26th Sep 2002 [SBWID-4756]
COMMAND
OpenSSH
SYSTEMS AFFECTED
FreeBSD 4.4 and earlier
PROBLEM
Przemyslaw Frasunek found the following, as posted on BugTraq:
OpenSSH delivered with FreeBSD 4.4 (and earlier) doesn't drop privileges
before messing with the login class capability database. The most
problematic part is:
    if (newcommand == NULL && !quiet_login && !options.use_login) {
        fname = login_getcapstr(lc, "copyright", NULL, NULL);
        if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
            while (fgets(buf, sizeof(buf), f) != NULL)
                fputs(buf, stdout);
            fclose(f);
and
    f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
        "/etc/motd"), "r");
    [...]
    while (fgets(buf, sizeof(buf), f))
        fputs(buf, stdout);
    fclose(f);
in session.c, which allows reading ANY file in the system with superuser
privileges, by defining:
    default:\
        :copyright=/etc/master.passwd:
or
        :welcome=/etc/master.passwd:
in the user's ~/.login_conf.
login(1), which is suid and spawned by telnetd, is also vulnerable to a
similar attack:
    if (!rootlogin)
        auth_checknologin(lc);
    [...]
    (void)setegid(pwd->pw_gid);
    (void)seteuid(rootlogin ? 0 : pwd->pw_uid);
Checking for nologin is performed with superuser privileges.
auth_checknologin() is a libutil function which displays the nologin file,
as defined in the login capability database. A user can read ANY file in
the system by defining:
    default:\
        :nologin=/etc/master.passwd:
SOLUTION
The FreeBSD core team has already been informed and official patches were
incorporated into the CVS repository *before* 4.4-RELEASE, although 4.4-RC
and earlier versions are vulnerable and need to be patched with:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libutil/login_cap.c?rev=1.17.2.3&content-type=text/plain
An official advisory is pending. It's possible that other *BSD systems
supporting the login capability database are also vulnerable.
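As an added, illustrative hardening of the pattern described above (not FreeBSD's actual patch and not code from the advisory): the file named by a user-controlled login-capability entry is opened only while the process carries the user's effective uid and gid, so the kernel's permission check, not root's, decides whether /etc/master.passwd may be read. The demo() self-check uses a constructed temp file and the invoking user's own ids, so it runs unprivileged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Read at most outlen-1 bytes of `path` into `out` while running with the
 * target user's effective uid/gid, so the kernel's permission check on the
 * file applies to the user, not to root. Returns bytes read, -1 on error. */
ssize_t read_file_as_user(const char *path, uid_t uid, gid_t gid,
                          char *out, size_t outlen)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    ssize_t n = -1;
    FILE *f;

    if (outlen == 0) return -1;
    /* Drop the gid first: once the euid is unprivileged, setegid() fails. */
    if (setegid(gid) != 0 || seteuid(uid) != 0)
        goto restore;
    /* With the user's credentials, /etc/master.passwd now fails with EACCES. */
    if ((f = fopen(path, "r")) != NULL) {
        n = (ssize_t)fread(out, 1, outlen - 1, f);
        fclose(f);
    }
restore:
    /* Regain privileges in reverse order; never continue half-restored. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    if (n >= 0)
        out[n] = '\0';
    return n;
}

/* Self-check on a constructed temp file, using the invoking user's ids. */
int demo(void)
{
    char tmpl[] = "/tmp/logincap.XXXXXX", buf[64];
    const char *msg = "Welcome\n";
    int fd = mkstemp(tmpl);
    if (fd < 0 || write(fd, msg, strlen(msg)) < 0)
        return 0;
    close(fd);
    int ok = read_file_as_user(tmpl, getuid(), getgid(), buf, sizeof buf) == 8
          && strcmp(buf, msg) == 0
          && read_file_as_user("/nonexistent/x", getuid(), getgid(), buf, sizeof buf) == -1;
    unlink(tmpl);
    return ok;
}
```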