RE: ssh environment - circumvention of restricted shells

From: Leif Sawyer (lsawyerat_private)
Date: Wed Jun 26 2002 - 17:41:15 PDT


    Markus Friedl responded:
    > On Mon, Jun 24, 2002 at 08:08:12PM -0400, ari wrote:
    > > Given the similarities with certain other security issues, 
    > > i'm surprised this hasn't been discussed earlier.  If it has,
    > > people simply haven't paid it enough attention.
    > 
    > if you set up restricted accounts with restricted shells and allow
    > unrestricted writing to .ssh/** then you are lost.  same
    > applies to ftp-only accounts where users have full control over
    > what's in their $HOME.
    > 
    > so for restricted accounts you have to be very careful, don't
    > allow writing to $HOME, just to some selected sub directories.
    
    This can cause some problems for ISPs who use the user home directory
    for their public_html root.  This of course is done to keep the number
    of user questions down.
    
    I've tried this 'exploit' on both Linux 2.4.14 (redhat) and Solaris 2.8
    boxen, and have been unable to get a shell.  The shell process is there,
    but fails to communicate with the network socket.  
    
    *** However ***, if I replace "/bin/sh" with "ping some.ip.add.ress" and
    attempt the connection, I'm greeted with the following:
    
    	Last login: today from somehost
    	Sun Microsystems Inc.  SunOS 5.8
    	ld.so.1: ping: warning: /homes/evil/.ssh/evil.so: open failed: illegal insecure pathname
    	some.ip.add.ress is alive
    	Connection to target closed.
    
    Since I'm not a system programmer, I don't know if the failure is due to
    me not setting up the tty that /bin/sh will use, or if it's related to the
    above message.
    
    I look forward to more information on this so that we can escalate the true
    issue and get it solved.
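
The restriction Markus Friedl describes above (no write access to $HOME or .ssh for restricted accounts, only to selected subdirectories) can be checked mechanically. The script below is an added example, not part of the original thread; the function names are hypothetical, and any group/other write bit is conservatively treated as writable by the account.

```shell
#!/bin/sh
# Added example (not from the thread): audit one restricted account.
# Assumption: group membership is not resolved, so any group/other write
# bit is counted as "writable by the account".

# controlled UID FIND-ARGS...: print paths that UID owns or that carry
# group/other write bits.
controlled() {
    uid=$1; shift
    find "$@" \( -user "$uid" -o -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_account UID HOME: return 1 if the account can influence HOME/.ssh.
audit_account() {
    acct=$1; home=$2; rc=0
    # Owning or being able to write $HOME itself lets the account create,
    # rename or replace .ssh, whatever the modes on .ssh are.
    if [ -n "$(controlled "$acct" "$home" -prune)" ]; then
        echo "FAIL: $home is controlled by uid $acct"
        rc=1
    fi
    # Anything inside .ssh that the account owns or can write. Symlinks
    # report mode 777 on Linux, so they are flagged as well.
    if [ -e "$home/.ssh" ]; then
        hits=$(controlled "$acct" "$home/.ssh")
        if [ -n "$hits" ]; then
            echo "FAIL: uid $acct can modify:"
            echo "$hits"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: uid $acct cannot modify $home/.ssh"
    fi
    return "$rc"
}

# Usage: sh audit.sh <uid> <home>
# Selected subdirectories (public_html, an upload directory) may stay
# writable; only $HOME itself and the .ssh tree are checked.
if [ $# -eq 2 ]; then audit_account "$1" "$2"; fi
```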
    