Damien Miller
2000-Jun-09 22:56 UTC
OpenSSH's UseLogin option allows remote access with root privilege. (fwd)
-- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) ---------- Forwarded message ---------- Date: Fri, 9 Jun 2000 17:06:30 +0200 From: Markus Friedl <markus.friedl at informatik.uni-erlangen.de> To: BUGTRAQ at SECURITYFOCUS.COM, misc at openbsd.org, openssh-unix-dev at mindrot.org Subject: OpenSSH's UseLogin option allows remote access with root privilege. OpenSSH's UseLogin option allows remote access with root privilege. 1. Systems affected: The default installation of OpenSSH is not vulnerable, since UseLogin defaults to 'no'. However, if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are affected. 2. Description: If the UseLogin option is enabled the OpenSSH server (sshd) does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution login(1) cannot be used and sshd fails to set the correct user id. The command is run with the same privilege as sshd (usually with root privilege). 3. Impact: If the administrator enables UseLogin users can get privileged access to the server running sshd. 4. Short Term Solution: Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config: UseLogin no 5. Solution: Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from www.openssh.com. Appendix: 1. OpenSSH-1.2.2 --- sshd.c.orig Thu Jan 20 18:58:39 2000 +++ sshd.c Tue Jun 6 10:12:00 2000 @@ -2231,6 +2231,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 2. OpenSSH-1.2.3 --- sshd.c.orig Mon Mar 6 22:11:17 2000 +++ sshd.c Tue Jun 6 10:14:07 2000 @@ -2250,6 +2250,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 3. OpenSSH-2.1.0 --- session.c.orig Wed May 3 20:03:07 2000 +++ session.c Tue Jun 6 10:10:50 2000 @@ -744,6 +744,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ EOF