[18546] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Jerry Connolly)
Wed Jan 10 21:25:16 2001
Mail-Followup-To: Jerry Connolly <jerry.connolly@eircom.net>,
BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20010110234752.A32228@alpha.eng.eircom.net>
Date: Wed, 10 Jan 2001 23:47:52 +0000
Reply-To: Jerry Connolly <jerry.connolly@EIRCOM.NET>
From: Jerry Connolly <jerry.connolly@EIRCOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSI.4.05L.10101101335100.24087-100000@mail.eclipse.net>;
from pedro@ECLIPSE.NET on Wed, Jan 10, 2001 at 01:40:39PM -0500
Pedro Margate said the following on Wed, Jan 10, 2001 at 01:40:39PM -0500,
> The implementations of ssh that I'm familiar with (ssh and OpenSSH)
> install the ssh binary as suid root by default. This can be disabled
> during configuration or after the fact with chmod. I believe that would
> prevent this exploit from operating. I've turned off the suid bit on
> every ssh installation I've performed and it seems to work the same. I'm
> not sure what reason ssh has to be suid root, nobody I've asked has any
> idea.
If you have the following options set in ssh_config

    RhostsAuthentication yes
    RhostsRSAAuthentication yes
    UsePrivilegedPort yes

then ssh will connect from a privileged port, which requires root privileges.
Jerry Connolly, Eircom.net CIRT
--
ejrry^[bxpZZ
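
An added example, not part of the original message: a shell check that compares the setuid bit on an ssh binary with whether a client config explicitly sets any of the three options named above to yes. The function names and verdict strings are made up for this example. It assumes ssh is run by non-root users, reads only the file it is given (compiled-in defaults are not considered), and does not check who owns the binary.

```sh
#!/bin/sh
# Added example (not from the original post). Only explicit settings in the
# given file are examined; compiled-in defaults are not considered.

# privport_options FILE: print "lineno:setting" for each line that sets one of
# the three options named above to yes. Exit status 0 if any, 1 if none.
privport_options() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next        # blank line or comment
        key = line; sub(/[ \t=].*$/, "", key)      # keyword ends at space or "="
        val = substr(line, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val); gsub(/"/, "", val)
        key = tolower(key)                         # keywords are case-insensitive
        # value compared leniently on case: better to flag than to miss
        if ((key == "rhostsauthentication" || key == "rhostsrsaauthentication" ||
             key == "useprivilegedport") && tolower(val) == "yes") {
            printf "%d:%s\n", NR, line; found = 1
        }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# audit_ssh BINARY CONFIG: compare the setuid bit with what the config asks for.
# Matching config lines go to stderr, the one-line verdict to stdout.
audit_ssh() {
    if hits=$(privport_options "$2"); then wants=yes; else wants=no; fi
    if [ -u "$1" ]; then suid=yes; else suid=no; fi
    if [ -n "$hits" ]; then printf '%s\n' "$hits" >&2; fi
    case "$suid/$wants" in
        yes/no) echo "REVIEW: $1 is setuid, but no listed option is set to yes"; return 1 ;;
        no/yes) echo "MISMATCH: privileged port requested, but $1 is not setuid"; return 1 ;;
        *)      echo "CONSISTENT: setuid=$suid privileged_port_requested=$wants" ;;
    esac
}

# Stand-alone use: sh script.sh /path/to/ssh /path/to/ssh_config
if [ "$#" -eq 2 ]; then audit_ssh "$1" "$2"; fi
```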