Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.164 -- FreeBSD-SA-00:30.openssh OpenSSH UseLogin directive permits remote root access 7 July 2000 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenSSH Vendor: FreeBSD Operating System: FreeBSD Linux Unix Platform: N/A Impact: Root Compromise Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:30 Security Advisory FreeBSD, Inc. Topic: OpenSSH UseLogin directive permits remote root access Category: core Module: openssh Announced: 2000-07-05 Credits: Markus Friedl <markus@OpenBSD.org> Affects: FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE and 5.0-CURRENT prior to the correction date Corrected: 2000-06-11 Vendor status: Disclosed vulnerability. FreeBSD only: NO I. Background OpenSSH is an implementation of the SSH1 (and SSH2 in later versions) secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. II. Problem Description The sshd server is typically invoked as root so it can manage general user logins. OpenSSH has a configuration option, not enabled by default ("UseLogin") which specifies that user logins should be done via the /usr/bin/login command instead of handled internally. OpenSSH also has a facility to enable remote users to execute commands on the server non-interactively. In this case, the UseLogin directive fails to correctly drop root privileges before executing the command, meaning that remote users without root access can execute commands on the local system as root. Note that with the default configuration, OpenSSH is not vulnerable to this problem, and this option is not needed for the vast majority of systems. OpenSSH is installed if you chose to install the 'crypto' distribution at install-time or when compiling from source, and you either have the international RSA libraries or installed the RSAREF port. III. Impact If your sshd configuration was modified to enable the 'UseLogin' directive then remote users with SSH access to the local machine can execute arbitrary commands as root. IV. Workaround Set 'UseLogin No' in your /etc/ssh/sshd_config file and restart the SSH server by issuing the following command as root: # kill -HUP `cat /var/run/sshd.pid` This will cause the parent process to respawn and reread its configuration file, and should not interfere with existing SSH sessions. Note that a bug in sshd (discovered during preparation of this advisory, fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as of 2000-07-03) means that it will fail to restart correctly unless it was originally invoked with an absolute path (i.e. "/usr/sbin/sshd" instead of "sshd"). Therefore you should verify that the server is still running after you deliver the HUP signal: # ps -p `cat /var/run/sshd.pid` PID TT STAT TIME COMMAND 2110 ?? Ss 0:00.97 /usr/sbin/sshd If the server is no longer running, restart it by issuing the following command as root: # /usr/sbin/sshd V. Solution One of the following: 1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the correction date. Note that these versions of FreeBSD contain a newer version of OpenSSH than was in 4.0-RELEASE, version 2.1, which provides enhanced functionality including support for the SSH2 protocol and DSA keys. 2) Save this advisory as a file and extract the relevant patch for your version of FreeBSD, or download the relevant patch and detached PGP signature from the following location: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: # cd /usr/src/crypto/openssh # patch -p < /path/to/patch/or/advisory # cd /usr/src/secure/lib/libssh # make all # cd /usr/src/secure/usr.sbin/sshd # make all install # kill -HUP `cat /var/run/sshd.pid` See the note in the "Workarounds" section about verifying that the sshd server is still running. VI. Patch Index: sshd.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v retrieving revision 1.6 diff -u -r1.6 sshd.c --- sshd.c 2000/03/09 14:52:31 1.6 +++ sshd.c 2000/07/04 03:40:46 @@ -2564,7 +2564,13 @@ char *argv[10]; #ifdef LOGIN_CAP login_cap_t *lc; +#endif + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + +#ifdef LOGIN_CAP lc = login_getpwclass(pw); if (lc == NULL) lc = login_getclassbyname(NULL, pw); - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWPAn1UuHi5z0oilAQEt8QP+KlhsdMVqBjI6mhO/opnpIr+vFo5zxu4R rhPwSfyXf/ufRPcJbiQFjBlHwQWaOnt2N3w6MJYI4qNySPHmqIa1Cnxv8Em0K/ke wdFr8sXOZiqgBbu1aJRSsB+5Vc/TQFdHcY/QGwpUIUGYkDvEYcp46iDpQgiS41BW 9hRgZIgcigo= =nEJ0 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOXXT7Ch9+71yA2DNAQEYLAP/Re8SlFFybvcMLWhvUxtVE9y8auh5odYB AeP9WnZ4fgskJ6D2QpqBFm6bh+w9OLeUbVhHkTlu5TgkjbyoPdiZO3d4kqjNa10Q wwyUy6GnNJKTV6GVxddnkODj9QH7WanzIrfns9jkVyHK8EXSoMxLuNyBiB8VSIDm EILXy5p9kpg= =Ttwk -----END PGP SIGNATURE-----