Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

From: Jeff Long (longat_private)
Date: Mon Oct 04 1999 - 10:41:41 PDT

Next message: Elias Levy: "Cactus Software's shell-lock"

Previous message: Tymm Twillman: "Time to update those CGIs again"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is a multi-part message in MIME format.
--------------929FEACD82C86314874AE1C7
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dan Astoorian wrote:
>
> On Thu, 30 Sep 1999 15:04:14 EDT, Eric Griffis writes:

> Jeff Long's patch is the sort of method I had in mind for fixing the
> problem properly.
>
> I'm not sure whether there are other credentials which the code should
> also be giving away--for instance, if root belongs to supplementary
> groups, then perhaps directories that are writable by those groups might
> still be attacked by the exploit.  It would be worth testing whether
> this is the case.  If so, perhaps an appropriate "initgroups(...)" would
> help?

There's been a flurry of patches for this problem but since I'd already
sent out a partially correct patch I figured I better follow up with a
more(?) correct patch.  I've added the code to fixup the concurrent
groups before and after doing the bind().  This was tested on Tru64
5.0.  Since I guess some OS'es don't have initgroups() they will need to
add the #ifdef for initgroups() to avoid it.  Also I'm not really sure
if the calls to setegid() are still necessary but I felt better just
leaving them in.

Jeff Long
--------------929FEACD82C86314874AE1C7
Content-Type: text/plain; charset=us-ascii;
 name="newchannels.c.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="newchannels.c.patch"

*** newchannels.c.original	Thu Sep 30 16:58:22 1999
--- newchannels.c	Mon Oct  4 12:23:48 1999
***************
*** 2262,2268 ****
    struct stat st, st2, parent_st;
    mode_t old_umask;
    char *last_dir;
!
    if (auth_get_socket_name() != NULL)
      fatal("Protocol error: authentication forwarding requested twice.");

--- 2262,2272 ----
    struct stat st, st2, parent_st;
    mode_t old_umask;
    char *last_dir;
!   uid_t saved_euid = 0;
!   gid_t saved_egid = 0;
!   gid_t saved_groups[NGROUPS_MAX];
!   int saved_groups_count = 0;
!
    if (auth_get_socket_name() != NULL)
      fatal("Protocol error: authentication forwarding requested twice.");

***************
*** 2411,2427 ****
       creating unix-domain sockets, you might not be able to use
       ssh-agent connections on your system */
    old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
!
!   if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
!     packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
!
!   umask(old_umask);
!
    if (directory_created)
      if (chown(".", pw->pw_uid, pw->pw_gid) < 0)
        packet_disconnect("Agent socket directory chown failed: %.100s",
                          strerror(errno));

    /* Start listening on the socket. */
    if (listen(sock, 5) < 0)
      packet_disconnect("Agent socket listen failed: %.100s", strerror(errno));
--- 2415,2450 ----
       creating unix-domain sockets, you might not be able to use
       ssh-agent connections on your system */
    old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
!
    if (directory_created)
      if (chown(".", pw->pw_uid, pw->pw_gid) < 0)
        packet_disconnect("Agent socket directory chown failed: %.100s",
                          strerror(errno));

+   saved_euid = geteuid();
+   saved_egid = getegid();
+
+   if ((saved_groups_count = getgroups(NGROUPS_MAX, saved_groups)) < 0)
+       packet_disconnect("Agent socket getgroups failed: %s.100s", strerror(errno));
+   if (initgroups(pw->pw_name, pw->pw_gid))
+       packet_disconnect("Agent socket initgroups failed: %s.100s", strerror(errno));
+
+   if (setegid(pw->pw_gid) < 0)
+       packet_disconnect("Agent socket setegid failed: %.100s", strerror(errno));
+   if (seteuid(pw->pw_uid) < 0)
+       packet_disconnect("Agent socket seteuid failed: %.100s", strerror(errno));
+   if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
+       packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
+
+   if (seteuid(saved_euid) < 0)
+       packet_disconnect("Agent socket re-seteuid failed: %.100s", strerror(errno));
+   if (setegid(saved_egid) < 0)
+       packet_disconnect("Agent socket re-setegid failed: %.100s", strerror(errno));
+   if (setgroups(saved_groups_count, saved_groups) < 0)
+       packet_disconnect("Agent socket setgroups failed: %s.100s", strerror(errno));
+
+   umask(old_umask);
+
    /* Start listening on the socket. */
    if (listen(sock, 5) < 0)
      packet_disconnect("Agent socket listen failed: %.100s", strerror(errno));

--------------929FEACD82C86314874AE1C7--

Next message: Elias Levy: "Cactus Software's shell-lock"
Previous message: Tymm Twillman: "Time to update those CGIs again"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:39 PDT