SSH Communications SSH Secure Shell Process Grouping Flaw in setsid() May Let Authenticated Users Gain Elevated Privileges

SecurityTracker Alert ID: 1005703
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 25 2002
Impact: Modification of system information, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.0.13 - 3.2.1

Description: A vulnerability was reported in SSH Secure Shell for UNIX/Linux from SSH Communications. A remote or local authenticated user could gain elevated privileges on the system.

It is reported that, when used in non-interactive connections, a flaw in the process grouping of SSH Secure Shell processes may allow malicious activity. When a command is executed without a pty (including running commands and subsystems), the resulting child process will reportedly remain in the process group of the master process.

An authenticated user can set the login name to an arbitrary name (e.g., "root"). Then, any application that trusts the login name and does not check the user ID (uid) or effective user ID (euid) could be spoofed. This can be exploited on BSD variants to send messages to syslog and other applications with the wrong login name.

The vendor notes that an exploit that forges log entries is known to exist. However, the vendor is not aware of any known root exploits at this time. A root exploit may be possible if, for example, a set user id (setuid) application relies on the output of the getlogin() function, according to the report.

SSH credits Logan Gabriel with discovering this flaw.
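
The two defensive checks implied by the description, as an added example that is not part of the advisory or the vendor's patch: an application cross-checks a login name against the uid instead of trusting getlogin() alone, and a server confirms that a child started without a pty has left the master's session and process group. The function names are hypothetical, and the use of setsid() in the child is an assumption drawn from the alert title.

```c
#include <pwd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Application side: accept a login name only if it maps to `uid`.
 * Call with getlogin() and getuid() before making any privilege decision. */
int login_matches_uid(const char *login, uid_t uid)
{
    struct passwd *pw;
    if (login == NULL || *login == '\0')
        return 0;
    pw = getpwnam(login);
    return pw != NULL && pw->pw_uid == uid;
}

/* Server side: start a no-pty child and verify it leads its own session.
 * Returns 1 if isolated, 0 if still grouped with the parent, -1 on error. */
int child_gets_own_session(void)
{
    int ready[2], ok = -1;
    char c = 'n';
    pid_t pid;

    if (pipe(ready) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(ready[0]);
        close(ready[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: detach before any exec */
        close(ready[0]);
        if (setsid() != (pid_t)-1)
            c = 'y';
        if (write(ready[1], &c, 1) != 1)
            _exit(1);
        pause();                    /* a real server would exec here */
        _exit(0);
    }
    close(ready[1]);
    if (read(ready[0], &c, 1) == 1) /* wait until the child has tried setsid() */
        ok = (c == 'y' && getsid(pid) == pid && getpgid(pid) == pid
              && getsid(0) != pid);
    close(ready[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return ok;
}
```
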

Impact: A remote or local authenticated user may be able to obtain elevated privileges on the system.

Solution: The vendor recommends that you upgrade to SSH Secure Shell version 3.1.5 or 3.2.2 at the FTP sites listed below. For the commercial versions, a valid license_ssh2.dat is required for all the binaries. Depending on the license file, the vendor states that the Unix binaries will function as SSH Secure Shell for Workstations or SSH Secure Shell for Servers product.

Updating SSH Secure Shell from 3.1.x to 3.1.5:
AIX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/solaris/

Updating SSH Secure Shell from 3.2.x to 3.2.2:
Users with a commercial license for a 3.2.x product can reportedly install the 3.2.2 version binaries on top of the old 3.2.x ones.
AIX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/solaris/

Non-commercial source code is available at:
ftp://ftp.ssh.com/pub/ssh/

Vendor URL: www.ssh.com/company/newsroom/article/286/

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)

Message History: None.

Source Message Contents

Date: Mon, 25 Nov 2002 10:45:09 -0500
Subject: SSH Secure Shell Unix server setsid() function call vulnerability
http://www.ssh.com/company/newsroom/article/286/
Affected Systems: SSH Secure Shell for Servers and SSH Secure Shell for Workstations,
versions 2.0.13 - 3.2.1. (UNIX/Linux)
SSH.com issued a security advisory warning of a vulnerability in the SSH Secure Shell Unix
server setsid() function call. A remote authenticated user may possibly be able to obtain
administrator privileges on NetBSD UNIX variants.
It is reported that, when used in non-interactive connections, a flaw in the process
grouping of SSH Secure Shell processes may allow malicious activity. When a command is
executed without a pty (including running commands and subsystems), the resulting child
process will reportedly remain in the process group of the master process.
An authenticated user can set the login name to an arbitrary name (e.g., "root"). Then,
any application that trusts the login name and does not check the user ID (uid) or effective
user ID (euid) could be spoofed. This can be exploited on BSD variants to send messages
to syslog and other applications with the wrong login name.
The vendor notes that an exploit that forges log entries is known to exist. However, the
vendor is not aware of any known root exploits at this time. A root exploit may be
possible if, for example, a set user id (setuid) application relies on the output of the
getlogin() function, according to the report.
Solution:
The vendor recommends that you upgrade to SSH Secure Shell version 3.1.5 or 3.2.2 at the
FTP sites listed below. For the commercial versions, a valid license_ssh2.dat is required
for all the binaries. Depending on the license file, the vendor states that the Unix
binaries will function as SSH Secure Shell for Workstations or SSH Secure Shell for
Servers product.
Updating SSH Secure Shell from 3.1.x to 3.1.5:
AIX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/h7cq89th/solaris/
Updating SSH Secure Shell from 3.2.x to 3.2.2
Users with a commercial license for a 3.2.x product can reportedly install the 3.2.2
version binaries on top of the old 3.2.x ones.
AIX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/aix/
HP-UX: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/hp-ux/
Linux: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/linux/
Solaris: ftp://ftp.ssh.com/priv/secureshell/6g3zslpk/solaris/
Non-commercial source code is available at:
ftp://ftp.ssh.com/pub/ssh/
SSH credits Logan Gabriel with discovering this flaw.