On Mon, Jun 04, 2001 at 11:19:37AM -0400, David F. Skoll wrote: > I could not duplicate this with OpenSSH 2.9p1-1 on Red Hat 6.2 David (and other bugtraq readers), we think we have found some additional information that is important in tracking the source of the problem. The problem code is invoked in the X forwarding of ssh. If you try again, this time passing -X as a command line argument to the ssh client, you may find different results. Depending upon the user's combination of ssh_config and the server's sshd_config, this may or may not be (quickly) exploitable on your system. [1] Running ssh -X will create the /tmp/ssh-XXXXXXXX directory that is needed for the exploit. Another thing to note: Solar Designer's Openwall patch for the 2.2.x series of Linux kernels effectively prevents this exploit with a kernel syslog entry similar to: Security: not followed symlink of 5049.5050 by UID 0, EUID 0, process sshd:20264 The versions of OpenSSH we have found to be vulnerable are: 2.9p1, 2.5.2p2, 2.3.0p1 Cheers! [1]: I seem to recall some changes in the X forwarding code in OpenSSH recently (last year or so) that affects how the client and server negotiate X forwarding, specifically that the sshd_config file may not be able to prevent X forwarding, possibly depending upon the version of sshd. It may have been the X client was not able to prevent X forwarding, depending upon the version of ssh. Disabling X forwarding in the configuration files may or may not disable this exploit.
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 10:43:03 PDT