On Mon, 04 Jun 2001 12:08:26 EDT, Jason DiCioccio writes:
> > Also: SSH Version OpenSSH_2.3.0 greenat_private 20010321 -- That comes
> > with FreeBSD 4.3-STABLE
> is not vulnerable at first glance. It does not appear to use /tmp files
> as yours does and therefore is not vulnerable.

My testing indicates that OpenSSH 2.3.0p1 *is* vulnerable if X11 forwarding is permitted. However, the /tmp/ssh-*/cookie file is not created/removed unless X11 forwarding is enabled for the connection. Note that some vendors ship OpenSSH with X11 forwarding disabled by default *in the client*, which may be why you did not observe the problem on FreeBSD.

Be sure to use the "-X" option to ssh to enable X11 forwarding in the client, and make sure you're testing from a client where $DISPLAY is pointing at an X server. The $XAUTHORITY environment variable will give the pathname to the file which is unlink()'d when the connection is closed.

(For those who merely tried the literal commands submitted by zen-parseat_private, note also that the directory to be 'rm -r'd isn't simply "/tmp/ssh-XXW9hNY9", but will depend on the value of that XAUTHORITY variable; it will be different for each ssh connection.)

--
Dan Astoorian                 People shouldn't think that it's better to have
Sysadmin, CSLab               loved and lost than never loved at all. It's
djastat_private               not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/    the other options really suck. --Dan Redican
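The test procedure described in the message above, as an added shell example that is not part of the original post or of OpenSSH: it derives the per-connection /tmp/ssh-*/ directory from $XAUTHORITY, checks that directory the way one should check any /tmp location before touching it (real directory, not a symlink, owned by the caller, mode 0700), and wraps the "ssh -X, look at XAUTHORITY, disconnect, look again" probe in a function. The path layout /tmp/ssh-XXXXXXXX/cookie follows the post; the ownership and mode checks, the helper names, and the assumption that sshd exports XAUTHORITY for a command run under `ssh -X` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH).
# Assumes the per-connection X11 authority file lives at
# /tmp/ssh-XXXXXXXX/cookie and is exported to the session as $XAUTHORITY,
# as the post describes. The safety checks below are generic /tmp hygiene,
# not something OpenSSH itself performs.

# Print the directory that holds the per-connection cookie file, or fail
# if the path does not look like one (e.g. a user's ~/.Xauthority).
x11_cookie_dir() {
    case "$1" in
        /tmp/ssh-*/cookie) dirname "$1" ;;
        *)
            printf 'not a per-connection ssh cookie path: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# Succeed only if DIR is a real directory (not a symlink), owned by the
# calling user, with mode exactly 0700. Anything else is a reason not to
# run 'rm -r' on it, since /tmp is writable by every local user.
check_cookie_dir() {
    dir=$1
    [ -d "$dir" ]   || { echo "missing or not a directory: $dir" >&2; return 1; }
    [ ! -L "$dir" ] || { echo "refusing to follow symlink: $dir" >&2; return 1; }
    [ -O "$dir" ]   || { echo "not owned by the calling user: $dir" >&2; return 1; }
    # -perm 700 (no leading '-' or '/') matches the mode exactly.
    [ -n "$(find "$dir" -prune -perm 700 -print)" ] \
        || { echo "mode is not 0700: $dir" >&2; return 1; }
    return 0
}

# The probe from the post, for use on a client where DISPLAY points at an
# X server: open an X11-forwarded session (-X), report the cookie path and
# its directory on the server, then reconnect without forwarding and see
# whether the directory survived the disconnect. Requires a reachable host;
# it is not exercised offline.
probe_remote_cookie() {
    host=$1
    remote_dir=$(ssh -X "$host" '
        echo "XAUTHORITY=$XAUTHORITY" >&2
        ls -ld "$(dirname "$XAUTHORITY")" "$XAUTHORITY" >&2
        dirname "$XAUTHORITY"')
    [ -n "$remote_dir" ] || { echo "no XAUTHORITY exported; X11 forwarding off?" >&2; return 1; }
    ssh "$host" "if [ -e '$remote_dir' ]; then echo 'still present: $remote_dir'; else echo 'removed: $remote_dir'; fi"
}
```

`probe_remote_cookie somehost` prints the server-side XAUTHORITY value and listing on stderr, then reports whether the directory is gone once the forwarded session has closed; `x11_cookie_dir "$XAUTHORITY"` and `check_cookie_dir` are what a cleanup script should call before it ever runs `rm -r` on such a path.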
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 10:31:55 PDT