lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0304301338010.8613-100000@mothra.mindrot.org>
Date: Wed, 30 Apr 2003 13:39:49 +1000 (EST)
From: Damien Miller <djm@...drot.org>
To: BUGTRAQ@...URITYFOCUS.COM, <openssh-unix-dev@...drot.org>,
	<openssh-unix-announce@...drot.org>
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)


1. Systems affected:

	Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
	if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

	Please note that the IBM-supplied OpenSSH packages[1] are 
	not vulnerable.

2. Description:

	The default behavior of the runtime linker on AIX is to search 
	the current directory for dynamic libraries before searching 
	system paths. This is done regardless of the executable's 
	set[ug]id status.

	This behavior is insecure and extremely dangerous. It allows an 
	attacker to locally escalate their privilege level through the 
	use of replacement libraries.

	Portable OpenSSH includes configure logic to override this 
	broken behavior, but only for the native compiler. gcc uses a
	different command-line option (without changing the dangerous 
	default behavior).

3. Impact:

	Privilege escalation by local users.

4. Short-term workaround:

	Remove any set[ug]id bits from the installed binaries,
	usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH 
	may also install the 'ssh' binary as setuid.

	Please note that removing the setuid bit from ssh-keysign will 
	disable hostbased authentication. 

	Portable OpenSSH 3.6.1p2 uses the correct compiler flags to 
	avoid the dangerous linker behavior.

5. Solution:

	For the problem to be solved, the AIX linker must be changed to 
	only search system paths by default and never search the current 
	directory or user-specified paths for set[ug]id programs.

	We consider this a serious flaw in IBM's linker, and urge
	them to fix it immediately.  IBM, are you listening?

6. Credits:

	Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
	issue to our attention. Darren Tucker <dtucker@....com.au>
	contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ