[12039] in bugtraq
Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
daemon@ATHENA.MIT.EDU (Solar Designer)
Tue Sep 28 16:25:25 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <199909280422.IAA18746@false.com>
Date: Tue, 28 Sep 1999 08:22:01 +0400
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To: tymm@COE.MISSOURI.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.05.9909261312540.119791-100000@tiger.coe.missouri.edu> from Tymm Twillman at "Sep 26, 99 04:53:44 pm"
Hi,
> This is from a post I made to BugTraq on September 17, entitled
> "A few bugs...". If you're running Linux, it appears kernels pre 2.1 will
> not be affected by this bug as they do not follow symlinks when creating
> UNIX domain sockets (Solar Designer pointed this out after trying the
> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
> I'm generalizing).
The same applies to mknod(2), which follows dangling symlinks on
Linux 2.2, but doesn't on 2.0. I've changed the code not to follow
such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.
As I am posting this anyway, -- other changes to the -ow patch for
2.2 since I've announced it here include the real exit_signal fix,
and the TCP sequence number fix I took from 2.2.13pre14. (Speaking
of the latter, it's funny how most of the randomness went into the
wrong place on the stack, and probably remained unnoticed because of
the fairly large and unused at the time "struct tcp_opt". 2.0 isn't
vulnerable. Yet another reason to continue running 2.0.38.)
Signed,
Solar Designer
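A worked example added here, not from the original post and not the -ow patch's kernel code: a C program that (a) probes whether the kernel it runs on creates a UNIX-domain socket through a dangling symlink on bind(2), the 2.2 behaviour described in the post, and (b) shows the userspace precautions a daemon can take until its kernel is fixed: refuse a world-writable parent directory, refuse a name that already exists as a symlink, and re-check the name after bind(2). Function names, guard codes and the temp-directory layout are this example's own; it assumes a POSIX system with a writable /tmp.

```c
/* Added example, not from the original post or the -ow patch: a userspace guard for
 * bind(2) on a UNIX-domain socket path, plus a probe that reports whether the running
 * kernel creates the socket through a dangling symlink (the 2.2 behaviour described
 * above).  Function names and guard codes are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum bind_guard {
    GUARD_OK = 0,
    GUARD_PATH_TOO_LONG,         /* would not fit in sun_path */
    GUARD_PARENT_NOT_DIR,        /* parent missing, not a directory, or not inspectable */
    GUARD_PARENT_WORLD_WRITABLE, /* anyone could plant a symlink under this name first */
    GUARD_IS_SYMLINK,            /* the name already exists as a symlink */
    GUARD_EXISTS,                /* the name exists as something else (stale socket?) */
    GUARD_BIND_FAILED,           /* bind(2) failed; errno is preserved */
    GUARD_POST_CHECK_FAILED      /* after bind(2) the name is not a plain socket */
};

/* Bind fd to path only if the parent directory is not world-writable and the name is
 * not a symlink.  lstat-then-bind is a TOCTOU window, so the final lstat re-checks what
 * ended up at the name: a kernel that follows the symlink creates the socket at the
 * target and leaves the name itself a symlink, which this catches after the fact. */
int safe_unix_bind(int fd, const char *path)
{
    struct sockaddr_un sa;
    struct stat st;
    char parent[sizeof sa.sun_path], *slash;
    if (strlen(path) >= sizeof sa.sun_path) return GUARD_PATH_TOO_LONG;
    strcpy(parent, path);
    slash = strrchr(parent, '/');
    if (slash == NULL) strcpy(parent, ".");
    else if (slash == parent) parent[1] = '\0';  /* directly under "/" */
    else *slash = '\0';

    if (stat(parent, &st) != 0 || !S_ISDIR(st.st_mode)) return GUARD_PARENT_NOT_DIR;
    if (st.st_mode & S_IWOTH) return GUARD_PARENT_WORLD_WRITABLE;
    if (lstat(path, &st) == 0) return S_ISLNK(st.st_mode) ? GUARD_IS_SYMLINK : GUARD_EXISTS;
    if (errno != ENOENT) return GUARD_PARENT_NOT_DIR;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) return GUARD_BIND_FAILED;
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode)) return GUARD_POST_CHECK_FAILED;
    return GUARD_OK;
}

/* Probe the kernel inside a fresh mode-0700 mkdtemp(3) directory: bind to a dangling
 * symlink and see whether a socket appeared at its target.  Returns 1 (followed),
 * 0 (not followed) or -1 (probe could not be set up). */
int kernel_bind_follows_dangling_symlink(void)
{
    char dir[] = "/tmp/bindprobe.XXXXXX", link[64], target[64];
    struct sockaddr_un sa;
    struct stat st;
    int fd, followed = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && symlink(target, link) == 0) {
        memset(&sa, 0, sizeof sa);
        sa.sun_family = AF_UNIX;
        strcpy(sa.sun_path, link);
        bind(fd, (struct sockaddr *)&sa, sizeof sa);  /* result deliberately ignored */
        followed = (lstat(target, &st) == 0 && S_ISSOCK(st.st_mode)) ? 1 : 0;
    }
    if (fd >= 0) close(fd);
    unlink(target); unlink(link); rmdir(dir);
    return followed;
}

/* Self-check in a private temp directory.  scenario 0: clean bind; 1: a symlink planted
 * at the socket name; 2: parent made world-writable.  Returns the guard code or -1. */
int demo_scenario(int scenario)
{
    char dir[] = "/tmp/sockguard.XXXXXX", sock[64], target[64];
    int fd, rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(sock, sizeof sock, "%s/daemon.sock", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (scenario == 1) symlink(target, sock);
    if (scenario == 2) chmod(dir, 0777);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0) { rc = safe_unix_bind(fd, sock); close(fd); }
    unlink(target); unlink(sock); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("follows=%d clean=%d symlink=%d world-writable-parent=%d\n",
           kernel_bind_follows_dangling_symlink(),
           demo_scenario(0), demo_scenario(1), demo_scenario(2));
    return 0;
}
```

On a kernel that does not follow the symlink (2.0, or 2.2.12-ow6 per the post) the probe prints follows=0 and bind(2) on the planted symlink simply fails; on one that does, the probe prints follows=1 and the socket appears at the symlink target. The lstat-then-bind checks narrow the race but cannot close it from userspace; the post-bind lstat turns a raced symlink into a detected failure rather than a silently misplaced socket. The same guard pattern applies to a path handed to mknod(2), which the post says behaves the same way on 2.2. The durable fix is the kernel change or a socket directory that only the daemon can write to.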