When the UseLogin option is enabled, the OpenSSH server (sshd) does not switch to the uid of the user logging in itself, but relies on login(1) to do so. However, when the user specifies a command for remote execution, login(1) is not used, and sshd still fails to set the correct user id. The command is therefore executed with the privileges of sshd (usually root), so any user who can log in can obtain root privileges.
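The flaw is a privilege drop delegated to a component (login(1)) that is not on every code path. The following is an added example, not OpenSSH code: it models the uid-switching decision sshd makes when preparing a session, once in the pre-2.1.1 form and once with the 2.1.1 check in front of it. The names (do_child_uid, do_child_uid_fixed, SSHD_UID, struct options) are hypothetical, no real setuid() is performed, and the functions simply return the uid the exec'd process would inherit so the two behaviours can be compared.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical stand-in for sshd's ServerOptions: only the field that matters here. */
struct options {
    int use_login;   /* the UseLogin sshd_config option, 1 = yes, 0 = no */
};

/* sshd runs as root while it sets up the session (assumption for the model). */
#define SSHD_UID ((uid_t)0)

/* Pre-2.1.1 behaviour (model, not OpenSSH code).
 * With UseLogin off, sshd switches to the user itself.
 * With UseLogin on, sshd leaves the switch to login(1), but login(1) is only
 * exec'd for an interactive login shell, never for a remote command. */
static uid_t do_child_uid(struct options opt, const char *command, uid_t user_uid)
{
    uid_t uid = SSHD_UID;

    if (!opt.use_login)
        uid = user_uid;                 /* sshd's own setuid(user) path */

    if (command != NULL) {
        /* remote command: exec'd directly, login(1) never runs.
         * If use_login was set, nobody switched uid: still SSHD_UID. */
        return uid;
    }

    /* interactive shell: login(1) is exec'd and switches to the user itself */
    if (opt.use_login)
        return user_uid;
    return uid;
}

/* The 2.1.1 fix, as in the patch: login(1) is only used for a login shell,
 * so for a remote command fall back to sshd's normal setuid path. */
static uid_t do_child_uid_fixed(struct options opt, const char *command, uid_t user_uid)
{
    if (opt.use_login && command != NULL)
        opt.use_login = 0;
    return do_child_uid(opt, command, user_uid);
}

int main(void)
{
    const uid_t user = 1000;            /* constructed sample uid */
    const struct options on = { 1 }, off = { 0 };
    const char *cmd = "id";             /* constructed sample remote command */

    printf("UseLogin  command   vulnerable  fixed\n");
    printf("yes       \"%s\"      uid=%u       uid=%u\n", cmd,
           (unsigned)do_child_uid(on, cmd, user), (unsigned)do_child_uid_fixed(on, cmd, user));
    printf("yes       (shell)   uid=%u    uid=%u\n",
           (unsigned)do_child_uid(on, NULL, user), (unsigned)do_child_uid_fixed(on, NULL, user));
    printf("no        \"%s\"      uid=%u    uid=%u\n", cmd,
           (unsigned)do_child_uid(off, cmd, user), (unsigned)do_child_uid_fixed(off, cmd, user));
    return 0;
}
```

Only the combination UseLogin=yes plus a remote command differs between the two columns: the old path returns the sshd uid (root), the fixed path returns the user's uid. Every other combination was already correct, which is why the default installation (UseLogin off) is not affected.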
Credit:
The information has been provided by: Markus Friedl.
Vulnerable systems:
OpenSSH prior to 2.1.1 with the UseLogin option enabled.
Immune systems:
The default installation of OpenSSH is not vulnerable, since UseLogin is not enabled by default.
Only servers whose administrator has enabled UseLogin allow users to obtain privileged access on the machine running sshd.
Workaround:
Do not enable UseLogin on your machines, or disable it again in /etc/sshd_config:
UseLogin no
Patch:
Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from http://www.openssh.com.
Code Patch:
OpenSSH-1.2.2
--- sshd.c.orig Thu Jan 20 18:58:39 2000
+++ sshd.c Tue Jun 6 10:12:00 2000
@@ -2231,6 +2231,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
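Review bot: the check keys on `command != NULL`, so it only fires when the caller passes no command pointer at all; if any calling path hands over an empty string to mean "no command", `options.use_login` stays set and the old behaviour remains, so the caller's convention should be confirmed. A short comment that the assignment clears the global `options.use_login` for the rest of this session's processing, rather than a local copy, would also help the next reader.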
OpenSSH-1.2.3
--- sshd.c.orig Mon Mar 6 22:11:17 2000
+++ sshd.c Tue Jun 6 10:14:07 2000
@@ -2250,6 +2250,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
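Review bot: this hunk is the 1.2.2 change at a different offset, which is fine, but the approach is to switch UseLogin off for command sessions rather than to make sshd perform the uid switch before exec in every case; sshd_config(5) should therefore document that UseLogin only takes effect for interactive login shells and that remote commands never go through login(1).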
OpenSSH-2.1.0
--- session.c.orig Wed May 3 20:03:07 2000
+++ session.c Tue Jun 6 10:10:50 2000
@@ -744,6 +744,10 @@
struct stat st;
char *argv[10];
+ /* login(1) is only called if we execute the login shell */
+ if (options.use_login && command != NULL)
+ options.use_login = 0;
+
f = fopen("/etc/nologin", "r");
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
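Review bot: the downgrade of `options.use_login` is silent; a debug-level log line at this point, such as "UseLogin ignored for command execution", would let administrators who enabled UseLogin for what login(1) does at session start see that remote commands take the regular setuid path instead.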