SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
SecurityTracker Alert ID:  1002895
SecurityTracker URL:  http://securitytracker.com/id/1002895
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Dec 10 2001
Original Entry Date:  Dec 4 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0.1 and prior
Description:   A vulnerability was reported in OpenSSH that may allow a local user to cause arbitrary commands to be executed with root level privileges, giving the user root level access on the system.

The vulnerability reportedly resides in the UseLogin option of OpenSSH. This option is apparently not part of the default configuration. A local user can pass environment variables (e.g. LD_PRELOAD) to the login process, which is run with the same privilege as sshd (typically this is a root level process). This could allow a local user to cause arbitrary commands to be executed with root level privileges, giving the local user root access on the system.

Impact:   A local user could cause arbitrary commands to be executed with root level privileges, giving the local user root access on the system.
Solution:   The vendor has released a fix (OpenSSH 3.0.2). It will be available from the various OpenSSH mirror sites listed at http://www.openssh.com/ shortly. A patch is included in the Source Message.

As a workaround, the vendor recommends not enabling UseLogin or, if it is already enabled, disabling it in /etc/sshd_config with the following line:

UseLogin no
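
One way to check a host against this workaround and the fixed release, as an added example that is not part of the advisory or of the OpenSSH project's code. It assumes sshd keeps the first value it reads for a repeated keyword and matches keywords case-insensitively; the function names, verdict strings and sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a host for the UseLogin exposure described above.
# Function names, verdict strings and the sample config are constructed.

# Print the effective UseLogin setting: yes, no, invalid, or unset (default off).
# Assumption: sshd keeps the first value read for a repeated keyword and
# matches keywords case-insensitively; "true"/"false" are treated as yes/no.
uselogin_value() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, tolerate key=value
        !seen && tolower($1) == "uselogin" {
            seen = 1; v = tolower($2)
            if (v == "yes" || v == "true") print "yes"
            else if (v == "no" || v == "false") print "no"
            else print "invalid"
        }
        END { if (!seen) print "unset" }
    ' "$1"
}

# Succeed (exit 0) if an OpenSSH version such as "3.0.1p1" predates 3.0.2.
older_than_fix() {
    echo "$1" | awk '{
        sub(/p.*/, "")                       # strip the portable suffix
        split($0, v, ".")
        a = v[1] + 0; b = v[2] + 0; c = v[3] + 0
        exit !(a < 3 || (a == 3 && b == 0 && c < 2))
    }'
}

# usage: assess <sshd_config path> <OpenSSH version>
assess() {
    case "$(uselogin_value "$1")" in
        yes)     if older_than_fix "$2"; then echo "VULNERABLE"
                 else echo "PATCHED"; fi ;;
        invalid) echo "REVIEW" ;;
        *)       echo "NOT-ENABLED" ;;
    esac
}

# Constructed sample: a commented-out default, then UseLogin switched on.
demo_cfg=$(mktemp)
printf '%s\n' '#UseLogin no' 'Port 22' 'uselogin Yes' 'UseLogin no' > "$demo_cfg"
assess "$demo_cfg" "3.0.1p1"
rm -f "$demo_cfg"
```

Run `assess /etc/sshd_config <version>` with the version reported by `ssh -V`; a REVIEW verdict means the UseLogin value was not one of yes, no, true or false.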

Vendor URL:  www.openssh.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(FreeBSD Issues Fix With Corrected Patch Instructions) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix for FreeBSD that contains corrected patch instructions.
(Red Hat Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix for Red Hat Linux.
(Debian Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
Debian has released a fix.
(HP Issues Fix for HP Secure OS for Linux) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix.
(Caldera Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix.
(Conectiva Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix.
(Mandrake Issues Fix) Re: OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
Mandrake has issued a fix.
(Trustix Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix.
(Turbolinux Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
The vendor has released a fix.
(Apple Issues Fix for Mac OS X) Re: OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
Apple has issued a fix for Mac OS X.



 Source Message Contents

Subject:  OpenSSH 3.0.2 fixes UseLogin vulnerability


OpenSSH 3.0.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Important Changes:
==================

        This release fixes a vulnerability in the UseLogin option
        of OpenSSH.  This option is not enabled in the default
        installation of OpenSSH.

        However, if UseLogin is enabled by the administrator, all
        versions of OpenSSH prior to 3.0.2 may be vulnerable to
        local attacks.

        The vulnerability allows local users to pass environment
        variables (e.g. LD_PRELOAD) to the login process.  The login
        process is run with the same privilege as sshd (usually
        with root privilege).

        Do not enable UseLogin on your machines or disable UseLogin
        again in /etc/sshd_config:
		UseLogin no

We also have received many reports about attacks against the crc32
bug.  This bug has been fixed about 12 months ago in OpenSSH 2.3.0.
However, these attacks cause non-vulnerable daemons to chew a lot
of cpu since the crc32 attack sends a tremendously large amount of
data which must be processed.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.



The following patch fixes the UseLogin vulnerability in OpenSSH 3.0.1 and
earlier releases.

--- session.c	11 Oct 2001 13:45:21 -0000	1.108
+++ session.c	1 Dec 2001 22:14:39 -0000
@@ -875,6 +875,7 @@
 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
 	/* Set custom environment options from RSA authentication. */
+	if (!options.use_login)
 	while (custom_environment) {
 		struct envstring *ce = custom_environment;
 		char *s = ce->s;
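
Review bot: the added `if (!options.use_login)` controls the entire `while (custom_environment)` loop, but it is written without braces and at the same indentation as the loop, so the dependency is easy to overlook and breaks silently if a statement is later inserted between the two lines. Wrap the loop in `if (!options.use_login) { ... }` and indent it accordingly. The comment above the guard ("Set custom environment options from RSA authentication") should also say that these user-supplied entries are deliberately withheld when UseLogin is set, because login runs with sshd's privilege.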




 
 



Copyright 2022, SecurityGlobal.net LLC