From: Jerry Connolly (jerry.connolly eircom.net)
Date: Tue Jun 05 2001 - 08:31:42 CDT
Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700,
> Also: SSH Version OpenSSH_2.3.0 green FreeBSD.org 20010321 -- That comes
> with FreeBSD 4.3-STABLE
> is not vulnerable at first glance. It does not appear to use /tmp files
> as yours does and therefore is not vulnerable.
I tested it on OpenSSH_2.5.2 on OpenBSD and it worked. I had to enable X
forwarding on the client and server before the remote machine would create
(and attempt to unlink()) the cookies file.
The offending code is in session.c in the xauthfile_cleanup_proc() function
<SNIP>
/*
 * Remove local Xauthority file.
 */
void
xauthfile_cleanup_proc(void *ignore)
{
	debug("xauthfile_cleanup_proc called");
	if (xauthfile != NULL) {
		char *p;
		unlink(xauthfile);
</SNIP>
where xauthfile points to a buffer containing the name of the cookies file.
Cheers.
--
Jerry Connolly
Computer Incident Response Team
jerry.connolly eircom.net
Eircom Multimedia
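
A checked form of the cleanup step discussed in the message above, as an added example that is not part of the original post and is not OpenSSH code. The helper name checked_unlink and its owner parameter are assumptions; it removes the file only when the containing directory is a real directory owned by the expected user and the entry is a regular file owned by that user.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not OpenSSH code): remove `path` only if its parent
 * is a real directory owned by `owner` with no group/other access, and the
 * entry is a regular file owned by `owner`.
 * Returns 0 when the file was removed, -1 when the request was refused.
 */
int
checked_unlink(const char *path, uid_t owner)
{
	char dbuf[PATH_MAX], bbuf[PATH_MAX];
	char *dir, *base;
	struct stat st;
	int dfd, rc = -1;

	/* dirname()/basename() may modify their argument, so work on copies. */
	if (snprintf(dbuf, sizeof dbuf, "%s", path) >= (int)sizeof dbuf)
		return -1;
	snprintf(bbuf, sizeof bbuf, "%s", path);
	dir = dirname(dbuf);
	base = basename(bbuf);

	/* O_NOFOLLOW: fail if the directory name is now a symbolic link. */
	dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (dfd == -1)
		return -1;

	/* Check the pinned directory, then the entry relative to it. */
	if (fstat(dfd, &st) == 0 && st.st_uid == owner &&
	    (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 &&
	    fstatat(dfd, base, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
	    S_ISREG(st.st_mode) && st.st_uid == owner)
		rc = unlinkat(dfd, base, 0);	/* acts inside dfd, not on a re-resolved path */

	close(dfd);
	return rc;
}
```

Because the directory is opened once and the removal goes through that descriptor, the name is not resolved a second time between the check and the unlink.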