Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH allows deletion of other users files...
From: Dan Astoorian <djast () cs toronto edu>
Date: Mon, 4 Jun 2001 17:11:34 -0400

On Mon, 04 Jun 2001 12:08:26 EDT, Jason DiCioccio writes:

Also: SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321 -- That comes 
with FreeBSD 4.3-STABLE
is not vulnerable at first glance.  It does not appear to use /tmp files 
as yours does and therefore is not vulnerable.

My testing indicates that OpenSSH 2.3.0p1 *is* vulnerable if X11
forwarding is permitted.  However, the /tmp/ssh-*/cookie file is not
created/removed unless X11 forwarding is enabled for the connection.

Note that some vendors ship OpenSSH with X11 forwarding disabled by
default *in the client*, which may be why you did not observe the
problem on FreeBSD.  Be sure to use the "-X" option to ssh to enable X11
forwarding in the client, and make sure you're testing from a client
where $DISPLAY is pointing at an X server.  The $XAUTHORITY environment
variable will give the pathname to the file which is unlink()'d when the
connection is closed.

(For those who merely tried the literal commands submitted by
zen-parse () gmx net, note also that the directory to be 'rm -r'd  isn't
simply "/tmp/ssh-XXW9hNY9", but will depend on the value of that
XAUTHORITY variable; it will be different for each ssh connection.)

Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast () cs toronto edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]