
Re: Upcoming OpenSSH vulnerability



I log in as a 'normal' user, but I am in the 'wheel' group... would that be a
problem concerning this vulnerability, do you think?

-----Original Message-----
From: Jorge Bras [mailto:jorge.bras@netc.pt]
Sent: Tuesday, June 25, 2002 6:41 PM
To: Tim Jones
CC: misc@openbsd.org
Subject: Re: Upcoming OpenSSH vulnerability


Hi,

The answer is in Theo's mail.
Anyway...
When you log in as a normal user, do a ps auxw | grep sshd and you should
have something like this:
	sshd: normal_user [priv] (sshd)

./bras

On Tue, 2002-06-25 at 14:22, Tim Jones wrote:
> Does anyone know how to check if privilege separation
> is working?  I followed the instructions, but SSH
> processes still show up as being run by root.
>
> Thanks.
>
> --- Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
> > There is an upcoming OpenSSH vulnerability that we're working on with
> > ISS.  Details will be published early next week.
> >
> > However, I can say that when OpenSSH's sshd(8) is running with priv
> > separation, the bug cannot be exploited.
> >
> > OpenSSH 3.3p was released a few days ago, with various improvements
> > but in particular, it significantly improves the Linux and Solaris
> > support for priv sep.  However, it is not yet perfect.  Compression is
> > disabled on some systems, and the many varieties of PAM are causing
> > major headaches.
> >
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
> > priv separation in their ssh daemons, by setting this in your
> > /etc/ssh/sshd_config file:
> >
> > 	UsePrivilegeSeparation yes
> >
> > Depending on what your system is, privsep may break some ssh
> > functionality.  However, with privsep turned on, you are immune from
> > at least one remote hole.  Understand?
> >
> > 3.3 does not contain a fix for this upcoming bug.
> >
> > If priv separation does not work on your operating system, you need to
> > work with your vendor so that we get patches to make it work on your
> > system.  Our developers are swamped enough without trying to support
> > the myriad of PAM and other issues which exist in various systems.
> > You must call on your vendors to help us.
> >
> > Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A
> > lot of that runs as root.  But when UsePrivilegeSeparation is enabled,
> > the daemon splits into two parts.  A part containing about 2500 lines
> > of code remains as root, and the rest of the code is shoved into a
> > chroot-jail without any privs.  This makes the daemon less vulnerable
> > to attack.
> >
> > We've been trying to warn vendors about 3.3 and the need for privsep,
> > but they really have not heeded our call for assistance.  They have
> > basically ignored us.  Some, like Alan Cox, even went further stating
> > that privsep was not being worked on because "Nobody provided any info
> > which proves the problem, and many people dont trust you theo" and
> > suggested I "might be feeding everyone a trojan" (I think I'll publish
> > that letter -- it is just so funny).  HP's representative was
> > downright rude, but that is OK because Compaq is retiring him.  Except
> > for Solar Designer, I think none of them has helped the OpenSSH
> > portable developers make privsep work better on their systems.
> > Apparently Solar Designer is the only person who understands the need
> > for this stuff.
> >
> > So, if vendors would JUMP and get it working better, and send us
> > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> > which supports these systems better.  So send patches by Thursday
> > night please.  Then on Tuesday or Wednesday the complete bug report
> > with patches (and exploits soon after I am sure) will hit BUGTRAQ.
> >
> > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> > exploitable.  Clearly we cannot yet publish what the bug is, or
> > provide anyone with the real patch, but we can try to get maximum
> > deployment of privsep, and therefore make it hurt less when the
> > problem is published.
> >
> > So please push your vendor to get us maximally working privsep patches
> > as soon as possible!
> >
> > We've given most vendors since Friday last week until Thursday to get
> > privsep working well for you so that when the announcement comes out
> > next week their customers are immunized.  That is nearly a full week
> > (but they have already wasted a weekend and a Monday).  Really I think
> > this is the best we can hope to do (this thing will eventually leak,
> > at which point the details will be published).
> >
> > Customers can judge their vendors by how they respond to this issue.
> >
> > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > On OpenBSD privsep works flawlessly, and I have reports that it is also
> > true on NetBSD.  All other systems appear to have minor or major
> > weaknesses when this code is running.
> >
> > (securityfocus postmaster; please post this through immediately, since
> > i have bcc'd over 30 other places..)

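As an added example, not part of the thread above and not OpenSSH's own code: Tim's observation that sshd processes "still show up as being run by root" is not by itself a sign that privsep is off. The listener and the per-connection monitor (the "sshd: user [priv]" entry Jorge points at) have to stay root; what privsep adds is a separate child that runs without privileges, and that child is the thing to look for. The script below applies that reading to a ps auxw listing and also checks whether sshd_config actually asks for UsePrivilegeSeparation. It assumes the OpenSSH process-title convention "sshd: <user> [priv]" for the monitor and "sshd: <user>@<tty>" for the unprivileged child, and treats an absent keyword as "no", which is what Theo's instruction to set it implies for 3.3; the ps listings and config fragments in it are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH: decide whether
# sshd is running with privilege separation, and whether sshd_config asks for it.
#
# Assumptions (not taken from the page): OpenSSH titles the root-owned monitor
# "sshd: <user> [priv]" and the unprivileged per-connection child
# "sshd: <user>@<tty>" (or similar); the listings and config text below are
# constructed, not captured from a real host.

# privsep_status: read "ps auxw" output on stdin and print one word:
#   privsep     a root "[priv]" monitor AND a non-root sshd child were seen
#   no-privsep  per-connection sshd processes exist, but every one is root
#   no-session  only the listener (plain "sshd") or no sshd at all
# Seeing "[priv]" alone is not proof: the unprivileged child is what matters.
privsep_status() {
    awk '
        / sshd: / {                        # per-connection sshd processes only
            if ($0 ~ /\[priv\]/ && $1 == "root") monitor++    # root-owned monitor
            else if ($1 != "root")              child++       # unprivileged child
            else                                rootchild++   # session still root
        }
        END {
            if (monitor && child)          print "privsep"
            else if (monitor || rootchild) print "no-privsep"
            else                           print "no-session"
        }'
}

# privsep_configured: read sshd_config on stdin and print "yes" or "no".
# sshd keeps the first value it sees for a keyword, so a later duplicate is
# ignored; an absent keyword is treated as "no" (assumption about 3.3).
privsep_configured() {
    awk '
        { sub(/#.*/, "") }                                   # drop comments
        tolower($1) == "useprivilegeseparation" && !seen { seen = 1; val = tolower($2) }
        END { if (val == "yes") print "yes"; else print "no" }'
}

# Constructed ps auxw listing of a privsep'd session: listener and monitor
# are root, the session child runs as the user.
PS_PRIVSEP='USER     PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
root     213  0.0  0.4  640 1040 ??  Is    6:41PM 0:00.03 /usr/sbin/sshd
root    7921  0.0  0.9 1164 2248 ??  Is    6:42PM 0:00.19 sshd: tim [priv] (sshd)
tim     6044  0.0  0.8 1140 2100 ??  S     6:42PM 0:00.05 sshd: tim@ttyp0 (sshd)
tim     9102  0.0  0.2  380  520 p0  R+    6:43PM 0:00.00 grep sshd'

# Constructed listing without privsep: every sshd process is root.
PS_NOPRIVSEP='USER     PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
root     213  0.0  0.4  640 1040 ??  Is    6:41PM 0:00.03 /usr/sbin/sshd
root    7921  0.0  0.9 1164 2248 ??  S     6:42PM 0:00.19 sshd: tim@ttyp0 (sshd)'

# Constructed sshd_config fragments.
CONF_ON='# sshd_config (constructed)
Port 22
UsePrivilegeSeparation yes   # the line Theo asks everyone to add
UsePrivilegeSeparation no    # ignored by sshd: the first value wins'

CONF_OFF='# sshd_config (constructed): keyword commented out, so the default applies
#UsePrivilegeSeparation yes'

printf '%s\n' "$PS_PRIVSEP"   | privsep_status        # privsep
printf '%s\n' "$PS_NOPRIVSEP" | privsep_status        # no-privsep
printf '%s\n' "$CONF_ON"      | privsep_configured    # yes
printf '%s\n' "$CONF_OFF"     | privsep_configured    # no

# On a live host, run the same checks against the real process table and
# config (guarded so the script still runs where ps or sshd_config is absent).
if command -v ps >/dev/null 2>&1; then
    ps auxw 2>/dev/null | privsep_status
fi
if [ -r /etc/ssh/sshd_config ]; then
    privsep_configured < /etc/ssh/sshd_config
fi
```

Run it as a normal user after restarting sshd with the new config and logging in again: "privsep" from the process check together with "yes" from the config check is the combination to expect. "no-privsep" with "yes" usually means sshd was not restarted after the config change, or that the session pre-dates the restart.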