[20857] in bugtraq
Re: SSH allows deletion of other users files...
daemon@ATHENA.MIT.EDU (Dan Astoorian)
Tue Jun 5 13:31:29 2001
To: Jason DiCioccio <geniusj@bsd.st>
Cc: zen-parse@gmx.net, bugtraq@securityfocus.com
In-reply-to: Your message of "Mon, 04 Jun 2001 12:08:26 EDT."
<3B1BB27A.1020104@bsd.st>
Date: Mon, 4 Jun 2001 17:11:34 -0400
From: Dan Astoorian <djast@cs.toronto.edu>
Message-Id: <01Jun4.171137edt.453133-3885@jane.cs.toronto.edu>
On Mon, 04 Jun 2001 12:08:26 EDT, Jason DiCioccio writes:
>
> Also: SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321 -- That comes
> with FreeBSD 4.3-STABLE
> is not vulnerable at first glance. It does not appear to use /tmp files
> as yours does and therefore is not vulnerable.
My testing indicates that OpenSSH 2.3.0p1 *is* vulnerable if X11
forwarding is permitted. However, the /tmp/ssh-*/cookie file is not
created/removed unless X11 forwarding is enabled for the connection.
Note that some vendors ship OpenSSH with X11 forwarding disabled by
default *in the client*, which may be why you did not observe the
problem on FreeBSD. Be sure to use the "-X" option to ssh to enable X11
forwarding in the client, and make sure you're testing from a client
where $DISPLAY is pointing at an X server. The $XAUTHORITY environment
variable will give the pathname to the file which is unlink()'d when the
connection is closed.
(For those who merely tried the literal commands submitted by
zen-parse@gmx.net, note also that the directory to be 'rm -r'd isn't
simply "/tmp/ssh-XXW9hNY9", but will depend on the value of that
XAUTHORITY variable; it will be different for each ssh connection.)
--
Dan Astoorian
Sysadmin, CSLab
djast@cs.toronto.edu
www.cs.toronto.edu/~djast/

People shouldn't think that it's better to have loved and lost than never
loved at all. It's not, it's better to have loved and won. All the other
options really suck. --Dan Redican
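As an added example that is not code from the original post or from OpenSSH, the following POSIX sh function (hypothetical name check_xauth_dir) inspects the $XAUTHORITY path the message describes and reports whether the per-connection directory that sshd will remove at session close is a private, symlink-free directory owned by the session user. It assumes GNU stat, with a BSD stat fallback.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# check_xauth_dir (hypothetical name) takes the X11 authority file path
# a forwarded session sees in $XAUTHORITY (e.g. /tmp/ssh-XXXXXXXX/cookie)
# and checks that the location sshd later unlink()s looks safe: neither
# the directory nor the file is a symlink, both are owned by the session
# user, and the directory is mode 0700.  Returns 0 if sane, 1 otherwise.

check_xauth_dir() {
    cookie=$1
    dir=$(dirname "$cookie")
    me=$(id -u)

    # The directory must be a real directory, not a symlink that could
    # redirect a later recursive removal somewhere else.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is a symlink or not a directory" >&2
        return 1
    fi
    # Likewise the cookie itself must be a plain file, not a link.
    if [ -L "$cookie" ] || [ ! -f "$cookie" ]; then
        echo "FAIL: $cookie is a symlink or not a regular file" >&2
        return 1
    fi

    dir_owner=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    dir_mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
    file_owner=$(stat -c %u "$cookie" 2>/dev/null || stat -f %u "$cookie")

    if [ "$dir_owner" != "$me" ] || [ "$file_owner" != "$me" ]; then
        echo "FAIL: $dir or $cookie not owned by uid $me" >&2
        return 1
    fi
    if [ "$dir_mode" != 700 ]; then
        echo "FAIL: $dir is mode $dir_mode, expected 700" >&2
        return 1
    fi
    echo "OK: $cookie lives in a private, symlink-free directory"
    return 0
}

# When run inside a session with X11 forwarding, check the live path.
if [ -n "$XAUTHORITY" ]; then
    check_xauth_dir "$XAUTHORITY"
fi
```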