
Re: OpenBSD rumours



Yeah!

I just tried on OpenBSD 3.0-GENERIC. Tried to cat /etc/master.passwd. It
didn't work.

Fernando

On Thu, 20 Jun 2002 21:01:39 +0200
<rabbit@kotnet.org> wrote:

> lol, that so-called "ssh-exploit" is ridiculous...
> 
> <begin the code>
> #include <stdio.h>
> 
> int getuid(void) { return (0); }
> int getgid(void) { return (0); }
> int geteuid(void) { return (0); }
> int getegid(void) { return (0); }
> <end the code>
> 
> Even I, someone with totally nihil knowledge of C, can figure out that
> this just redeclares some functions bash e.a. use to know who is
> running them, and thus just fool the shell...
> Well, this looks like they just made up that "exploit" to have a good
> laugh with all those script kiddies. Well, they sure have a sense of
> humor *rolls*eyes*
> 
>  - rabbit
> 
> ----- Original Message -----
> From: "Scott Francis" <darkuncle@darkuncle.net>
> To: "Joel Rees" <joel@alpsgiken.gr.jp>
> Cc: <misc@openbsd.org>
> Sent: Thursday, June 20, 2002 7:28 PM
> Subject: Re: OpenBSD rumours
> 
> 
> > On Wed, Jun 19, 2002 at 11:41:51AM +0900, joel@alpsgiken.gr.jp said:
> > [snip]
> > > Searching google for "crocodile openbsd GOBBLES security" revealed this
> > > little gem:
> > >
> > > http://gladstone.uoregon.edu/~tgermer/el8.2.txt
> >
> > uh ... I just tried that local OpenSSH exploit on my 3.1-release box, and it
> > gave me a rootshell upon login (or _appeared_ to, see below).
> > ----
> > [sfrancis@somehost:~]$ uname -a
> > OpenBSD somehost 3.1 GENERIC#59 i386
> > [sfrancis@somehost:~]$ ssh -V
> > OpenSSH_3.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> > ----
> >
> > running GENERIC. Looking through 3.1 errata, I see nothing mentioning sshd
> > except for the Kerberos/AFS bug in sshd_config from April 22. Can anybody
> > else confirm my findings? I haven't grabbed the newest CVS source for ssh
> > yet. Will be doing so shortly and will report back.
> >
> > I know 3.2.3 is out. I'm asking here because the 3.1 release shipped with
> > OpenSSH-3.2, and I have seen no errata entries since then (with the exception
> > of the one I mentioned above). Upgrading to CVS -stable now ...
> >
> > *** five minutes of testing later ***
> >
> > Interesting. Apparently the "exploit" merely fools the shell into thinking
> > I'm root, without actually granting any uid0 privileges.
> > ----
> > [sfrancis@somehost:~]$ ssh somehost
> > sfrancis@somehost's password:
> > [I have no name!@somehost:~]# vipw
> > vipw: the passwd file is busy or you cannot lock.
> > [I have no name!@somehost:~]# whoami
> > 0
> > [I have no name!@somehost:~]# id
> > uid=0 gid=0(wheel) groups=1000(sfrancis), 0(wheel)
> > [I have no name!@somehost:~]# touch bar
> > [I have no name!@somehost:~]# ls -l bar
> > -rw-r--r--  1 sfrancis  sfrancis  0 Jun 20 10:22 bar
> > [I have no name!@somehost:~]# sh
> > [\u@\h:\w]$
> > ----
> >
> > So, it's really just window-dressing. :) No cause for alarm - although at
> > first glance, it looks real enough.
> >
> > Yet another instance of my trust in the OBSD team being reinforced. Good work
> > folks.
> > --
> > Scott Francis                   darkuncle@ [home:] d a r k u n c l e . n e t
> > Systems/Network Manager          sfrancis@ [work:]         t o n o s . c o m
> > GPG public key 0xCB33CCA7              illum oportet crescere me autem minui
> >
> > [demime 0.98d removed an attachment of type
> > application/pgp-signature]
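
The manual check in the quoted message (`touch bar; ls -l bar` showing the real owner while `id` prints uid=0) can be automated. The following is an added example, not part of the thread or of any OpenBSD/OpenSSH code: it compares the effective uid returned by the C library symbol with the value from a direct system call and with the owner the kernel stamps on a new file. It assumes Linux with glibc for `syscall(SYS_geteuid)`; all function names are illustrative.

```c
/* Added example (not from the thread): does the library's idea of our
 * effective uid agree with the kernel's? Assumes Linux with glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* What programs such as id(1) and the shell see: the geteuid() symbol,
 * which resolves to whichever definition the linker found first. */
long euid_from_libc(void) { return (long)geteuid(); }

/* The kernel's answer, fetched without going through that symbol. */
long euid_from_kernel(void) { return (long)syscall(SYS_geteuid); }

/* Owner the kernel stamps on a file we create (the "touch bar; ls -l bar"
 * test from the thread). Returns -1 if no temp file could be created. */
long euid_from_new_file(void) {
    char path[] = "/tmp/euidcheck.XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (long)st.st_uid : -1;
}

/* 1 if the library's answer contradicts the kernel's, 0 otherwise. */
int euid_view_mismatch(void) {
    long kernel = euid_from_kernel();
    long file = euid_from_new_file();
    if (euid_from_libc() != kernel)
        return 1;
    return file != -1 && file != kernel;
}

int main(void) {
    printf("libc=%ld kernel=%ld new-file-owner=%ld\n",
           euid_from_libc(), euid_from_kernel(), euid_from_new_file());
    if (euid_view_mismatch()) {
        puts("MISMATCH: uid lookups are being answered in userland");
        return 1;
    }
    puts("consistent");
    return 0;
}
```

A mismatch means the uid a program displays is coming from a replaced library function; privileges are still decided by the kernel's value, which is why `vipw` failed in the session above.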