Damien Miller
2003-Apr-30 03:39 UTC
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
1. Systems affected:

   Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
   if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

   Please note that the IBM-supplied OpenSSH packages[1] are not
   vulnerable.

2. Description:

   The default behavior of the runtime linker on AIX is to search
   the current directory for dynamic libraries before searching
   system paths. This is done regardless of the executable's
   set[ug]id status.

   This behavior is insecure and extremely dangerous. It allows an
   attacker to locally escalate their privilege level through the
   use of replacement libraries.

   Portable OpenSSH includes configure logic to override this broken
   behavior, but only for the native compiler. gcc uses a different
   command-line option (without changing the dangerous default
   behavior).

3. Impact:

   Privilege escalation by local users.

4. Short-term workaround:

   Remove any set[ug]id bits from the installed binaries, usually
   'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH may also
   install the 'ssh' binary as setuid.

   Please note that removing the setuid bit from ssh-keysign will
   disable hostbased authentication.

   Portable OpenSSH 3.6.1p2 uses the correct compiler flags to avoid
   the dangerous linker behavior.

5. Solution:

   For the problem to be solved, the AIX linker must be changed to
   only search system paths by default and never search the current
   directory or user-specified paths for set[ug]id programs.

   We consider this a serious flaw in IBM's linker, and urge them to
   fix it immediately. IBM, are you listening?

6. Credits:

   Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
   issue to our attention. Darren Tucker <dtucker at zip.com.au>
   contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi
Darren Tucker
2003-Apr-30 08:29 UTC
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
Damien Miller wrote:
> 1. Systems affected:
> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

Hi All.

For the last year or so I've published OpenSSH binary packages for AIX at [1]. I would like to advise all users of these packages that all versions up to and including the 3.6.1p1 version *are* affected by this and have been removed.

A patched version (3.6.1p1-1) is available which addresses this issue. I urge all users of these packages to upgrade or apply the workaround immediately.

-Daz.

[1] http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Denise Genty
2003-Apr-30 13:53 UTC
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
Damien Miller wrote:
> 5. Solution:
>
> For the problem to be solved, the AIX linker must be changed to
> only search system paths by default and never search the current
> directory or user-specified paths for set[ug]id programs.
>
> We consider this a serious flaw in IBM's linker, and urge
> them to fix it immediately. IBM, are you listening?

Hey man, we're listening -- I just need to figure out who to contact about the problem.

--
Denise M. Genty
genty at austin.ibm.com
(512)838-8170 - T/L 678-8170
AIX Network Security Development
Server Division, pSeries
Valdis.Kletnieks at vt.edu
2003-Apr-30 18:09 UTC
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm at mindrot.org> said:
> 1. Systems affected:
>
> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

This is the same problem as I spotted in Sendmail 8.10. Basically, somewhere, linking is being done with "-L. -lfoo" or similar (in sendmail's case, it was -L../otherdir type stuff).

Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib" or similar.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
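The advisory's workaround (strip the set[ug]id bits) and Valdis' link-time fix (record only system paths with -blibpath) both hinge on one question an AIX administrator has to answer per binary: what library search path is actually baked into it? The script below is an added example, not code from the advisory, the thread's authors or the OpenSSH project. It parses the loader-section listing that `dump -H <binary>` prints on AIX and flags the libpath entries that make a privileged binary exploitable by a replacement library: ".", empty components (treated conservatively as equivalent to ".") and relative directories. The two `dump -H` listings are constructed samples laid out like that command's output so the script runs anywhere; the assumption that the index-0 entry of the "Import File Strings" table carries the libpath in its PATH column is mine, and so is the gcc-built sample's path of `-L` directories.

```shell
#!/bin/sh
# Added example (not from the OpenSSH advisory or its authors): audit the
# library search path (libpath) recorded in an AIX binary's loader section
# for the entries that let a local user plant a replacement library in front
# of a set[ug]id program.
#
# On AIX the libpath is displayed by `dump -H <binary>`. The two listings
# below are CONSTRUCTED to match that output's layout; assumption: the
# index-0 row of the "Import File Strings" table holds the libpath.

# Constructed: what a gcc-built binary linked with `-L. -L../lib` records
# when no -blibpath is given (the linker keeps the -L directories).
SAMPLE_GCC_DEFAULT='ssh-keysign:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x0000003c       0x000001e0       0x0000005f

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:../lib:/usr/local/lib:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libz.a              shr.o'

# Constructed: the same binary relinked with Valdis'"'"' flags. For the native
# compiler the linker option is passed directly; gcc needs -Wl, in front:
#   xlc/cc:  -bnolibpath -blibpath:/usr/local/lib:/usr/lib:/lib
#   gcc:     -Wl,-bnolibpath -Wl,-blibpath:/usr/local/lib:/usr/lib:/lib
SAMPLE_FIXED='ssh-keysign:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x0000003c       0x000001e0       0x0000005f

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/local/lib:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libz.a              shr.o'

# extract_libpath DUMP_TEXT: print the colon-separated libpath found in the
# index-0 row after the "Import File Strings" header (empty if none).
extract_libpath() {
    printf '%s\n' "$1" | awk '
        /\*\*\*Import File Strings\*\*\*/ { in_strings = 1; next }
        in_strings && $1 == "0"           { print $2; exit }'
}

# check_libpath LIBPATH: print one line per dangerous component and return
# non-zero if any was found. Dangerous: "." and "" (the current working
# directory of whoever runs the binary) and any path not starting with "/",
# which the loader resolves relative to that same directory.
check_libpath() {
    _rest="$1:"          # trailing ':' so the last component is processed too
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            ''|.)  echo "DANGEROUS: current directory entry '$_entry'"; _bad=1 ;;
            /*)    ;;    # absolute path: acceptable
            *)     echo "DANGEROUS: relative path '$_entry'"; _bad=1 ;;
        esac
    done
    return $_bad
}

# audit_dump DUMP_TEXT: end-to-end check of one `dump -H` listing.
# Returns 0 (safe), 1 (dangerous entries) or 2 (no libpath row found).
audit_dump() {
    _lp=$(extract_libpath "$1")
    if [ -z "$_lp" ]; then
        echo "no libpath recorded in the loader section"
        return 2
    fi
    echo "libpath: $_lp"
    check_libpath "$_lp"
}

# Stand-alone run over the two constructed listings. On a real AIX host:
#   find / -perm -4000 -type f 2>/dev/null | while read -r f; do
#       audit_dump "$(dump -H "$f")" || echo "-> $f should not be set[ug]id"
#   done
for _sample in "$SAMPLE_GCC_DEFAULT" "$SAMPLE_FIXED"; do
    audit_dump "$_sample" || echo "-> unsafe for a set[ug]id binary"
    echo
done
```

Run against every set[ug]id binary on the host, this gives the list on which the advisory's workaround actually needs to be applied; after relinking with -blibpath, rerunning it confirms that only absolute system directories remain in the loader section.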
Shiva Persaud
2003-May-01 18:06 UTC
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
Taken from IBM's AIX vendor response (http://lists.insecure.org/lists/bugtraq/2000/Mar/0184.html) to this issue when discussed in 2000:

<BEGIN>
The AIX version 4 linker has always documented the -blibpath option as a mechanism for removing build environment dependencies from a runtime environment. Applications that gain privilege should always use this option to remove library search paths that may not/should not exist on customer machines.

The use of relative library paths is also highly discouraged. While they can be useful, the -blibpath option should also be used to not only avoid these types of security issues, but to remove the possibility of finding (or not finding at all) the wrong relative directory, since relative paths at runtime will be based upon the current working directory.

These and any other AIX security vulnerabilities can be reported to security-alert at austin.ibm.com.
</END>

Shiva Persaud
AIX Security Developer

Damien Miller <djm at mindrot.org> wrote on 04/29/2003 10:39 PM (To: BUGTRAQ at securityfocus.com, openssh-unix-dev at mindrot.org, openssh-unix-announce at mindrot.org; Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)):

> 2. Description:
>
> The default behavior of the runtime linker on AIX is to search the
> current directory for dynamic libraries before searching system
> paths. This is done regardless of the executable's set[ug]id status.
>
> This behavior is insecure and extremely dangerous. It allows an
> attacker to locally escalate their privilege level through the use
> of replacement libraries.
>
> Portable OpenSSH includes configure logic to override this broken
> behavior, but only for the native compiler. gcc uses a different
> command-line option (without changing the dangerous default behavior).