-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |   /_\   /
                          \___  __|__ /   \ \___
__________________________________________________________

                             INFORMATION BULLETIN

                        OpenSSH UseLogin Vulnerability

July 6, 2000 16:00 GMT                                            Number K-058
______________________________________________________________________________
PROBLEM:       If the UseLogin option is enabled, then the remote user's
               commands will be executed with an incorrect user id.
PLATFORM:      All platforms running FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE,
               and FreeBSD 5.0-CURRENT prior to the correction date.
DAMAGE:        This vulnerability allows remote users to run commands with
               elevated (usually root) privileges.
SOLUTION:      Upgrade or apply the patch.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH if the UseLogin option is enabled. The
ASSESSMENT:    vulnerability has been discussed in public forums.
______________________________________________________________________________

[ Start FreeBSD Advisory ]

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:30                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits remote root access

Category:       core
Module:         openssh
Announced:      2000-07-05
Credits:        Markus Friedl
Affects:        FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE and 5.0-CURRENT
                prior to the correction date
Corrected:      2000-06-11
Vendor status:  Disclosed vulnerability.
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 (and SSH2 in later versions) secure
shell protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use.

II.  Problem Description

The sshd server is typically invoked as root so it can manage general user
logins.
OpenSSH has a configuration option, not enabled by default ("UseLogin") which
specifies that user logins should be done via the /usr/bin/login command
instead of handled internally. OpenSSH also has a facility to enable remote
users to execute commands on the server non-interactively. In this case, the
UseLogin directive fails to correctly drop root privileges before executing
the command, meaning that remote users without root access can execute
commands on the local system as root.

Note that with the default configuration, OpenSSH is not vulnerable to this
problem, and this option is not needed for the vast majority of systems.

OpenSSH is installed if you chose to install the 'crypto' distribution at
install-time or when compiling from source, and you either have the
international RSA libraries or installed the RSAREF port.

III. Impact

If your sshd configuration was modified to enable the 'UseLogin' directive
then remote users with SSH access to the local machine can execute arbitrary
commands as root.

IV.  Workaround

Set 'UseLogin No' in your /etc/ssh/sshd_config file and restart the SSH
server by issuing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to respawn and reread its configuration
file, and should not interfere with existing SSH sessions.

Note that a bug in sshd (discovered during preparation of this advisory,
fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as of 2000-07-03) means that it
will fail to restart correctly unless it was originally invoked with an
absolute path (i.e. "/usr/sbin/sshd" instead of "sshd"). Therefore you
should verify that the server is still running after you deliver the HUP
signal:

# ps -p `cat /var/run/sshd.pid`
  PID  TT  STAT      TIME COMMAND
 2110  ??  Ss     0:00.97 /usr/sbin/sshd

If the server is no longer running, restart it by issuing the following
command as root:

# /usr/sbin/sshd

V.
Solution

One of the following:

1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the correction date.

Note that these versions of FreeBSD contain a newer version of OpenSSH than
was in 4.0-RELEASE, version 2.1, which provides enhanced functionality
including support for the SSH2 protocol and DSA keys.

2) Save this advisory as a file and extract the relevant patch for your
version of FreeBSD, or download the relevant patch and detached PGP
signature from the following location:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch/or/advisory
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.sbin/sshd
# make all install
# kill -HUP `cat /var/run/sshd.pid`

See the note in the "Workarounds" section about verifying that the sshd
server is still running.

VI.  Patch

Index: sshd.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
retrieving revision 1.6
diff -u -r1.6 sshd.c
--- sshd.c	2000/03/09 14:52:31	1.6
+++ sshd.c	2000/07/04 03:40:46
@@ -2564,7 +2564,13 @@ char *argv[10]; #ifdef LOGIN_CAP login_cap_t *lc; +#endif + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + +#ifdef LOGIN_CAP lc = login_getpwclass(pw); if (lc == NULL) lc = login_getclassbyname(NULL, pw);

[ End FreeBSD Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of FreeBSD for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use
one of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or

    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3. Send e-mail to 4498369@skytel.com, or

    4.
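Review bot: the new check `if (options.use_login && command != NULL) options.use_login = 0;` redefines UseLogin as "interactive login shells only" and does so by writing the global `options` struct rather than a local flag; the UseLogin entry in the sshd_config documentation should state that remote commands now bypass login(1) entirely, and it is worth confirming that this code runs in the per-connection child so the cleared flag is never seen by another session handled by the same server process. The `#endif` / `#ifdef LOGIN_CAP` split that hoists the check out of the LOGIN_CAP block is the right call, since the fix has to apply whether or not login classes are compiled in.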
       Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web:  http://www.ciac.org/
                 (or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP:   ftp.ciac.org
                 (or ciac.llnl.gov -- they're the same machine)
Modem access:    +1 (925) 423-4753 (28.8K baud)
                 +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-046: 386-BSD Based Operating Systems - IPCS Vulnerability
K-047: Netscape - Inconsistent Warning Messages
K-048: Permissions Problems with FrontPage Extensions
K-049: Microsoft IE "SSL Certificate Validation" Vulnerability
K-050: NXT BIND 8.2.x Overflow Vulnerability
K-051: DoS Vulnerabilities in Kerberos 4 KDC Programs
K-052: AIX cdmount Vulnerability
K-053: Linux setuid Kernel Fix
K-054: Vulnerability in Linux wu-ftpd
K-055: HP Web JetAdmin Vulnerability
K-056: IRIX WorkShop cvconnect(1M) Vulnerability
K-057: Microsoft "Active Setup Download" Vulnerability
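As an added example that is not part of the CIAC bulletin or the FreeBSD advisory, the following POSIX shell functions automate the Workaround section above: one audits an sshd_config for an effective UseLogin setting (handling comments, keyword case and sshd's first-occurrence rule), the other delivers the HUP and checks that sshd survived it, as the advisory recommends. The function names and exit-code convention are my own; the default paths are the advisory's.

```shell
#!/bin/sh
# Added example (not part of the CIAC bulletin or the FreeBSD advisory):
# audit an sshd_config for an effective "UseLogin yes", the setting the
# advisory tells you to turn off, and run the HUP-then-verify step from the
# Workaround section. Assumes POSIX sh with awk, cat, kill and sleep; the
# default paths are the advisory's own.

# check_uselogin [config]: returns 0 if UseLogin is effectively off, 1 if
# on, 2 if the file cannot be read. sshd honours the first occurrence of a
# keyword, so only the first uncommented UseLogin line counts. The keyword
# is case-insensitive in sshd; the value is lowered here too so a stray
# "Yes"/"TRUE" is still flagged, which is the conservative choice for an audit.
check_uselogin() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || { echo "check_uselogin: cannot read $cfg" >&2; return 2; }
    if awk '
        { sub(/#.*/, "") }        # strip comments; blank lines drop out via NF
        NF >= 2 && !seen && tolower($1) == "uselogin" {
            seen = 1
            v = tolower($2)
            on = (v == "yes" || v == "true")
        }
        END { exit (on ? 1 : 0) }
    ' "$cfg"; then
        return 0
    fi
    echo "check_uselogin: UseLogin is enabled in $cfg; set 'UseLogin No'" >&2
    return 1
}

# hup_and_verify_sshd [pidfile]: sends SIGHUP and returns 0 if sshd is still
# running afterwards, 1 if it died (the advisory's case of sshd started
# without an absolute path), 2 if the pid file is unusable. sshd re-execs
# itself on SIGHUP and keeps its pid, so the pid file stays valid.
hup_and_verify_sshd() {
    pidfile=${1:-/var/run/sshd.pid}
    pid=$(cat "$pidfile" 2>/dev/null) && [ -n "$pid" ] || return 2
    kill -HUP "$pid" || return 2
    sleep 1
    if kill -0 "$pid" 2>/dev/null; then
        echo "sshd (pid $pid) is still running"
        return 0
    fi
    echo "sshd (pid $pid) did not survive SIGHUP; start it with /usr/sbin/sshd" >&2
    return 1
}
```

Run `check_uselogin` before and after editing the configuration, then `hup_and_verify_sshd` as root to apply it; a non-zero exit from the second means sshd must be started by hand with /usr/sbin/sshd.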