SecurityTracker.com
Category:   Application (Security)  >   SSH Vendors:   SSH Communications
SSH Communications SSH Secure Shell Process Grouping Flaw in setsid() May Let Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1005703
SecurityTracker URL:  http://securitytracker.com/id/1005703
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 25 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.13 - 3.2.1
Description:   A vulnerability was reported in SSH Secure Shell for UNIX/Linux from SSH Communications. A remote or local authenticated user could gain elevated privileges on the system.

It is reported that, when used in non-interactive connections, a flaw in the process grouping of SSH Secure Shell processes may allow malicious activity. When a command is executed without a pty (including running commands and subsystems), the resulting child process will reportedly remain in the process group of the master process.
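The session separation this flaw turns on, as an added example (not SSH Secure Shell source code): a child forked for a non-pty command stays in the parent's session unless it calls setsid(). The function name child_has_own_session and its exit-code convention are assumptions of the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child the way a server would before running a command without a
 * pty. Returns 1 if the child leads its own session, 0 if it still shares
 * the parent's session, -1 on error. call_setsid selects the corrected
 * behaviour (1) or the flawed one (0). */
int child_has_own_session(int call_setsid)
{
    pid_t parent_sid = getsid(0);
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: detach from the parent's session before doing anything
         * on behalf of the user. On BSD systems setlogin(2) changes the
         * login name of the whole session, so a child left in the
         * parent's session shares that state with it. */
        if (call_setsid && setsid() < 0)
            _exit(2);
        pid_t sid = getsid(0);
        /* A real server would exec the user's command at this point. */
        _exit(sid == getpid() && sid != parent_sid ? 1 : 0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    printf("without setsid(): child has own session = %d\n",
           child_has_own_session(0));
    printf("with setsid():    child has own session = %d\n",
           child_has_own_session(1));
    return 0;
}
```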

An authenticated user can set the login name to an arbitrary name (e.g., "root"). Then, any application that trusts the login name and does not check the user ID (uid) or effective user ID (euid) could be spoofed. This can be exploited on BSD variants to send messages to syslog and other applications with the wrong login name.

The vendor notes that an exploit that forges log entries is known to exist. However, the vendor is not aware of any known root exploits at this time. A root exploit may be possible if, for example, a set user id (setuid) application relies on the output of the getlogin() function, according to the report.
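An added example, not taken from the vendor advisory, of the check such an application should make: privilege is decided from the real UID, and the login name is treated only as a claim to cross-check and log. The names classify_caller and login_claim_matches_uid, and the sample values in the test, are assumptions of the example.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { CALLER_MISMATCH = -1, CALLER_USER = 0, CALLER_ROOT = 1 };

/* Returns 1 only if the claimed login name exists in the user database
 * and maps to real_uid; 0 otherwise (including a NULL or unknown name). */
int login_claim_matches_uid(const char *claimed, uid_t real_uid)
{
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (claimed == NULL)
        return 0;
    if (getpwnam_r(claimed, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return 0;
    return res->pw_uid == real_uid;
}

/* Authorization decision that never trusts the login name on its own.
 * The kernel-maintained real UID decides whether the caller is root; a
 * login name that does not map to that UID is reported as a mismatch so
 * the caller can log it instead of acting on the name. */
int classify_caller(const char *login_name, uid_t real_uid)
{
    if (real_uid == 0)
        return CALLER_ROOT;
    if (!login_claim_matches_uid(login_name, real_uid))
        return CALLER_MISMATCH;
    return CALLER_USER;
}

int main(void)
{
    /* getlogin() may return NULL or a name set by another process in the
     * same session; getuid() cannot be changed by an unprivileged user. */
    int verdict = classify_caller(getlogin(), getuid());

    printf("real uid %lu classified as %d\n",
           (unsigned long)getuid(), verdict);
    return 0;
}
```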

SSH credits Logan Gabriel with discovering this flaw.

Impact:   A remote or local authenticated user may be able to obtain elevated privileges on the system.
Solution:   The vendor recommends that you upgrade to SSH Secure Shell version 3.1.5 or 3.2.2 at the FTP sites listed below. For the commercial versions, a valid license_ssh2.dat is required for all the binaries. Depending on the license file, the vendor states that the Unix binaries will function as SSH Secure Shell for Workstations or SSH Secure Shell for Servers product.

Updating SSH Secure Shell from 3.1.x to 3.1.5:

AIX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/solaris/

Updating SSH Secure Shell from 3.2.x to 3.2.2:

Users with a commercial license for a 3.2.x product can reportedly install the 3.2.2
version binaries on top of the old 3.2.x ones.

AIX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/solaris/

Non-commercial source code is available at:

ftp://ftp.ssh.com/pub/ssh/

Vendor URL:  www.ssh.com/company/newsroom/article/286/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Subject:  SSH Secure Shell Unix server setsid() function call vulnerability


http://www.ssh.com/company/newsroom/article/286/

Affected Systems:  SSH Secure Shell for Servers and SSH Secure Shell for Workstations,
versions 2.0.13 - 3.2.1.  (UNIX/Linux)

SSH.com issued a security advisory warning of a vulnerability in the SSH Secure Shell Unix
server setsid() function call.  A remote authenticated user may possibly be able to obtain
administrator privileges on NetBSD UNIX variants.

It is reported that, when used in non-interactive connections, a flaw in the process
grouping of SSH Secure Shell processes may allow malicious activity.  When a command is
executed without a pty (including running commands and subsystems), the resulting child
process will reportedly remain in the process group of the master process.

An authenticated user can set the login name to an arbitrary name (e.g., "root").  Then,
any application that trusts the login name and does not check the user ID (uid) or effective
user ID (euid) could be spoofed.  This can be exploited on BSD variants to send messages
to syslog and other applications with the wrong login name.  

The vendor notes that an exploit that forges log entries is known to exist.  However, the
vendor is not aware of any known root exploits at this time.  A root exploit may be
possible if, for example, a set user id (setuid) application relies on the output of the
getlogin() function, according to the report.

Solution:

The vendor recommends that you upgrade to SSH Secure Shell version 3.1.5 or 3.2.2 at the
FTP sites listed below.  For the commercial versions, a valid license_ssh2.dat is required
for all the binaries.  Depending on the license file, the vendor states that the Unix
binaries will function as SSH Secure Shell for Workstations or SSH Secure Shell for
Servers product.

Updating SSH Secure Shell from 3.1.x to 3.1.5:

AIX:     ftp://ftp.ssh.com/priv/secureshell/h7cq89th/aix/
HP-UX:   ftp://ftp.ssh.com/priv/secureshell/h7cq89th/hp-ux/
Linux:   ftp://ftp.ssh.com/priv/secureshell/h7cq89th/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/solaris/

Updating SSH Secure Shell from 3.2.x to 3.2.2:

Users with a commercial license for a 3.2.x product can reportedly install the 3.2.2
version binaries on top of the old 3.2.x ones.

AIX:     ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/aix/
HP-UX:   ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/hp-ux/
Linux:   ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/solaris/

Non-commercial source code is available at:

ftp://ftp.ssh.com/pub/ssh/

SSH credits Logan Gabriel with discovering this flaw.



 
 

