COMMAND
OpenSSH
SYSTEMS AFFECTED
See below
PROBLEM
Markus Friedl found the following. OpenSSH's UseLogin option allows
remote access with root privilege. The default installation of
OpenSSH is not vulnerable, since UseLogin defaults to 'no'.
However, if UseLogin is enabled, all versions of OpenSSH prior to
2.1.1 are affected.
If the UseLogin option is enabled, the OpenSSH server (sshd) does
not switch to the uid of the user logging in; instead, sshd
relies on login(1) to do the job. However, if the user specifies
a command for remote execution, login(1) cannot be used and sshd
fails to set the correct user id. The command is then run with the
same privilege as sshd (usually root).
If the administrator enables UseLogin, users can get privileged
access to the server running sshd.
SOLUTION
Do not enable UseLogin on your machines, or disable it again
in /etc/sshd_config:
UseLogin no
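As an added example (not part of the advisory and not OpenSSH code), a small Python checker that reads sshd_config text and reports whether the mitigation above is in effect. The sample configs are constructed, and the checker assumes sshd's first-occurrence-wins handling of a repeated keyword.

```python
import re

# Constructed sample sshd_config fragments (not taken from the advisory).
VULNERABLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
UseLogin yes
PermitRootLogin no
"""

FIXED_CONFIG = """\
# sshd_config (constructed sample)
Port 22
UseLogin no
# a later duplicate does not re-enable it: sshd keeps the first value
UseLogin yes
"""

# keyword, optional whitespace, optional '=', optional whitespace, value
DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(\S+)")

def effective_use_login(config_text):
    """Return (enabled, line_no) for the UseLogin directive in sshd_config text.

    Mirrors how sshd reads this keyword: '#' starts a comment, the keyword is
    case-insensitive, and the first occurrence is the one that takes effect
    (servconf.c ignores later duplicates; assumed here, stated so it can be
    checked). A missing directive means the default, 'no'.
    """
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m is None or m.group(1).lower() != "uselogin":
            continue
        value = m.group(2).lower()
        if value not in ("yes", "no"):
            raise ValueError("line %d: bad UseLogin value %r" % (line_no, value))
        return value == "yes", line_no
    return False, None

def report(config_text):
    """One-line verdict; the mitigation from the advisory is 'UseLogin no'."""
    enabled, line_no = effective_use_login(config_text)
    if enabled:
        return "VULNERABLE: UseLogin enabled at line %d; set 'UseLogin no'" % line_no
    return "ok: UseLogin is off (%s)" % ("line %d" % line_no if line_no else "default")
```

Run it against the real file with `report(open("/etc/sshd_config").read())` (or the /etc/ssh/ path mentioned for FreeBSD below).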
Upgrade to OpenSSH-2.1.1 or apply the attached patch (2.1.2):
--- sshd.c.orig Thu Jan 20 18:58:39 2000
+++ sshd.c Tue Jun 6 10:12:00 2000
@@ -2231,6 +2231,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
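Review bot: the inserted check clears options.use_login before the /etc/nologin test, so a session that carries a command now takes sshd's own uid-switching path instead of the login(1) path that skips it; the comment says when login(1) is called but not why the flag is cleared here, so consider extending it to state that with use_login off the code that follows sets the user's uid itself. A debug-level log line noting that UseLogin was ignored for a command session would also help an administrator see why login(1) did not run.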
OpenSSH-1.2.3:
--- sshd.c.orig Mon Mar 6 22:11:17 2000
+++ sshd.c Tue Jun 6 10:14:07 2000
@@ -2250,6 +2250,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
OpenSSH-2.1.0:
--- session.c.orig Wed May 3 20:03:07 2000
+++ session.c Tue Jun 6 10:10:50 2000
@@ -744,6 +744,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
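Review bot: this is the same three-line change as the two sshd.c hunks above, applied in session.c for OpenSSH-2.1.0 where this code now lives; anyone applying it should note that the offsets (@@ -744) come from the OpenBSD tree, so on the portable release patch(1) will have to locate the hunk by its context lines.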
The patches above are for the OpenBSD version, not the portable
version. Updated Red Hat Linux packages are now available at
ftp://ftp.redhat.de/pub/rh-addons/security/current
Direct download links to updated packages for Conectiva Linux:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm
: 2000-06-11
For FreeBSD set 'UseLogin No' in your /etc/ssh/sshd_config file
and restart the SSH server by issuing the following command as
root:
# kill -HUP `cat /var/run/sshd.pid`
This will cause the parent process to respawn and reread its
configuration file, and should not interfere with existing SSH
sessions. Note that a bug in sshd (discovered during preparation
of this advisory, fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as
of 2000-07-03) means that it will fail to restart correctly unless
it was originally invoked with an absolute path (i.e.
"/usr/sbin/sshd" instead of "sshd"). Therefore you should verify
that the server is still running after you deliver the HUP signal:
# ps -p `cat /var/run/sshd.pid`
PID TT STAT TIME COMMAND
2110 ?? Ss 0:00.97 /usr/sbin/sshd
If the server is no longer running, restart it by issuing the
following command as root:
# /usr/sbin/sshd
The solution is one of the following:
1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the
correction date. Note that these versions of FreeBSD contain
a newer version of OpenSSH than was in 4.0-RELEASE, version
2.1, which provides enhanced functionality including support
for the SSH2 protocol and DSA keys.
2) Save this advisory as a file and extract the relevant patch for
your version of FreeBSD, or download the relevant patch and
detached PGP signature from the following location:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc
Verify the detached signature using your PGP utility.
Issue the following commands as root:
# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch/or/advisory
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.sbin/sshd
# make all install
# kill -HUP `cat /var/run/sshd.pid`
Patch:
Index: sshd.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
retrieving revision 1.6
diff -u -r1.6 sshd.c
--- sshd.c 2000/03/09 14:52:31 1.6
+++ sshd.c 2000/07/04 03:40:46
@@ -2564,7 +2564,13 @@
char *argv[10];
#ifdef LOGIN_CAP
login_cap_t *lc;
+#endif
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
+#ifdef LOGIN_CAP
lc = login_getpwclass(pw);
if (lc == NULL)
lc = login_getclassbyname(NULL, pw);
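Review bot: the #ifdef LOGIN_CAP block is closed and reopened around the new check rather than the check being placed inside it; that is the right call, since `login_cap_t *lc;` is a declaration and the new `if` is a statement (declarations first in this C89-style code), and putting the check inside the existing #ifdef would leave builds without LOGIN_CAP unfixed. A one-line comment saying why the conditional block is split would keep a later cleanup from merging it back together.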