[12063] in bugtraq
Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
daemon@ATHENA.MIT.EDU (Eric Griffis)
Thu Sep 30 13:23:54 1999
Date: Tue, 28 Sep 1999 18:31:16 -0700
Reply-To: Eric Griffis <egriffis@COMMONTECH.COM>
From: Eric Griffis <egriffis@COMMONTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello, All:
First-time post, but I think it's well worth it. Since nobody has directly
posted an implementable resolution, I'm sending 2 simple patches to repair
the newchannels.c and ssh-agent.c files, which are responsible for writing
to the symlink on vulnerable systems. I agree that this is definitely more
of a system issue and all, but the fix to ssh is a real simple one (which
raises the question 'why didn't SSH Comm. just fix it?'), and I haven't
looked at kernel source since 0.something. So, here's what they do:
About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c
(ssh-agent1) do an lstat on the socket filename and fail auth forwarding
(with a syslogged error) if a symbolic link is found.
I have no idea how ethical/legal/moral/whatever posting these patches is,
but I figure it's better than enduring denial-of-service, and I did search
high and low for any sort of warnings not to. If I've done anything
inappropriate here, please let me know.
Eric Griffis
egriffis@commontech.com
P.S. Real simple install for these. Regular old diff patches. Just cd into
the ssh-1.2.27 source directory and type:
patch < /path/to/patch-file
Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over
your current sshd1 and ssh-agent1 files.
-----Original Message-----
From: Solar Designer <solar@FALSE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Tuesday, September 28, 1999 1:41 PM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
>Hi,
>
>> This is from a post I made to BugTraq on September 17, entitled
>> "A few bugs...". If you're running Linux, it appears kernels pre 2.1 will
>> not be affected by this bug as they do not follow symlinks when creating
>> UNIX domain sockets (Solar Designer pointed this out after trying the
>> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
>> I'm generalizing).
>
>The same applies to mknod(2), which follows dangling symlinks on
>Linux 2.2, but doesn't on 2.0. I've changed the code not to follow
>such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.
>
>As I am posting this anyway, -- other changes to the -ow patch for
>2.2 since I've announced it here include the real exit_signal fix,
>and the TCP sequence number fix I took from 2.2.13pre14. (Speaking
>of the latter, it's funny how most of the randomness went into the
>wrong place on the stack, and probably remained unnoticed because of
>the fairly large and unused at the time "struct tcp_opt". 2.0 isn't
>vulnerable. Yet another reason to continue running 2.0.38.)
>
>Signed,
>Solar Designer
[Attachment: patch-newchannels.c-ssh-1.2.27]
*** newchannels.c.old Tue Sep 28 18:26:34 1999
--- newchannels.c Tue Sep 28 18:13:43 1999
*************** int auth_input_request_forwarding(struct
*** 2260,2264 ****
int sock, newch, directory_created;
struct sockaddr_un sunaddr;
! struct stat st, st2, parent_st;
mode_t old_umask;
char *last_dir;
--- 2260,2264 ----
int sock, newch, directory_created;
struct sockaddr_un sunaddr;
! struct stat st, st2, st3, parent_st;
mode_t old_umask;
char *last_dir;
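Review bot: `st3` is added to the declaration line here, but in the second hunk it only receives the lstat() result and is never read back, so nothing ever tells a symlink apart from any other object at the path; either test `S_ISLNK(st3.st_mode)` there so the new buffer earns its keep, or drop the extra variable and lstat() into a scratch struct.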
*************** int auth_input_request_forwarding(struct
*** 2413,2416 ****
--- 2413,2425 ----
old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);

+ /* Check for dangling symlink, or other funny stuff */
+ if (lstat(sunaddr.sun_path, &st3) == 0)
+ {
+ error("* Remote error: lstat %.100s problem: symlink exists!",
+ sunaddr.sun_path);
+ packet_send_debug("* Remote error: Authentication fowarding disabled.");
+ return 0;
+ }
+
if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
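Review bot: `lstat(sunaddr.sun_path, &st3) == 0` succeeds for any existing object, not only a symlink, so a stale socket file left behind by an earlier session is also refused with the misleading message "symlink exists!"; test `S_ISLNK(st3.st_mode)` (and handle S_ISSOCK separately) and word the error to match. The check is also not atomic with the bind() that follows it, so it narrows the window rather than closing it, which fits the author's own remark that this is really a system issue; the kernel-side bind(2) change Solar Designer describes in the quoted reply is the complete fix. Minor: "fowarding" in the packet_send_debug() string.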
[Attachment: patch-ssh-agent.c-ssh-1.2.27]
*** ssh-agent.c.old Tue Sep 28 18:26:44 1999
--- ssh-agent.c Tue Sep 28 18:18:46 1999
*************** int main(int ac, char **av)
*** 746,749 ****
--- 746,759 ----
sunaddr.sun_family = AF_UNIX;
strncpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
+
+ /* Check for dangling symlink, or other funny stuff */
+ if (lstat(sunaddr.sun_path, &st) == 0)
+ {
+ fprintf(stderr,
+ "lstat %.100s problem: symlink exists!",
+ sunaddr.sun_path);
+ goto fail_socket_setup;
+ }
+
if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
{
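Review bot: same existence-versus-symlink point as in newchannels.c: `lstat(sunaddr.sun_path, &st) == 0` fires for any object at socket_name, and the fprintf() message "lstat %.100s problem: symlink exists!" has no trailing newline, so it runs into whatever stderr prints next; add `\n` and test `S_ISLNK(st.st_mode)`. The hunk also relies on `st` already being declared in main() and on a `fail_socket_setup` label existing, neither of which appears in this patch (unlike the first patch, which adds its declaration in a separate hunk), so the surrounding context is needed to confirm both.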
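Added example, not code from the posted patches or from the ssh 1.2.27 sources: a standalone C helper that performs the lstat-before-bind check both patches add, but tells a symlink apart from any other object at the path, refuses on unexpected lstat() errors, and re-inspects the path after bind() because the two calls are not atomic. `bind_unix_socket_checked` and `run_scenarios` are names chosen here, and the self-check constructs its own inputs (a fresh path, a dangling symlink, a plain file) in a private directory under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Bind a UNIX-domain socket at `path` only if nothing is there yet.
 * Returns 0 on success, -1 with errno set when the path is refused. */
int bind_unix_socket_checked(int sock, const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct stat st;
    size_t len = strlen(path);
    if (len >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    memcpy(sa.sun_path, path, len + 1);
    /* lstat() reports the link itself, so a dangling symlink shows up here where
     * stat() says ENOENT; tell a link apart from a plain file (the patch does not). */
    if (lstat(path, &st) == 0) { errno = S_ISLNK(st.st_mode) ? ELOOP : EEXIST; return -1; }
    if (errno != ENOENT) return -1;               /* EACCES etc.: refuse, do not guess */
    if (bind(sock, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    /* lstat() and bind() are not atomic. Re-inspect: the path must now be a
     * socket owned by us, not a link planted in the window between the calls. */
    if (lstat(path, &st) < 0 || !S_ISSOCK(st.st_mode) || st.st_uid != geteuid())
        { errno = EPERM; return -1; }
    return 0;
}

/* Self-check with constructed inputs in a private temp dir: a fresh path, a dangling
 * symlink like the one in the report, a plain file. Returns how many behaved as intended (3 = all). */
int run_scenarios(void)
{
    char dir[] = "/tmp/sockchk-XXXXXX", p1[64], p2[64], p3[64];
    int ok = 0, s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0 || !mkdtemp(dir)) return -1;
    snprintf(p1, sizeof p1, "%s/fresh", dir);
    snprintf(p2, sizeof p2, "%s/link", dir);
    snprintf(p3, sizeof p3, "%s/file", dir);
    if (symlink("/nonexistent-target", p2) < 0 || close(open(p3, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    ok += bind_unix_socket_checked(s, p1) == 0;
    close(s); s = socket(AF_UNIX, SOCK_STREAM, 0);    /* a bound socket cannot rebind */
    ok += bind_unix_socket_checked(s, p2) == -1 && errno == ELOOP;
    ok += bind_unix_socket_checked(s, p3) == -1 && errno == EEXIST;
    close(s); unlink(p1); unlink(p2); unlink(p3); rmdir(dir);
    return ok;
}
```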