[12344] in bugtraq


Re: Fix for ssh-1.2.27 symlink/bind problem

daemon@ATHENA.MIT.EDU (Markus Friedl)
Tue Oct 26 15:27:49 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991026001902.A32511@folly.informatik.uni-erlangen.de>
Date:         Tue, 26 Oct 1999 00:19:02 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To:         Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991006151112.72CAD459AD@spike.porcupine.org>

On Wed, Oct 06, 1999 at 11:11:12AM -0400, Wietse Venema wrote:
> This is the second SSH vulnerability involving bind() (the other
> one involves port forwarding). They really ought to learn to perform
> operations with the right privilege level.
>
> With a little tooling (such as set_eugid()) it is quite easy.

Please note that ssh dropped support for uid-swapping beginning
with version 1.2.13:
in order to avoid leakage of the private hostkey (e.g. in core-dumps)
when running suid-root, ssh now forks into 2 processes:
	(1) the main process is running setuid root and controls:
	(2) the 'userfile' process, which runs with the id of the user and
	accesses his files (e.g. over NFS)

I think it is the wrong decision to make 'privileged' the standard
and 'non-privileged' the special case.

Please note also that the two free versions of ssh, ossh by
Bjoern Groenvall <bg@sics.se> and OpenSSH from the OpenBSD-project,
do _not_ exhibit this behaviour, since they are derived from ssh-1.2.12,
the last version of the original ssh, free for commercial use.
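The two-process split Markus describes (a privileged parent, and a child that permanently takes the user's identity before it touches the user's files), together with Wietse's point about doing each operation at the right privilege level, can be shown in a few dozen lines of C. The following is an added example written for this archive page; it is not code from ssh, ossh or OpenSSH, and the function names (drop_to_user, read_file_as_user, self_check) and the sample file contents are constructed for illustration. It forks a 'userfile'-style child that drops group then user id, verifies the drop cannot be undone, and opens the requested path with O_NOFOLLOW so a symlink planted in the user's directory is refused rather than followed; the parent only relays bytes through a pipe and reads the child's exit status as the verdict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch the calling process to uid/gid. Groups first, uid
 * last: once the uid is non-root the group calls would be refused.
 * Returns 0 on success, -1 on any failure. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(1, &gid) == -1) return -1; /* root only */
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* If we were root, the switch must not be reversible. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Read `path` on behalf of user uid/gid in a forked child and copy up to
 * n-1 bytes into buf (NUL-terminated). The parent never opens the file;
 * only the unprivileged child touches the file system. Returns the number
 * of bytes stored, or -1 if the child failed (including a refused symlink). */
ssize_t read_file_as_user(uid_t uid, gid_t gid, const char *path,
                          char *buf, size_t n)
{
    int pfd[2];
    if (n == 0 || pipe(pfd) == -1) return -1;

    pid_t pid = fork();
    if (pid == -1) { close(pfd[0]); close(pfd[1]); return -1; }

    if (pid == 0) {                          /* child: the 'userfile' side */
        close(pfd[0]);
        if (drop_to_user(uid, gid) == -1) _exit(2);
        /* O_NOFOLLOW: a symlink at `path` fails with ELOOP instead of being followed. */
        int fd = open(path, O_RDONLY | O_NOFOLLOW);
        if (fd == -1) _exit(3);
        char tmp[4096];
        ssize_t r;
        while ((r = read(fd, tmp, sizeof tmp)) > 0)
            if (write(pfd[1], tmp, (size_t)r) != r) _exit(4);
        _exit(r == 0 ? 0 : 5);
    }

    /* parent: drain the pipe fully (so the child never blocks), keep n-1 bytes */
    close(pfd[1]);
    char tmp[4096];
    size_t total = 0;
    ssize_t r;
    while ((r = read(pfd[0], tmp, sizeof tmp)) > 0) {
        size_t room = n - 1 - total;
        size_t take = (size_t)r < room ? (size_t)r : room;
        memcpy(buf + total, tmp, take);
        total += take;
    }
    close(pfd[0]);
    buf[total] = '\0';

    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

/* Constructed self-check: write a sample file, read it as the current user
 * (bit 1 on success), then try the same through a symlink, which must be
 * refused (bit 2). Returns 3 when both behave as expected. */
int self_check(void)
{
    char dir[64] = "/tmp/userfile-demoXXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./userfile-demoXXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    char file[256], link[256], buf[64];
    snprintf(file, sizeof file, "%s/sample.txt", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    FILE *f = fopen(file, "w");
    if (!f) return -1;
    fputs("ssh-rsa sample-data\n", f);       /* constructed content, 20 bytes */
    fclose(f);

    int ok = 0;
    if (read_file_as_user(getuid(), getgid(), file, buf, sizeof buf) == 20 &&
        strcmp(buf, "ssh-rsa sample-data\n") == 0) ok |= 1;
    if (symlink(file, link) == 0 &&
        read_file_as_user(getuid(), getgid(), link, buf, sizeof buf) == -1) ok |= 2;
    unlink(link); unlink(file); rmdir(dir);
    return ok;
}

int main(void)
{
    int rc = self_check();
    printf("self_check -> %d (3 means: plain read ok, symlink refused)\n", rc);
    return rc == 3 ? 0 : 1;
}
```

Run as an ordinary user the drop is a no-op and the check still exercises the fork, the pipe relay and the O_NOFOLLOW refusal; run as root with a real uid/gid it also exercises the irreversibility test. The design choice worth noting is that the parent never interprets the path at all: whatever the child cannot open with its reduced identity simply is not read, which is the property the 1.2.13 split was meant to provide.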
