Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

From: Eric Griffis (egriffisat_private)
Date: Tue Sep 28 1999 - 18:31:16 PDT

    Hello, All:
    
    First-time post, but I think it's well worth it. Since nobody has directly
    posted an implementable resolution, I'm sending 2 simple patches to repair
    the newchannels.c and ssh-agent.c files, which are responsible for writing
    to the symlink on vulnerable systems. I agree that this is definitely more
    of a system issue and all, but the fix to ssh is a real simple one (which
    raises the question 'why didn't SSH Comm. just fix it?'), and I haven't
    looked at kernel source since 0.something. So, here's what they do:
    
    About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c
    (ssh-agent1) do an lstat on the socket filename and fail auth forwarding
    (with a syslogged error) if a symbolic link is found.
    
    I have no idea how ethical/legal/moral/whatever posting these patches is,
    but I figure it's better than enduring denial-of-service, and I did search
    high and low for any sort of warnings not to. If I've done anything
    inappropriate here, please let me know.
    
    Eric Griffis
    egriffisat_private
    
    P.S. Real simple install for these. Regular old diff patches. Just cd into
    the ssh-1.2.27 source directory and type:
    
    patch < /path/to/patch-file
    
    Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over
    your current sshd1 and ssh-agent1 files.
    
    
    
    -----Original Message-----
    From: Solar Designer <solarat_private>
    To: BUGTRAQat_private <BUGTRAQat_private>
    Date: Tuesday, September 28, 1999 1:41 PM
    Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
    
    
    >Hi,
    >
    >> This is from a post I made to BugTraq on September 17, entitled
    >> "A few bugs...".  If you're running Linux, it appears kernels pre 2.1 will
    >> not be affected by this bug as they do not follow symlinks when creating
    >> UNIX domain sockets (Solar Designer pointed this out after trying the
    >> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
    >> I'm generalizing).
    >
    >The same applies to mknod(2), which follows dangling symlinks on
    >Linux 2.2, but doesn't on 2.0.  I've changed the code not to follow
    >such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.
    >
    >As I am posting this anyway, -- other changes to the -ow patch for
    >2.2 since I've announced it here include the real exit_signal fix,
    >and the TCP sequence number fix I took from 2.2.13pre14.  (Speaking
    >of the latter, it's funny how most of the randomness went into the
    >wrong place on the stack, and probably remained unnoticed because of
    >the fairly large and unused at the time "struct tcp_opt".  2.0 isn't
    >vulnerable.  Yet another reason to continue running 2.0.38.)
    >
    >Signed,
    >Solar Designer
    
    Attachment: patch-newchannels.c-ssh-1.2.27 (quoted-printable encoded)
    
    *** newchannels.c.old	Tue Sep 28 18:26:34 1999
    --- newchannels.c	Tue Sep 28 18:13:43 1999
    *************** int auth_input_request_forwarding(struct
    *** 2260,2264 ****
        int sock, newch, directory_created;
        struct sockaddr_un sunaddr;
    !   struct stat st, st2, parent_st;
        mode_t old_umask;
        char *last_dir;
    --- 2260,2264 ----
        int sock, newch, directory_created;
        struct sockaddr_un sunaddr;
    !   struct stat st, st2, st3, parent_st;
        mode_t old_umask;
        char *last_dir;
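    Review bot: the new "st3" buffer declared here is only ever handed to the lstat() call in the next hunk and never read; since that check tests nothing but lstat()'s return value, the existing "st2" could be reused, or, better, the buffer should earn its place by having the check inspect S_ISLNK(st3.st_mode) so the "symlink exists!" message is actually true when printed.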
    *************** int auth_input_request_forwarding(struct
    *** 2413,2416 ****
    --- 2413,2425 ----
        old_umask =3D =
    umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
       =20
    +   /* Check for dangling symlink, or other funny stuff */
    +   if (lstat(sunaddr.sun_path, &st3) =3D=3D 0)
    +     {
    +       error("* Remote error: lstat %.100s problem: symlink exists!",
    +             sunaddr.sun_path);
    +       packet_send_debug("* Remote error: Authentication fowarding =
    disabled.");
    +       return 0;
    +     }
    +=20
        if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < =
    0)
          packet_disconnect("Agent socket bind failed: %.100s", =
    strerror(errno));
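    Review bot: the early "return 0" inserted between the umask() call and bind() leaves the process umask changed and the "sock" descriptor that bind() is about to use still open; the function saved the previous mask in "old_umask" precisely so it can be restored, so the new block should "umask(old_umask); close(sock);" before returning. Two smaller points: "lstat(...) == 0" is true for any existing entry at sun_path, not only a symlink, so the "symlink exists!" text is misleading unless the condition tests S_ISLNK(st3.st_mode) (refusing on any pre-existing entry is the stricter and arguably better choice, but then the message should say so), and "fowarding" in the packet_send_debug() string is a typo. The lstat() followed by bind() is also not atomic: this closes the dangling-symlink case only as long as nobody else can create entries in the socket directory between the two calls, which is what the directory handling earlier in this function (directory_created, parent_st) has to guarantee; the kernel-side change Solar Designer describes removes the window altogether. Finally, this attachment is quoted-printable encoded (the "=3D", "=20" and trailing "=" soft line breaks above), so it has to be decoded before patch(1) will apply it.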
    
    Attachment: patch-ssh-agent.c-ssh-1.2.27
    
    *** ssh-agent.c.old	Tue Sep 28 18:26:44 1999
    --- ssh-agent.c	Tue Sep 28 18:18:46 1999
    *************** int main(int ac, char **av)
    *** 746,749 ****
    --- 746,759 ----
        sunaddr.sun_family = AF_UNIX;
        strncpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
    +
    +   /* Check for dangling symlink, or other funny stuff */
    +   if (lstat(sunaddr.sun_path, &st) == 0)
    +     {
    +       fprintf(stderr,
    +               "lstat %.100s problem: symlink exists!",
    +               sunaddr.sun_path);
    +       goto fail_socket_setup;
    +     }
    +
        if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
          {
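    Review bot: the check passes a "struct stat st" that this hunk does not declare, so it compiles only if main() already has one in scope; the newchannels.c patch adds its own "st3", and this one should either do likewise or state that "st" exists. As in the other patch, "lstat(...) == 0" fires for any existing entry, so "symlink exists!" overstates what was found unless S_ISLNK(st.st_mode) is tested, and the fprintf() message lacks a trailing newline. The "goto fail_socket_setup" target lies outside the shown context; confirm that path closes "sock" (the descriptor bind() uses on the next line) rather than exiting with it open. The lstat()/bind() pair is not atomic here either, so the check holds only if the socket's directory is not writable by other users.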
    
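An added example, not code from the original post or from the ssh-1.2.27 sources: a C function that creates a UNIX-domain socket at a path that must not be a symbolic link. It keeps the lstat() refusal that the two patches above add, and goes beyond them in two ways a reviewer of those hunks would ask for: the umask is restored on every exit path, and a second lstat() after bind() confirms that what now sits at the path is a socket owned by the caller, since the pre-check and bind() are not atomic. The function and enum names (bind_unix_socket_nofollow, demo_nofollow_bind, bind_result) and the /tmp scratch paths are my own, and the dangling symlink the demo plants is a constructed sample.

```c
/* Added example (not from the post or ssh-1.2.27): bind a UNIX-domain socket
 * at a path that must not be a symlink. The pre-bind lstat() refusal mirrors
 * the posted patches; the umask restore and post-bind check are additions. */
#define _GNU_SOURCE /* mkdtemp() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

enum bind_result {
    BIND_OK = 0,
    BIND_ERR_PATH_EXISTS,   /* an entry (symlink or otherwise) already exists */
    BIND_ERR_SYSCALL,       /* lstat/socket/bind failed; errno says why */
    BIND_ERR_NOT_OUR_SOCKET /* after bind(), path is not a socket we own */
};

static int fail_bind(enum bind_result r, enum bind_result *why, int fd)
{
    int saved = errno;
    if (fd >= 0)
        close(fd);      /* close without clobbering errno */
    errno = saved;
    *why = r;
    return -1;
}

/* Hypothetical helper: returns a bound fd (>= 0) with *why == BIND_OK,
 * or -1 with *why set to the reason. */
int bind_unix_socket_nofollow(const char *path, enum bind_result *why)
{
    struct sockaddr_un sa;
    struct stat st;
    mode_t old_umask;
    int fd, rc;
    if (strlen(path) >= sizeof sa.sun_path) {
        errno = ENAMETOOLONG;
        return fail_bind(BIND_ERR_SYSCALL, why, -1);
    }
    /* Pre-check as in the posted patches: lstat() does not follow links, so a
     * dangling symlink is reported as an existing entry and refused. */
    if (lstat(path, &st) == 0)
        return fail_bind(BIND_ERR_PATH_EXISTS, why, -1);
    if (errno != ENOENT)
        return fail_bind(BIND_ERR_SYSCALL, why, -1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return fail_bind(BIND_ERR_SYSCALL, why, -1);
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    /* Restrict the socket's mode for bind() and restore the mask whether or
     * not bind() succeeds (the posted sshd patch returns without doing so). */
    old_umask = umask(S_IRWXG | S_IRWXO);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old_umask);
    if (rc < 0)
        return fail_bind(BIND_ERR_SYSCALL, why, fd);
    /* Post-check: lstat() and bind() are not atomic. On a kernel whose bind()
     * follows dangling symlinks (Linux 2.2, per the thread), a link planted in
     * the window leaves a symlink, not a socket, at path. Nothing is unlinked:
     * a socket reached through a link sits at the link's target, not ours. */
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode) || st.st_uid != geteuid())
        return fail_bind(BIND_ERR_NOT_OUR_SOCKET, why, fd);
    *why = BIND_OK;
    return fd;
}

/* Exercises both outcomes in a scratch directory using a constructed dangling
 * symlink. Returns 0 when every expectation holds, a nonzero code otherwise. */
int demo_nofollow_bind(void)
{
    char dir[] = "/tmp/agentsock-XXXXXX", linkp[64], clean[64];
    enum bind_result why;
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL)
        return 100;
    snprintf(linkp, sizeof linkp, "%s/agent.link", dir);
    snprintf(clean, sizeof clean, "%s/agent.sock", dir);
    /* 1. A dangling symlink at the socket path must be refused up front. */
    if (symlink("/nonexistent/agent-target", linkp) != 0)
        rc = 101;
    else if (bind_unix_socket_nofollow(linkp, &why) != -1 || why != BIND_ERR_PATH_EXISTS)
        rc = 1;
    /* 2. A clean path must yield a bound socket (post-check passed inside). */
    if ((fd = bind_unix_socket_nofollow(clean, &why)) < 0 || why != BIND_OK)
        rc = rc ? rc : 2;
    else
        close(fd);
    unlink(linkp);
    unlink(clean);
    rmdir(dir);
    return rc;
}
```

Call demo_nofollow_bind() from a main() to exercise it; it returns 0 when the planted link is refused and the clean path binds. Note that BIND_ERR_PATH_EXISTS is reported for any pre-existing entry, not only a symlink: that is the stricter reading the patches' "symlink exists!" message glosses over, and callers that want to replace a stale socket must unlink it deliberately before calling.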

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:56 PDT