Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700,
> Also: SSH Version OpenSSH_2.3.0 greenat_private 20010321 -- That comes
> with FreeBSD 4.3-STABLE
> is not vulnerable at first glance. It does not appear to use /tmp files
> as yours does and therefore is not vulnerable.

I tested it on OpenSSH_2.5.2 on OpenBSD and it worked. I had to enable X
forwarding on the client and server before the remote machine would
create (and attempt to unlink() ) the cookies file.

The offending code is in session.c in the xauthfile_cleanup_proc() function

<SNIP>
/*
 * Remove local Xauthority file.
 */
void
xauthfile_cleanup_proc(void *ignore)
{
        debug("xauthfile_cleanup_proc called");

        if (xauthfile != NULL) {
                char *p;
                unlink(xauthfile);
</SNIP>

where xauthfile points to a buffer containing the name of the cookies file.

Cheers.
-- 
Jerry Connolly
Computer Incident Response Team  jerry.connollyat_private
Eircom Multimedia
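
An added example, not part of the message above and not OpenSSH code: one way a privileged cleanup routine can avoid unlinking through a path in /tmp that has been swapped for a symlink, by holding the directory open and removing the file relative to that handle. The names safe_cleanup and demo, and the /tmp/xauth-demo-* paths, are assumptions made for this sketch.

```c
/* Added example (hypothetical names; not OpenSSH code). */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove dir/name only if dir is a real directory (not a symlink), owned by
 * `owner`, and not writable by group or others. Returns 0, or -1 on refusal. */
int safe_cleanup(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int rc = -1, dfd;

    if (strchr(name, '/') != NULL)      /* name must be a single component */
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)                        /* symlink or missing: refuse */
        return -1;
    /* Check the directory we actually hold open, then unlink relative to it. */
    if (fstat(dfd, &st) == 0 && st.st_uid == owner &&
        (st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}

/* Constructed scenario: a private directory holding "cookies", reached either
 * directly or through a symlink standing in for a replaced path. */
int demo(int via_symlink)
{
    char dir[] = "/tmp/xauth-demo-XXXXXX", path[64], lnk[64];
    int fd, rc;

    if (mkdtemp(dir) == NULL) return -2;
    snprintf(path, sizeof(path), "%s/cookies", dir);
    snprintf(lnk, sizeof(lnk), "%s.lnk", dir);
    if ((fd = open(path, O_CREAT | O_WRONLY, 0600)) >= 0)
        close(fd);
    if (via_symlink && symlink(dir, lnk) != 0)
        rc = -2;
    else
        rc = safe_cleanup(via_symlink ? lnk : dir, "cookies", getuid());
    unlink(path); unlink(lnk); rmdir(dir);   /* tidy the constructed files */
    return rc;
}

int main(void) { printf("direct=%d symlink=%d\n", demo(0), demo(1)); return 0; }
```

O_NOFOLLOW covers only the final path component, so the parent of the directory must itself be trusted; dropping to the user's uid before the unlink is a complementary control.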