SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(Immunix Issues Fix) OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server
SecurityTracker Alert ID:  1002568
SecurityTracker URL:  http://securitytracker.com/id/1002568
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 18 2001
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.9, 2.9p2
Description:   A vulnerability was reported in OpenSSH's sftp-server subsystem. Under certain configuration conditions, an authorized remote user can gain additional access on the server.

It is reported that when keypairs and the ~/.ssh/authorized_keys2 file are used to enable remote execution of commands via OpenSSH's sshd and sshd is configured to provide sftp service via the sftp-server subsystem, this vulnerability can be triggered. Authorized remote users with access permitted via "restricted" keypairs can apparently gain additional access on the server side. The report notes that, in most cases, sftp can be used, regardless of various restrictions. An authorized remote user can circumvent the authorized_keys2 command= restriction and other restrictions (e.g., obtaining the regular shell access that the server was configured to deny it).

OpenSSH's sftp implementation includes commands to get, replace, delete, change permissions, and change ownership of files/directories.

It is reported that OpenSSH 2.9 and 2.9p2 have the sftp subsystem enabled by default.

Impact:   An authorized remote user with access permitted via 'restricted' keypairs can use the sftp subsystem, regardless of various restrictions. This allows the remote user to access the server and view, replace, and delete files and change permissions and ownership of files and directories on the server.
Solution:   The vendor has released a fix. Precompiled binary packages for Immunix 7.0 are reportedly available at: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm

Source package for Immunix 7.0 is available at:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm

Immunix OS 7.0 md5sums:
53ce20e6fea913265b81fe8ac38da5ab RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
c1262b10f768266c3d9d61199a972974 RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
4b9fdeee5dbd1539aff217fafd6bb14d RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
e3963cb9219dc6f8382f9bb1737a586e RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
d9d77da287fb88f96164b910917650a6 SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm

See the Source Message for the vendor's advisory containing additional directions on how to obtain and apply the appropriate fix.

Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 20 2001 OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server



 Source Message Contents

Subject:  [Immunix-announce] Immunix OS update for OpenSSH



--uAKRQypu60I7Lcqm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	openssh
Affected products:	Immunix OS 7.0 and 6.2
Bugs fixed:		immunix/1621, immunix/1706, immunix/1747
Date:			Wed Oct 17 2001
Advisory ID:		IMNX-2001-70-034-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  This release fixes several issues; two of moderate severity, and one
  of slight severity. First, Peter W found that command restrictions
  placed on keys did not apply to subsystems such as sftp, essentially
  allowing users to bypass the command restrictions placed upon the key.
  Second, the OpenSSH team found that IP source restrictions could be
  bypassed when the authorized_keys file contained both RSA and DSA
  keys. Last, zen-parse found that any file named 'cookies' could be
  deleted remotely.

  While Solar Designer's Openwall kernel patch prevents the third
  problem from being exploited, the first two problems are likely
  exploitable on Immunix OS computers, depending upon the local
  configuration. OpenSSH release 2.9.9p2 fixes all three problems.

  We recommend all users should upgrade OpenSSH. Markus notes in the
  third reference some possible incompatibilities between version
  2.9.9p2 and previous versions.

  References:
  http://www.securityfocus.com/archive/1/188450
  http://www.securityfocus.com/archive/1/214921
  http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100153847110859&w=2

Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm 
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm 
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm 
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm

  Source package for Immunix 7.0 is available at:
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm

Immunix OS 7.0 md5sums:
53ce20e6fea913265b81fe8ac38da5ab  RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
c1262b10f768266c3d9d61199a972974  RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
4b9fdeee5dbd1539aff217fafd6bb14d  RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
e3963cb9219dc6f8382f9bb1737a586e  RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
d9d77da287fb88f96164b910917650a6  SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm


GPG verification:                                                               
  Our public key is available at <http://wirex.com/security/GPG_KEY>.           
  *** NOTE *** This key is different from the one used in advisories            
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

--uAKRQypu60I7Lcqm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjvOPbAACgkQVQcWL60UVMt30QCfQem7yXaAMWQHAQFtsI3s/lXo
x9wAoJZ5+o+bRHdKRPNGWXIMkrIeHIq2
=sDVW
-----END PGP SIGNATURE-----

--uAKRQypu60I7Lcqm--

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC