Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.531 -- FreeBSD-SA-01:63.openssh [REVISED]
OpenSSH UseLogin directive permits privilege escalation
11 December 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSH
Vendor: FreeBSD
Operating System: FreeBSD 4.3-RELEASE
FreeBSD 4.4-RELEASE
FreeBSD 4.4-STABLE prior to the correction date
Impact: Root Compromise
Execute Arbitrary Code/Commands
Access Required: Existing Account
Ref: ESB-2001.520
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:63 Security Advisory
FreeBSD, Inc.
Topic: OpenSSH UseLogin directive permits privilege escalation
[REVISED]
Category: core/ports
Module: openssh
Announced: 2001-12-02
Revised: 2001-12-06
Credits: Markus Friedl <markus@OpenBSD.org>
Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE
FreeBSD 4.4-STABLE prior to the correction date
Ports collection prior to the correction date
Corrected: 2001-12-03 00:53:28 UTC (RELENG_4)
2001-12-03 00:54:18 UTC (RELENG_4_4)
2001-12-03 00:54:54 UTC (RELENG_4_3)
2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only: NO
0. Revision History
v1.0 2001-12-02 Initial release
v1.1 2001-07-31 Corrected patch instructions
I. Background
OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use. Versions of OpenSSH are
included in the FreeBSD ports collection and the FreeBSD base system.
II. Problem Description
OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication. These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server. This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.
However, when the OpenSSH server `sshd' is configured to use
the system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges. Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.
All versions of FreeBSD 4.x prior to the correction date including
FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
However, the OpenSSH server is configured to not use the system login
program (`UseLogin no') by default, and is therefore not vulnerable
unless the system administrator has changed this setting.
In addition, there are two versions of OpenSSH included in the
ports collection. One is ports/security/openssh, which is the
BSD-specific version of OpenSSH. Versions of this port prior to
openssh-3.0.2 exhibit the problem described above. The other is
ports/security/openssh-portable, which is not vulnerable, even if the
server is set to `UseLogin yes'.
III. Impact
Hostile but otherwise legitimate users that can successfully
authenticate using public key authentication may cause /usr/bin/login
to run arbitrary code as the superuser.
If you have not enabled the 'UseLogin' directive in the sshd
configuration file, you are not vulnerable to this problem.
IV. Workaround
Doing one of the following will eliminate the vulnerability:
1) Configure sshd to not use the system login program. Edit the
server configuration file and change any `UseLogin' directives
to `UseLogin no'. This is the preferred workaround.
2) If for whatever reason, disabling `UseLogin' is not possible,
then one can instead disable public key authentication. Edit the
server configuration file and change any `RSAAuthentication',
`DSAAuthentication', or `PubKeyAuthentication' directives
to `RSAAuthentication no', `DSAAuthentication no', and
`PubKeyAuthentication no', respectively.
For sshd included in the base system (/usr/bin/sshd), the
server configuration file is `/etc/ssh/sshd_config'. For sshd
from the ports collection, the server configuration file is
`/usr/local/etc/sshd_config'.
After modifying the sshd configuration file, the sshd daemon must be
restarted by executing the following command as root:
# kill -HUP `cat /var/run/sshd.pid`
V. Solution
1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or
4.4-STABLE after the correction date, or patch your current system
source code and rebuild.
2) FreeBSD 4.x systems prior to the correction date:
The following patch has been verified to apply to FreeBSD
4.3-RELEASE, 4.4-RELEASE, and 4.4-STABLE dated prior to the
correction date. It may or may not apply to older, unsupported
versions of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc
Execute the following commands as root:
# cd /usr/src/crypto/openssh
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
3) FreeBSD 4.4-RELEASE systems:
An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.4-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.
If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.
During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state. In addition, the package automatically restarts
the sshd daemon if it is running.
Three versions of the upgrade package are available, depending on
whether or not the system has the kerberosIV or kerberos5
distributions installed.
3a) For systems without kerberosIV or kerberos5 installed:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-01.63.tgz
3b) For systems with kerberosIV only installed:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberosIV-01.63.tgz
3c) For systems with kerberos5 only installed:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberos5-01.63.tgz
3d) For systems with both kerberosIV and kerberos5 installed:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc
Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz
[Ports collection]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.
3) Download a new port skeleton for the openssh port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
Path Revision
Branch
- - -------------------------------------------------------------------------
src/crypto/openssh/session.c
HEAD 1.18
RELENG_4 1.4.2.11
RELENG_4_4 1.4.2.8.4.1
RELENG_4_3 1.4.2.8.2.1
src/crypto/openssh/version.h
HEAD 1.9
RELENG_4 1.1.1.1.2.7
RELENG_4_4 1.1.1.1.2.5.2.1
RELENG_4_3 1.1.1.1.2.4.2.1
ports/security/openssh/Makefile 1.79
- - -------------------------------------------------------------------------
For OpenSSH included in the base system, there is a version string
indicating which FreeBSD localizations are available. The following
table lists the version strings for each branch which include this
security fix:
Branch Version string
- - -------------------------------------------------------------------------
HEAD OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4 OpenSSH_2.9 FreeBSD localisations 20011202
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20011202
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20011202
- - -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the following
command:
% /usr/sbin/sshd -?
The version string is also displayed when a client connects to the
server.
VII. References
<URL:http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c#rev1.110>
- -----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp
iQCVAwUBPBC1VlUuHi5z0oilAQHNQAQAhKLEjAAb5W7HMnqbNpKJWSsPQKDuspYB
N76xiTuzNmS1EFQXgoTlCFD3GZtXsBiiXImxUemyvCA+7yqhhVJIoz43JUa6ts/y
1/KES4LVO1PS/HMBgaywbX5zdtdUzMe1kBVkE6FJeMHQN6RFdOPKe9a2Kx41GlvC
9naCzrq/Pg4=
=w2iN
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPBXelih9+71yA2DNAQGuAgP/X/JpQPPDvZFkzD5kaqHBpTJ6VQhklwEt
tuNRVqeai9ROBvY4UINX5IkWVhMQwOwVtr7PaH+r0VkInQYfBl/Y9px/KJ1bD4oM
HXOMdcpIPc7v8EJhzG1CpQB+D4X2hBBLrdET3ndhlagpNCoFgcGIoiprzVYrX7x9
cIWU1LirlfM=
=gUdC
-----END PGP SIGNATURE-----