[9211] in bugtraq
Re: SSH 1.x and 2.x Daemon
daemon@ATHENA.MIT.EDU (Yutaka OIWA)
Mon Jan 25 16:17:59 1999
Date: Tue, 26 Jan 1999 01:16:55 +0900
Reply-To: yutaka@OIWA.SHIBUYA.TOKYO.JP
From: Yutaka OIWA <yutaka@OIWA.SHIBUYA.TOKYO.JP>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Sat, 23 Jan 1999 17:06:44 JST."
<000601be471c$aa26abb0$28b50318@noc.plfld1.nj.home.com>
>> On Sat, 23 Jan 1999 17:06:44 -0500, KuRuPTioN <kuruption@CHA0S.COM> said:
KuRuPTioN> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
KuRuPTioN> and 2.0.11 (only tested). The bug simply allows users with expired
KuRuPTioN> accounts (in /etc/shadow) to continue to log in even though other
KuRuPTioN> services such as ftp and telnet deny access. Here is the log using 1.2.27
KuRuPTioN> (but the same happens with 2.0.11).
It seems to be a bug in the configure script. From my quick look at
the source code, the possibly vulnerable environments are
- sshd 1.2.26 on
* Linux, Irix5, Irix6, Ultrix, Convex
- sshd 2.0.11 on
* Almost all platforms with account expiration and without
usersec.h(?)
To check whether the sshd is vulnerable, execute the command
strings sshd | grep expire
and see whether the message for ACCOUNT expiration exists.
(There may be a message for password expiration.)
Adding
#define HAVE_STRUCT_SPWD_EXPIRE 1
to the appropriate header file (do this after ./configure) may solve the
problem (sorry, not tested).
Detail:
In ssh 1.2.26, the check for shadow passwd existence is bypassed on
some platforms. However, the check for sp_expire existence is done
in the bypassed section of the configure script.
In ssh 2.0.11, no check seems to be done for sp_expire at all. (true?)
--
Yutaka Oiwa Yonezawa Lab., Department of Information Science,
Faculty of Science, University of Tokyo.
Email: <oiwa@is.s.u-tokyo.ac.jp>, <yutaka@oiwa.shibuya.tokyo.jp>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07 EA 59 34 D8 F4 65 53 61
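As an added illustration of the check the post says sshd is missing (this is example code written for this archive page, not code from the bugtraq post or from the SSH sources): the account-expiration test a login service should apply to the sp_expire field of /etc/shadow, and how a compile-time guard such as HAVE_STRUCT_SPWD_EXPIRE silently compiles that test out when configure never defines it. The struct is a constructed stand-in for the relevant fields of struct spwd so the program runs without reading /etc/shadow, and the "expired once today >= sp_expire" rule is an assumption that follows the shadow-utils convention as far as I know it.

```c
/*
 * Added example, not from the post or the SSH sources. Models the
 * account-expiration check against the eighth field of /etc/shadow
 * (sp_expire: days since 1970-01-01 after which the account is
 * disabled; empty or -1 means "never expires").
 */
#include <stdio.h>
#include <time.h>

#define SECONDS_PER_DAY 86400L

/* Constructed stand-in for struct spwd carrying only the fields used here. */
struct shadow_entry {
    const char *sp_namp;  /* login name */
    long sp_expire;       /* account expiry, days since epoch; -1 = none */
};

/* Convert a UNIX timestamp to the day count used by /etc/shadow. */
long days_since_epoch(time_t now)
{
    return (long)(now / SECONDS_PER_DAY);
}

/*
 * Returns 1 if the account is expired, 0 otherwise.
 * Assumption (shadow-utils convention, to the best of my knowledge):
 * a positive sp_expire is a cutoff day and the account is disabled once
 * today's day number is >= that cutoff; 0 or -1 means no expiry.
 */
int account_expired(long sp_expire, long today_days)
{
    if (sp_expire <= 0)
        return 0;               /* field empty or -1: never expires */
    return today_days >= sp_expire;
}

/*
 * The check as a login service would wire it in. If the configure
 * script never defines HAVE_STRUCT_SPWD_EXPIRE (the bug described in
 * the post), the #ifdef branch is compiled out and every account is
 * accepted. Defining it, as the post suggests, turns the check on;
 * the macro name is taken from the post, the define here is ours.
 */
#define HAVE_STRUCT_SPWD_EXPIRE 1

int login_allowed(const struct shadow_entry *sp, time_t now)
{
#ifdef HAVE_STRUCT_SPWD_EXPIRE
    if (account_expired(sp->sp_expire, days_since_epoch(now)))
        return 0;               /* expired: deny, like login/ftp/telnet */
#endif
    return 1;
}

int main(void)
{
    /* Constructed sample entries; day 10000 is 1997-05-19. */
    struct shadow_entry expired = { "olduser", 10000 };
    struct shadow_entry active  = { "alice", -1 };
    time_t now = 915148800;     /* 1999-01-01 00:00:00 UTC, day 10592 */

    printf("%s: login %s\n", expired.sp_namp,
           login_allowed(&expired, now) ? "allowed" : "denied (account expired)");
    printf("%s: login %s\n", active.sp_namp,
           login_allowed(&active, now) ? "allowed" : "denied (account expired)");
    return 0;
}
```

Compile with the define removed to see the failure mode the post describes: login_allowed() then returns 1 for "olduser" as well, which is exactly why `strings sshd | grep expire` finding no account-expiration message is a useful indicator that the check was never built in.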