Re: OpenBSD rumours
On Wed, Jun 19, 2002 at 11:41:51AM +0900, firstname.lastname@example.org said:
> Searching google for "crocodile openbsd GOBBLES security" revealed this
> little gem:
uh ... I just tried that local OpenSSH exploit on my 3.1-release box, and it
gave me a rootshell upon login (or _appeared_ to, see below).
[sfrancis@somehost:~]$ uname -a
OpenBSD somehost 3.1 GENERIC#59 i386
[sfrancis@somehost:~]$ ssh -V
OpenSSH_3.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
running GENERIC. Looking through 3.1 errata, I see nothing mentioning sshd
except for the Kerberos/AFS bug in sshd_config from April 22. Can anybody
else confirm my findings? I haven't grabbed the newest CVS source for ssh
yet. Will be doing so shortly and will report back.
I know 3.2.3 is out. I'm asking here because the 3.1 release shipped with
OpenSSH-3.2, and I have seen no errata entries since then (with the exception
of the one I mentioned above). Upgrading to CVS -stable now ...
*** five minutes of testing later ***
Interesting. Apparently the "exploit" merely fools the shell into thinking
I'm root, without actually granting any uid0 privileges.
[sfrancis@somehost:~]$ ssh somehost
[I have no name!@somehost:~]# vipw
vipw: the passwd file is busy or you cannot lock.
[I have no name!@somehost:~]# whoami
[I have no name!@somehost:~]# id
uid=0 gid=0(wheel) groups=1000(sfrancis), 0(wheel)
[I have no name!@somehost:~]# touch bar
[I have no name!@somehost:~]# ls -l bar
-rw-r--r-- 1 sfrancis sfrancis 0 Jun 20 10:22 bar
[I have no name!@somehost:~]# sh
So, it's really just window-dressing. :) No cause for alarm - although at
first glance, it looks real enough.
Yet another instance of my trust in the OBSD team being reinforced. Good work
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
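The distinction the post draws, a prompt and an id(1) that say root while the kernel still treats the process as an ordinary user, can be checked mechanically rather than by eye. The POSIX shell script below is an added example, not code from the post or from OpenBSD; it assumes mktemp(1), ls(1) and awk(1) are available, and it plants a constructed fake `id` shell function to stand in for the hoax. The kernel stamps every new file with the creating process's effective uid, so file ownership is a witness that a shell-level trick cannot forge.

```shell
#!/bin/sh
# Added example (not from the original post): tell cosmetic "root" apart from
# real uid 0. A hoax can shadow id(1)/whoami(1) with functions or aliases and
# rewrite the prompt, but it cannot change the uid the kernel records on files.

# What the PATH-resolved "id" claims. If a function or alias named id has been
# planted in the shell, this is the planted answer, not the kernel's.
claimed_uid() { id -u; }

# What the kernel says: create a file and read its numeric owner with ls -ln.
# Ownership is taken from the effective uid at creation time.
kernel_uid() {
    f=$(mktemp) || return 1
    owner=$(ls -ln "$f" | awk '{print $3}')
    rm -f "$f"
    printf '%s\n' "$owner"
}

# Report whether a command name resolves to a shell function or alias instead
# of a file on disk, i.e. whether it has been shadowed in this shell.
is_shadowed() {
    case "$(type "$1" 2>/dev/null)" in
        *function*|*alias*) return 0 ;;
        *) return 1 ;;
    esac
}

# True only if the claimed uid and the kernel-observed uid agree.
privilege_consistent() { [ "$(claimed_uid)" = "$(kernel_uid)" ]; }

# Constructed demonstration: plant the kind of fake "id" the post ran into.
# It answers 0 regardless of who is really running the shell.
plant_fake_id() {
    id() { printf '0\n'; }
}

# Stand-alone run: show the picture before and after the fake is planted.
printf 'before: id in PATH says uid %s, kernel says uid %s\n' \
    "$(claimed_uid)" "$(kernel_uid)"
plant_fake_id
printf 'after:  id in PATH says uid %s, kernel says uid %s, shadowed=%s\n' \
    "$(claimed_uid)" "$(kernel_uid)" "$(is_shadowed id && echo yes || echo no)"
if privilege_consistent; then
    echo "claimed and kernel uids agree"
else
    echo "claimed uid is window-dressing: the kernel disagrees"
fi
```

Run as an unprivileged user the second line reports uid 0 from the shadowed `id` and the real uid from the kernel, which is exactly the mismatch between `id` and `ls -l bar` in the post. `command -p id -u` bypasses shell functions and the caller's PATH and is a cheap cross-check when a shell looks suspicious.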