
Re: OpenBSD rumours



On Wed, Jun 19, 2002 at 11:41:51AM +0900, joel@alpsgiken.gr.jp said:
[snip]
> Searching google for "crocodile openbsd GOBBLES security" revealed this
> little gem:
>
> http://gladstone.uoregon.edu/~tgermer/el8.2.txt

uh ... I just tried that local OpenSSH exploit on my 3.1-release box, and it
gave me a root shell upon login (or _appeared_ to, see below).
----
[sfrancis@somehost:~]$ uname -a
OpenBSD somehost 3.1 GENERIC#59 i386
[sfrancis@somehost:~]$ ssh -V
OpenSSH_3.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
----

running GENERIC. Looking through 3.1 errata, I see nothing mentioning sshd
except for the Kerberos/AFS bug in sshd_config from April 22. Can anybody
else confirm my findings? I haven't grabbed the newest CVS source for ssh
yet. Will be doing so shortly and will report back.

I know 3.2.3 is out. I'm asking here because the 3.1 release shipped with
OpenSSH-3.2, and I have seen no errata entries since then (with the exception
of the one I mentioned above). Upgrading to CVS -stable now ...

*** five minutes of testing later ***

Interesting. Apparently the "exploit" merely fools the shell into thinking
I'm root, without actually granting any uid0 privileges.
----
[sfrancis@somehost:~]$ ssh somehost
sfrancis@somehost's password:
[I have no name!@somehost:~]# vipw
vipw: the passwd file is busy or you cannot lock.
[I have no name!@somehost:~]# whoami
0
[I have no name!@somehost:~]# id
uid=0 gid=0(wheel) groups=1000(sfrancis), 0(wheel)
[I have no name!@somehost:~]# touch bar
[I have no name!@somehost:~]# ls -l bar
-rw-r--r--  1 sfrancis  sfrancis  0 Jun 20 10:22 bar
[I have no name!@somehost:~]# sh
[\u@\h:\w]$
----

So, it's really just window-dressing. :) No cause for alarm - although at
first glance, it looks real enough.

Yet another instance of my trust in the OBSD team being reinforced. Good work
folks.
--
Scott Francis                   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager          sfrancis@ [work:]         t o n o s . c o m
GPG public key 0xCB33CCA7              illum oportet crescere me autem minui
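The `touch bar` / `ls -l bar` step in the session above is the right test: file ownership comes from the kernel, whereas a prompt, `whoami` or `id` can all be made to lie by whatever an "exploit" drops into the login environment. The script below is an added example, not code from the post or from the el8 text it links; it builds a constructed fake (`fake_root_env`, with its own `id`/`whoami` at the front of PATH and a root-looking PS1, which is only a guess at the kind of trick involved, since the post does not say how the linked "exploit" works) and then shows two checks that do not go through PATH or aliases: `real_uid` reads the owner of a freshly created file via absolute-path `/bin/ls`, and `id_is_shadowed` compares `command -v id` against the base-system location. All function names are this example's own.

```sh
#!/bin/sh
# Added example; not code from the post or the el8 text.  The fake id/whoami
# are constructed for the demo; how the real "exploit" did it is not stated.

# Constructed trojan environment: fake id/whoami first on PATH plus a
# root-looking prompt.  Sets FAKE_DIR; call it in the current shell, not in
# $(...), or the PATH change is lost.
fake_root_env() {
    FAKE_DIR="${TMPDIR:-/tmp}/fakeroot.$$"
    mkdir -p "$FAKE_DIR" || return 1
    printf '#!/bin/sh\necho 0\n' > "$FAKE_DIR/whoami"
    printf '#!/bin/sh\nif [ "$1" = -u ]; then echo 0; else echo "uid=0(root) gid=0(wheel)"; fi\n' \
        > "$FAKE_DIR/id"
    chmod 755 "$FAKE_DIR/whoami" "$FAKE_DIR/id"
    PATH="$FAKE_DIR:$PATH"; export PATH
    PS1='[I have no name!@\h:\w]# '
}

cleanup_fake_env() {
    if [ -n "$FAKE_DIR" ]; then /bin/rm -rf "$FAKE_DIR"; fi
}

# What the environment claims (resolved through PATH, so it can lie).
claimed_uid() { id -u; }

# What the kernel says.  A file you create is owned by your effective uid;
# ': >' is a shell builtin and /bin/ls, /bin/rm are called by absolute path,
# so nothing on PATH and no alias gets a vote.  Prints the numeric euid.
real_uid() {
    t="${TMPDIR:-/tmp}/uidcheck.$$"
    [ -e "$t" ] && return 1            # refuse to reuse someone else's file
    : > "$t" || return 1
    set -- $(/bin/ls -ln "$t")         # field 3 is the numeric owner uid
    /bin/rm -f "$t"
    printf '%s\n' "$3"
}

# Is `id` being resolved to something other than the base-system binary?
# command -v is a builtin, so it reports the real lookup result.
id_is_shadowed() {
    found=$(command -v id)
    [ "$found" != /usr/bin/id ] && [ "$found" != /bin/id ]
}

# Verdict: a uid-0 claim the kernel does not back is window-dressing.
check_root_claim() {
    claim=$(claimed_uid)
    real=$(real_uid) || return 2
    if [ "$claim" = 0 ] && [ "$real" != 0 ]; then
        printf 'SPOOFED: environment claims uid 0, kernel says euid %s\n' "$real"
        return 1
    fi
    printf 'consistent: euid %s\n' "$real"
}

# Demo: an honest login agrees with itself; the doctored one does not.
printf 'before: '; check_root_claim
fake_root_env
printf 'after:  '; check_root_claim || true
if id_is_shadowed; then
    printf "note: 'id' now resolves to %s\n" "$(command -v id)"
fi
```

Run it as an ordinary user and the "after" line reports the spoof; run it as real root and both lines stay consistent, because then the claim is true. The same idea applies to any suspicious prompt: attempt something only root can do (`vipw`, creating a file and checking its owner with an absolute-path tool) rather than trusting what `whoami` prints.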
