t old_umask; char *last_dir; --- 2260,2264 ---- int sock, newch, directory_created; struct sockaddr_un sunaddr; ! 
struct stat st, st2, st3, parent_st; mode_t old_umask; char *last_dir; *************** int auth_input_request_forwarding(struct *** 2413,2416 **** --- 2413,2425 ---- old_umask =3D = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); =20 + /* Check for dangling symlink, or other funny stuff */ + if (lstat(sunaddr.sun_path, &st3) =3D=3D 0) + { + error("* Remote error: lstat %.100s problem: symlink exists!", + sunaddr.sun_path); + packet_send_debug("* Remote error: Authentication fowarding = disabled."); + return 0; + } +=20 if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < = 0) packet_disconnect("Agent socket bind failed: %.100s", = strerror(errno));

Attachment: patch-ssh-agent.c-ssh-1.2.27

*** ssh-agent.c.old Tue Sep 28 18:26:44 1999 --- ssh-agent.c Tue Sep 28 18:18:46 1999 *************** int main(int ac, char **av) *** 746,749 **** --- 746,759 ---- sunaddr.sun_family = AF_UNIX; strncpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path)); + + /* Check for dangling symlink, or other funny stuff */ + if (lstat(sunaddr.sun_path, &st) == 0) + { + fprintf(stderr, + "lstat %.100s problem: symlink exists!", + sunaddr.sun_path); + goto fail_socket_setup; + } + if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0) {
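Review bot: in the newchannels.c 2413 hunk, the new check fires on any existing directory entry, not only a symlink, because `lstat(sunaddr.sun_path, &st3) == 0` also succeeds for a leftover socket or a regular file, while both messages say "symlink exists!"; either add an `S_ISLNK(st3.st_mode)` test or reword the error to say the path already exists. The early `return 0` also leaves `sock` (which the `bind()` just below expects to be open already) unclosed, so a `close(sock)` belongs before it, and "fowarding" in the packet_send_debug string is a typo. An lstat() followed by a separate bind() is still a check-then-use pair: it shrinks the window but only a kernel-side change like the one Solar Designer describes (bind(2) no longer following dangling symlinks) removes it. Readers applying the attachment as archived should note it is quoted-printable encoded, so `=3D=3D` is `==` and `=20` is a trailing space.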
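Review bot: the ssh-agent.c 746 hunk uses `&st`, but unlike the newchannels.c patch it adds no `struct stat st` declaration, so it compiles only if main() already declares one; add the declaration to the patch or name the variable to match what main() has. As in the other patch, `lstat(...) == 0` rejects any existing entry while the message claims a symlink, and the fprintf string has no trailing newline, so the message runs into whatever stderr prints next. `fail_socket_setup` is assumed to be an existing label that closes `sock`.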
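The check the two patches add, written out as an added example for this page rather than code from ssh 1.2.27 or from either patch: it classifies what sits at the socket path without following a final symlink (so a dangling link is caught, the case bind(2) on Linux 2.2 would otherwise follow), and it binds only inside a freshly created mode-0700 directory, which closes the window between lstat() and bind() that a bare check-then-bind leaves. The function and enum names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* What sits at a prospective socket path, without following a final symlink. */
enum path_state { PATH_FREE = 0, PATH_SYMLINK = 1, PATH_OCCUPIED = 2, PATH_ERROR = -1 };

enum path_state socket_path_state(const char *path)
{
    struct stat st;
    /* lstat() succeeds on a dangling symlink too; that is the entry a
     * symlink-following bind(2) would otherwise create through. */
    if (lstat(path, &st) == 0)
        return S_ISLNK(st.st_mode) ? PATH_SYMLINK : PATH_OCCUPIED;
    return errno == ENOENT ? PATH_FREE : PATH_ERROR;
}

/* Create a fresh 0700 directory and bind the agent socket inside it.
 * Refusing a directory that already exists means nobody else can have
 * planted anything there, so lstat() and bind() no longer race anyone.
 * Returns the bound fd, or -1 with errno set. */
int bind_private_socket(const char *dir, const char *path)
{
    struct sockaddr_un sun;
    struct stat st;
    int sock, saved;

    if (strlen(path) >= sizeof(sun.sun_path)) { errno = ENAMETOOLONG; return -1; }
    if (mkdir(dir, 0700) < 0) return -1;    /* EEXIST: never adopt someone else's dir */
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & 077) != 0) {       /* confirm it is ours and private */
        errno = EPERM; return -1;
    }
    if (socket_path_state(path) != PATH_FREE) { errno = EEXIST; return -1; }

    sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0) return -1;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof(sun.sun_path) - 1);
    if (bind(sock, (struct sockaddr *)&sun, sizeof sun) < 0) {
        saved = errno; close(sock); errno = saved;   /* do not leak the fd */
        return -1;
    }
    return sock;
}
```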
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:56 PDT