Re: SSH allows deletion of other users files...

From: Jerry Connolly (jerry.connollyat_private)
Date: Tue Jun 05 2001 - 06:31:42 PDT


    Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700, 
    > Also: SSH Version OpenSSH_2.3.0 greenat_private 20010321 -- That comes 
    > with FreeBSD 4.3-STABLE
    > is not vulnerable at first glance.  It does not appear to use /tmp files 
    > as yours does and therefore is not vulnerable.
     
    I tested it on OpenSSH_2.5.2 on OpenBSD and it worked.  I had to enable X
    forwarding on the client and server before the remote machine would create
    (and attempt to unlink()) the cookies file.
    
    The offending code is in session.c in the xauthfile_cleanup_proc() function:
    
    <SNIP>
    /*
     * Remove local Xauthority file.
     */
    void
    xauthfile_cleanup_proc(void *ignore)
    {
        debug("xauthfile_cleanup_proc called");
     
        if (xauthfile != NULL) {
            char *p;
            unlink(xauthfile);
    </SNIP>
    
    where xauthfile points to a buffer containing the name of the cookies file.
    
    Cheers.
    
    -- 
    Jerry Connolly                  Computer Incident Response Team
    jerry.connollyat_private       Eircom Multimedia
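
A defensive variant of the cleanup quoted above, as an added example that is not part of the original message and is not OpenSSH's code: instead of calling unlink() on a stored path name, it pins the directory by descriptor and removes the entry only when both the directory and the file belong to the session user. The name safe_cookie_cleanup, its parameters and the /tmp/ssh-demo path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH code): remove `name` from `dir` only if
 * both belong to `owner`. Returns 0 on success, -1 with errno set otherwise. */
int safe_cookie_cleanup(const char *dir, const char *name, uid_t owner)
{
    struct stat ds, fs;
    int dfd, rc = -1, saved;
    if (strchr(name, '/') != NULL) {    /* a single path component only */
        errno = EINVAL;
        return -1;
    }
    /* Pin the directory by descriptor; O_NOFOLLOW refuses a symlink here. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* The directory must be the user's and not writable by others, so its
     * entries cannot be swapped between the check and the unlink; the entry
     * must be a regular file of the same user (symlinks are not followed). */
    if (fstat(dfd, &ds) == 0 && fstatat(dfd, name, &fs, AT_SYMLINK_NOFOLLOW) == 0) {
        if (ds.st_uid == owner && !(ds.st_mode & (S_IWGRP | S_IWOTH)) &&
            S_ISREG(fs.st_mode) && fs.st_uid == owner)
            rc = unlinkat(dfd, name, 0);
        else
            errno = EPERM;
    }
    saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

int main(void)
{
    char dir[] = "/tmp/ssh-demo-XXXXXX", path[64];  /* constructed sample */
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/cookies", dir);
    close(open(path, O_CREAT | O_WRONLY, 0600));
    printf("cleanup -> %d\n", safe_cookie_cleanup(dir, "cookies", getuid()));
    return rmdir(dir);
}
```

O_NOFOLLOW covers only the last component of `dir`, so the parent of the per-session directory is assumed to be a real directory such as /tmp itself.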
    


