Hello, All:

First-time post, but I think it's well worth it. Since nobody has directly
posted an implementable resolution, I'm sending 2 simple patches to repair
the newchannels.c and ssh-agent.c files, which are responsible for writing
to the symlink on vulnerable systems. I agree that this is definitely more
of a system issue and all, but the fix to ssh is a real simple one (which
raises the question 'why didn't SSH Comm. just fix it?'), and I haven't
looked at kernel source since 0.something. So, here's what they do:

About 8 new lines of code to newchannels.c (sshd) and ssh-agent.c
(ssh-agent1) do an lstat on the socket filename and fail auth forwarding
(with a syslogged error) if a symbolic link is found.

I have no idea how ethical/legal/moral/whatever posting these patches are,
but I figure it's better than enduring denial-of-service, and I did search
high and low for any sort of warnings not to. If I've done anything
inappropriate here, please let me know.

Eric Griffis
[EMAIL PROTECTED]

P.S. Real simple install for these. Regular old diff patches. Just cd into
the ssh-1.2.27 source directory and type:

patch < /path/to/patch-file

Do that for both. Rebuild the ssh package, then copy sshd and ssh-agent over
your current sshd1 and ssh-agent1 files.



-----Original Message-----
From: Solar Designer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, September 28, 1999 1:41 PM
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]


>Hi,
>
>> This is from a post I made to BugTraq on September 17, entitled
>> "A few bugs...".  If you're running Linux, it appears kernels pre 2.1 will
>> not be affected by this bug as they do not follow symlinks when creating
>> UNIX domain sockets (Solar Designer pointed this out after trying the
>> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
>> I'm generalizing).
>
>The same applies to mknod(2), which follows dangling symlinks on
>Linux 2.2, but doesn't on 2.0.  I've changed the code not to follow
>such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.
>
>As I am posting this anyway, -- other changes to the -ow patch for
>2.2 since I've announced it here include the real exit_signal fix,
>and the TCP sequence number fix I took from 2.2.13pre14.  (Speaking
>of the latter, it's funny how most of the randomness went into the
>wrong place on the stack, and probably remained unnoticed because of
>the fairly large and unused at the time "struct tcp_opt".  2.0 isn't
>vulnerable.  Yet another reason to continue running 2.0.38.)
>
>Signed,
>Solar Designer

patch-newchannels.c-ssh-1.2.27

patch-ssh-agent.c-ssh-1.2.27
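The check the post describes (an lstat() on the socket path, refusing to go ahead and logging via syslog if a symbolic link is found there), written out as an added example for this page. It is not Eric's patch and not code from ssh 1.2.27; the function names socket_path_is_safe, bind_unix_socket_nofollow and demo, and the temporary directory the self-test uses, are my own. The caveat worth keeping in mind: an lstat() followed by a bind() still leaves a time-of-check/time-of-use window in which a link can be planted, which is why the poster calls this a system issue and why the kernel-side change Solar Designer mentions (bind(2) and mknod(2) no longer following dangling symlinks) is the complete fix; the userland check narrows the exposure rather than closing it.

```c
/* Added example: refuse to create a UNIX domain socket on a path that is
 * currently a symbolic link. Assumed names; not ssh 1.2.27 code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <syslog.h>
#include <unistd.h>

/* Return 0 if path may be bound on: it does not exist, or it exists as
 * something other than a symbolic link (bind() then fails with EEXIST as
 * before). Return -1 with errno set if it is a symlink or lstat() fails. */
int socket_path_is_safe(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == 0) {
        if (S_ISLNK(st.st_mode)) {
            errno = ELOOP;
            return -1;
        }
        return 0;
    }
    return errno == ENOENT ? 0 : -1;
}

/* Create and bind a UNIX domain socket at path, refusing a symlink first.
 * Returns the socket fd or -1 with errno set; refusals are syslogged the
 * way the post's patches do it. */
int bind_unix_socket_nofollow(const char *path)
{
    struct sockaddr_un sa;
    int fd, saved;

    if (strlen(path) >= sizeof sa.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (socket_path_is_safe(path) < 0) {
        saved = errno;                       /* syslog() may clobber errno */
        syslog(LOG_ERR, "refusing to bind %s: symbolic link in the way", path);
        errno = saved;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    /* The window between the lstat() above and this bind() is still a
     * race; only the kernel refusing to follow dangling links closes it. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-test in a fresh temporary directory (constructed setup): a dangling
 * symlink where the socket would go must be refused with ELOOP, and a plain
 * path must succeed. Returns 1 on success, 0 on any failure. */
int demo(void)
{
    char dir[] = "/tmp/nofollowXXXXXX";
    char link[256], sock[256];
    int ok = 0, fd;

    if (!mkdtemp(dir))
        return 0;
    snprintf(link, sizeof link, "%s/agent-link", dir);
    snprintf(sock, sizeof sock, "%s/agent-sock", dir);
    if (symlink("/nonexistent/target", link) == 0) {   /* dangling link */
        fd = bind_unix_socket_nofollow(link);
        ok = (fd < 0 && errno == ELOOP);
        if (ok) {
            fd = bind_unix_socket_nofollow(sock);
            ok = (fd >= 0);
            if (fd >= 0)
                close(fd);
        }
    }
    unlink(link);
    unlink(sock);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused, plain path bound: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Build with a plain `cc` and run; the program cleans up the temporary directory it creates.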
