[20860] in bugtraq


Re: SSH allows deletion of other users files...

daemon@ATHENA.MIT.EDU (Jerry Connolly)
Tue Jun 5 14:08:02 2001

Date: Tue, 5 Jun 2001 14:31:42 +0100
From: Jerry Connolly <jerry.connolly@eircom.net>
To: bugtraq@securityfocus.com
Cc: Jason DiCioccio <geniusj@bsd.st>
Message-ID: <20010605143142.D10994@alpha.eng.eircom.net>
Mail-Followup-To: Jerry Connolly <jerry.connolly@eircom.net>,
	bugtraq@securityfocus.com, Jason DiCioccio <geniusj@bsd.st>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B1BB27A.1020104@bsd.st>; from geniusj@bsd.st on Mon, Jun 04, 2001 at 09:08:26AM -0700

Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700, 
> Also: SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321 -- That comes 
> with FreeBSD 4.3-STABLE
> is not vulnerable at first glance.  It does not appear to use /tmp files 
> as yours does and therefore is not vulnerable.
 
I tested it on OpenSSH_2.5.2 on OpenBSD and it worked.  I had to enable X
forwarding on the client and server before the remote machine would create
(and attempt to unlink()) the cookies file.

The offending code is in session.c in the xauthfile_cleanup_proc() function:

<SNIP>
/*
 * Remove local Xauthority file.
 */
void
xauthfile_cleanup_proc(void *ignore)
{
    debug("xauthfile_cleanup_proc called");
    if (xauthfile != NULL) {
        char *p;
        unlink(xauthfile);
</SNIP>

where xauthfile points to a buffer containing the name of the cookies file.

Cheers.

-- 
Jerry Connolly                  Computer Incident Response Team
jerry.connolly@eircom.net       Eircom Multimedia
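As an added illustration (my own code, not OpenSSH's and not from this thread), the following shows the defensive shape a cleanup routine like the one quoted above can take: the cookie file is created inside a private mkdtemp() directory rather than at a guessable path under /tmp, and the cleanup step uses lstat() to refuse to unlink anything that is not a regular file owned by the current user. The function names, the directory naming scheme and the self-check helpers are assumptions made for the example.

```c
/* Added example (not OpenSSH code): defensive creation and removal of a
 * per-session xauth cookie file.  Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

static const char *tmp_base(void)
{
    const char *t = getenv("TMPDIR");
    return (t != NULL && *t != '\0') ? t : "/tmp";
}

/* Create a 0700 directory under $TMPDIR (or /tmp) and an empty cookie file
 * inside it.  On success writes the file path into `path` and returns 0. */
int create_private_xauthfile(char *path, size_t pathlen)
{
    char dir[4096];
    int fd;

    if (snprintf(dir, sizeof(dir), "%s/ssh-xauth-XXXXXX", tmp_base()) >= (int)sizeof(dir))
        return -1;
    /* mkdtemp() creates the directory with mode 0700, so nobody else can
     * plant a symlink where the cookie file will be created. */
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(path, pathlen, "%s/cookies", dir) >= (int)pathlen) {
        rmdir(dir);
        return -1;
    }
    /* O_EXCL|O_NOFOLLOW: fail instead of following a pre-existing link. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);
    return 0;
}

/* Remove the cookie file and its private directory.  Returns 0 on success,
 * -1 if the path is missing, a symlink, not a regular file, or not owned by
 * us; in those cases nothing is removed. */
int safe_cleanup_xauthfile(const char *path)
{
    struct stat st;
    char dir[4096];
    char *slash;

    if (path == NULL)
        return -1;
    /* lstat() does not follow symlinks: a link at `path` is seen as a link,
     * not as whatever it points to. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        errno = EPERM;
        return -1;
    }
    if (unlink(path) != 0)
        return -1;
    /* Best effort: remove the now-empty private directory. */
    if (strlen(path) < sizeof(dir)) {
        strcpy(dir, path);
        slash = strrchr(dir, '/');
        if (slash != NULL && slash != dir) {
            *slash = '\0';
            rmdir(dir);
        }
    }
    return 0;
}

/* Self-check: create, verify, clean up.  Returns 1 on success. */
int demo_round_trip(void)
{
    char path[4096];
    if (create_private_xauthfile(path, sizeof(path)) != 0) return 0;
    if (access(path, F_OK) != 0) return 0;
    if (safe_cleanup_xauthfile(path) != 0) return 0;
    return access(path, F_OK) != 0;
}

/* Self-check: a symlink sitting where the cookie file is expected (constructed
 * here, pointing at our own scratch file) is refused and its target survives. */
int demo_symlink_refused(void)
{
    char dir[4096], target[4096], link[4096];
    int fd, refused, survived;

    snprintf(dir, sizeof(dir), "%s/xauth-demo-XXXXXX", tmp_base());
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof(target), "%s/target", dir);
    snprintf(link, sizeof(link), "%s/cookies", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(target, link) != 0) return 0;
    refused = (safe_cleanup_xauthfile(link) == -1);
    survived = (access(target, F_OK) == 0);
    unlink(link); unlink(target); rmdir(dir);
    return refused && survived;
}

int main(void)
{
    printf("round trip: %s\n", demo_round_trip() ? "ok" : "FAILED");
    printf("symlink refused: %s\n", demo_symlink_refused() ? "ok" : "FAILED");
    return 0;
}
```

The lstat()-then-unlink() check still has a window between the two calls, which is why the private 0700 directory is the primary control: with nobody else able to write into the directory, the ownership and file-type check is a second line of defence rather than the only one.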
