Re: OpenBSD rumours
lol, that so-called "ssh-exploit" is ridiculous...
<begin the code>
#include <stdio.h>
/* Each definition below shadows the libc routine of the same name. A program
   linked with this file asks "who am I?" and is told uid/gid 0, but the
   kernel is never consulted: no privilege actually changes. */
int getuid(void) { return (0); }
int getgid(void) { return (0); }
int geteuid(void) { return (0); }
int getegid(void) { return (0); }
<end the code>
Even I, someone with totally nil knowledge of C, can figure out that
this just redeclares some functions bash et al. use to know who is running
them, and thus just fools the shell...
Well, this looks like they just made up that "exploit" to have a good
laugh with all those script kiddies. Well, they sure have a sense of
humor *rolls*eyes*
- rabbit
----- Original Message -----
From: "Scott Francis" <darkuncle@darkuncle.net>
To: "Joel Rees" <joel@alpsgiken.gr.jp>
Cc: <misc@openbsd.org>
Sent: Thursday, June 20, 2002 7:28 PM
Subject: Re: OpenBSD rumours
> On Wed, Jun 19, 2002 at 11:41:51AM +0900, joel@alpsgiken.gr.jp said:
> [snip]
> > Searching google for "crocodile openbsd GOBBLES security" revealed this
> > little gem:
> >
> > http://gladstone.uoregon.edu/~tgermer/el8.2.txt
>
> uh ... I just tried that local OpenSSH exploit on my 3.1-release box, and it
> gave me a rootshell upon login (or _appeared_ to, see below).
> ----
> [sfrancis@somehost:~]$ uname -a
> OpenBSD somehost 3.1 GENERIC#59 i386
> [sfrancis@somehost:~]$ ssh -V
> OpenSSH_3.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> ----
>
> running GENERIC. Looking through 3.1 errata, I see nothing mentioning sshd
> except for the Kerberos/AFS bug in sshd_config from April 22. Can anybody
> else confirm my findings? I haven't grabbed the newest CVS source for ssh
> yet. Will be doing so shortly and will report back.
>
> I know 3.2.3 is out. I'm asking here because the 3.1 release shipped with
> OpenSSH-3.2, and I have seen no errata entries since then (with the exception
> of the one I mentioned above). Upgrading to CVS -stable now ...
>
> *** five minutes of testing later ***
>
> Interesting. Apparently the "exploit" merely fools the shell into thinking
> I'm root, without actually granting any uid0 privileges.
> ----
> [sfrancis@somehost:~]$ ssh somehost
> sfrancis@somehost's password:
> [I have no name!@somehost:~]# vipw
> vipw: the passwd file is busy or you cannot lock.
> [I have no name!@somehost:~]# whoami
> 0
> [I have no name!@somehost:~]# id
> uid=0 gid=0(wheel) groups=1000(sfrancis), 0(wheel)
> [I have no name!@somehost:~]# touch bar
> [I have no name!@somehost:~]# ls -l bar
> -rw-r--r-- 1 sfrancis sfrancis 0 Jun 20 10:22 bar
> [I have no name!@somehost:~]# sh
> [\u@\h:\w]$
> ----
>
> So, it's really just window-dressing. :) No cause for alarm - although at
> first glance, it looks real enough.
>
> Yet another instance of my trust in the OBSD team being reinforced. Good work
> folks.
> --
> Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
> Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
> GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
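The thread's point, in code: rabbit explains that the "exploit" only shadows getuid() and friends, and Scott confirms it with "touch bar; ls -l bar", because the kernel records a new file's owner from the process's real credentials no matter what userland reports. The program below is an added example, not code from the thread or from any of the people quoted; it turns that check into a function (creating a scratch file under /tmp with a constructed name, then reading the owner back with fstat) and shows the name lookup a prompt's \u or whoami performs, whose failure produces bash's "I have no name!" text seen in Scott's session.

```c
/* Added example (not from the thread): tell a userland identity claim apart
 * from the identity the kernel actually enforces. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <pwd.h>

/* Create a scratch file and return the uid the kernel recorded as its owner,
 * or (uid_t)-1 on failure. The kernel takes the owner from the process's
 * effective uid; a shadowed getuid()/geteuid() in userland cannot alter it.
 * This is the "touch bar; ls -l bar" check from the session, done in C. */
uid_t kernel_uid_via_file(void)
{
    char path[] = "/tmp/uidcheck.XXXXXX";   /* constructed scratch name */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return (uid_t)-1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(path);
        return (uid_t)-1;
    }
    close(fd);
    unlink(path);
    return st.st_uid;
}

/* 1 if the uid userland claims matches the kernel-assigned owner, else 0. */
int claim_matches_kernel(uid_t claimed)
{
    uid_t actual = kernel_uid_via_file();
    if (actual == (uid_t)-1)
        return 0;
    return claimed == actual;
}

/* 1 if the uid resolves to a passwd entry, else 0. */
int uid_has_name(uid_t uid)
{
    return getpwuid(uid) != NULL;
}

/* What a prompt's \u or whoami has to do: map the uid to a name. When the
 * lookup fails, bash falls back to "I have no name!", which is exactly what
 * Scott's prompt showed. */
const char *name_for_uid(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        snprintf(buf, len, "%s", "I have no name!");
    else
        snprintf(buf, len, "%s", pw->pw_name);
    return buf;
}

int main(void)
{
    char name[64];
    uid_t claimed = getuid();   /* whatever userland reports, shadowed or not */

    printf("userland claims uid %u (%s)\n",
           (unsigned)claimed, name_for_uid(claimed, name, sizeof name));
    printf("kernel-assigned owner of a new file: %u\n",
           (unsigned)kernel_uid_via_file());
    printf("claim %s\n", claim_matches_kernel(claimed)
                             ? "matches the kernel"
                             : "does NOT match the kernel");
    return 0;
}
```

Run it as an ordinary user and the two uids agree; link it against a file that shadows getuid() the way the posted "exploit" does and the first line will say 0 while the second still shows your real uid, which is the whole joke in one program.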