[18615] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Andrew Bartlett)
Mon Jan 15 13:11:48 2001
Message-Id: <3A5FBBE1.4DFDC736@pcug.org.au>
Date: Sat, 13 Jan 2001 13:22:25 +1100
Reply-To: abartlet@pcug.org.au
From: Andrew Bartlett <abartlet@PCUG.ORG.AU>
X-To: Matt Zimmerman <mdz@CSH.RIT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Matt Zimmerman wrote:
>
> On Thu, Jan 11, 2001 at 01:42:52AM +0200, Ari Saastamoinen wrote:
>
> > On Wed, 10 Jan 2001, Pedro Margate wrote:
> >
> > > install the ssh binary as suid root by default. This can be disabled
> > > during configuration or after the fact with chmod. I believe that would
> >
> > That exploit can use any suid root program which resolves host names. (For
> > example ping and traceroute.) So you cannot fix that glibc exploit only by
> > unsetting SUID bit of ssh client.
>
> Or more properly, an suid root program which resolves host names _while still
> holding root privileges_. ping from netkit and traceroute from LBNL do not
> fall into this category. fping from SATAN, however, does.
>
As does OpenSSH, something that my patch (attached) fixes. The patch is
for OpenSSH 2.3.0p1. Special thanks to Markus Friedl
(Markus.Friedl@informatik.uni-erlangen.de) for his help/comments on the
patches. Tested on RedHat 7.0.
> --
> - mdz
--
Andrew Bartlett
abartlet@pcug.org.au
Attachment: ssh.diff
--- ssh.orig Sat Jan 13 12:51:42 2001
+++ ssh.c Sat Jan 13 12:52:02 2001
@@ -611,12 +611,10 @@
rsh_connect(host, options.user, &command);
fatal("rsh_connect returned");
}
- /* Restore our superuser privileges. */
- restore_uid();
/*
- * Open a connection to the remote host. This needs root privileges
- * if rhosts_{rsa_}authentication is enabled.
+ * Open a connection to the remote host. This regains
+ * root privilages as required.
*/
ok = ssh_connect(host, &hostaddr, options.port,
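Review bot: the new comment at the end of this hunk misspells "privileges" as "privilages". It should also state which uid the code is running under when ssh_connect() is entered: with the restore_uid() call above it deleted, ssh_connect() now performs host name resolution as the invoking user and regains root only inside the call, which is exactly the property this patch exists to establish, so the precondition deserves to be written down next to the call.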
@@ -625,6 +623,9 @@
!options.rhosts_rsa_authentication,
original_real_uid,
options.proxy_command);
+
+ /* Restore our superuser privileges. */
+ restore_uid();
/*
* If we successfully made the connection, load the host private key
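Review bot: the restore_uid() added after ssh_connect() returns runs unconditionally, before the `ok` result is examined, so root is regained even when the connection failed. The comment should say why root is needed here at all: the comment removed in the previous hunk said it was required for rhosts_{rsa_}authentication, and the context line that follows ("load the host private key") is the step that still needs it. Restoring root only when that authentication is enabled (the `!options.rhosts_rsa_authentication` argument visible above already carries that information) would keep the privileged window as small as the rest of the patch does.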
Attachment: sshconnect.diff
--- sshconnect.orig Sat Jan 13 12:51:49 2001
+++ sshconnect.c Sat Jan 13 12:52:01 2001
@@ -96,6 +96,7 @@
char *argv[10];
/* Child. Permanently give up superuser privileges. */
+ restore_uid();
permanently_set_uid(original_real_uid);
/* Redirect stdin and stdout. */
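Review bot: the restore_uid() inserted ahead of permanently_set_uid(original_real_uid) needs a comment, because it reads as a contradiction of the line above it ("Permanently give up superuser privileges"). The reason it is required is that setuid() rewrites the real, effective and saved uid only when the caller's effective uid is 0; called with the effective uid already set to the user, it would change only the effective uid and leave root in the saved uid. Say so in the comment, and have permanently_set_uid() verify the result (getresuid() on Linux) instead of assuming it.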
@@ -155,21 +156,22 @@
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
+ /* Restore our superuser privileges. */
+ restore_uid();
sock = rresvport_af(&p, family);
+ /* Back to normal user. */
+ temporarily_use_uid(original_real_uid);
if (sock < 0)
error("rresvport: af=%d %.100s", family, strerror(errno));
else
debug("Allocated local port %d.", p);
} else {
/*
- * Just create an ordinary socket on arbitrary port. We use
- * the user's uid to create the socket.
+ * Just create an ordinary socket on arbitrary port.
*/
- temporarily_use_uid(original_real_uid);
sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
- restore_uid();
}
return sock;
}
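Review bot: the else branch now calls socket() without the temporarily_use_uid()/restore_uid() pair, so ssh_create_socket() depends on being entered with the effective uid already set to original_real_uid; that precondition should be stated in the function's header comment, since a caller that arrives as root would silently create the socket as root. In the privileged branch the ordering is right: temporarily_use_uid(original_real_uid) runs before the `sock < 0` check, so root is dropped on the failure path as well as on success.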
@@ -248,11 +250,7 @@
/* Create a socket for connecting. */
sock = ssh_create_socket(original_real_uid,
-#ifdef HAVE_CYGWIN
!anonymous && port < IPPORT_RESERVED,
-#else
- !anonymous && geteuid() == 0 && port < IPPORT_RESERVED,
-#endif
ai->ai_family);
if (sock < 0)
continue;
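Review bot: dropping the `geteuid() == 0 &&` term from the privileged argument changes behaviour for a non-setuid install, which the thread explicitly considers (turning the suid bit off with chmod). With the effective uid now always the user's, the old test would always be false, so removing it is understandable, but the replacement `!anonymous && port < IPPORT_RESERVED` sends every non-anonymous connection to a reserved port into the rresvport_af() path, where restore_uid() cannot regain root and the allocation fails; the `if (sock < 0) continue;` below then abandons the address instead of falling back to an ordinary socket. Test against the saved uid (or the effective uid recorded at startup) rather than geteuid(), and keep the fallback.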
@@ -261,15 +259,12 @@
* hope that it will help with tcp_wrappers showing
* the remote uid as root.
*/
- temporarily_use_uid(original_real_uid);
if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
/* Successful connection. */
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
- restore_uid();
break;
} else {
debug("connect: %.100s", strerror(errno));
- restore_uid();
/*
* Close the failed socket; there appear to
* be some problems when reusing a socket for
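Review bot: the comment left in place at the top of this hunk ("hope that it will help with tcp_wrappers showing the remote uid as root") described the temporarily_use_uid()/restore_uid() pair around connect() that this hunk deletes, so it is now stale; rewrite it to say that connect() runs under original_real_uid because the whole function does. Removing the restore_uid() calls on both the success and the failure branch is consistent with the rest of the patch.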
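The uid discipline the two diffs impose (run as the invoking user, regain root only for the reserved-port window, verify that the permanent drop really took), as an added C example that is not part of Andrew's patch or of OpenSSH: the helper names are borrowed from the patch for readability, their bodies and the report_euid() stand-in are mine, and getresuid() assumes a Linux or BSD libc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* getresuid() lives behind this on glibc */
#endif
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);  /* explicit prototype, see above */

static uid_t saved_euid;   /* effective uid at startup: 0 for a setuid-root install */
void init_uids(void) { saved_euid = geteuid(); }      /* call first thing in main */
uid_t startup_euid(void) { return saved_euid; }

/* Run as the invoking user for the bulk of the program (name resolution
 * included); the saved set-user-id keeps root recoverable for one short window. */
int temporarily_use_uid(uid_t uid) { return seteuid(uid); }
int restore_uid(void) { return seteuid(saved_euid); }

/* No way back to root: real, effective and saved uid must all equal the target.
 * Checking geteuid() alone would miss a root uid left in the saved slot. */
int privs_fully_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) < 0)
        return 0;
    return r == uid && e == uid && s == uid;
}

/* Give up root for good, as sshconnect.diff does in the proxy-command child.
 * setuid() rewrites all three uids only when the effective uid is 0, which is
 * why root is restored right before it; the result is verified, not assumed. */
int permanently_set_uid(uid_t uid) {
    if (restore_uid() < 0 || setuid(uid) < 0)
        return -1;
    return privs_fully_dropped(uid) ? 0 : -1;
}

/* Run one privileged operation (the reserved-port allocation in the patch) and
 * drop back to the user afterwards whether or not it succeeded. */
int with_root(uid_t user, int (*op)(void *), void *arg) {
    int rc, saved_errno;
    if (restore_uid() < 0)
        return -1;
    rc = op(arg);
    saved_errno = errno;
    if (temporarily_use_uid(user) < 0)
        return -1;             /* fatal for the caller: still running as root */
    errno = saved_errno;
    return rc;
}

/* Constructed stand-in for rresvport_af(): reports the euid it ran under. */
int report_euid(void *unused) { (void)unused; return (int)geteuid(); }
```

Run as an ordinary user the helpers are no-ops on the uid but the checks still pass; installed setuid root they show the window in which report_euid() sees uid 0.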