
[linux-security] openssh sftp subsystem bugs



Topic
=====
subsystem commands can be used to bypass command restrictions

Problem Description
===================
OpenSSH versions prior to 2.9.9, when configured to provide sftp access
using the subsystem feature, allow remote authenticated users to bypass
authorized_keys2 "command=" restrictions by using sftp commands.
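
A host is only affected when both conditions above hold, so an audit can test the configuration instead of the version string, which is unreliable where a distribution ships the fix under an older version number. The following check is an added example, not part of the original advisory; the function names, the sample files and the sftp-server path in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts where forced-command keys coexist with the sftp subsystem.

# Succeeds if sshd_config has an active (uncommented) "Subsystem sftp" line.
sftp_subsystem_enabled() {
    grep -Eiq '^[[:space:]]*subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Prints the number of key lines whose options field carries command="...".
# Options are a comma-separated list at the start of the line, before the key type.
count_forced_command_keys() {
    grep -Eic '^[[:space:]]*([a-z0-9-]+(="[^"]*")?,)*command="' "$1" || true
}

# Prints "exposed <n>" and returns 1 when both conditions hold, else prints "ok".
audit_host() {
    n=$(count_forced_command_keys "$2")
    if sftp_subsystem_enabled "$1" && [ "${n:-0}" -gt 0 ]; then
        echo "exposed $n"; return 1
    fi
    echo "ok"
}

# --- constructed sample input (key blobs are placeholders, not real keys) ---
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$demo/sshd_config.nosftp" <<'EOF'
Port 22
#Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$demo/authorized_keys2" <<'EOF'
# backup account: key may only run the backup job
command="/usr/local/bin/backup",no-pty ssh-dss AAAAPLACEHOLDER1 backup@example
no-port-forwarding,from="10.0.0.5,10.0.0.6",command="uptime" ssh-rsa AAAAPLACEHOLDER2 mon@example
ssh-dss AAAAPLACEHOLDER3 admin@example
EOF
audit_host "$demo/sshd_config" "$demo/authorized_keys2" || true          # exposed 2
audit_host "$demo/sshd_config.nosftp" "$demo/authorized_keys2" || true   # ok
```

On a real system, pass the server's sshd_config and each account's authorized_keys2 file; any "exposed" result means that account's "command=" restriction depends on the fix described in this advisory.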

OpenSSH 2.9 also contained a subtle bug in the routines which attempt to
confound an attacker using passive analysis, which would cause it to send
two confounding packets instead of one when a client finished sending it a
password.

Affected Versions
=================
OpenSSH versions < 2.9.9

Solution
========
Upgrade to openssh-2.9.9 or later
(or to a patched openssh package for your distribution).

RedHat 6.x
----------
RedHat 6.x did not come with openssh. The rpms provided on sphinx in the
contrib directory for RedHat 6.2 (/vol/vol1/distrib/redhat/6.2/contrib)
have been updated (i.e., recompiled from the RH 7.2 source rpms) and
are patched against this bug.
Please send me an email if you have problems with these rpms.

Assuming that you have mounted the sphinx distribution at /mnt/redhat, e.g.,

mount -t nfs sphinx.sfu.ca:/vol/vol1/distrib/redhat/6.2 /mnt/redhat

you can install those rpms in the following way:

cd /mnt/redhat/contrib
rpm -Fvh openssh-2.9p2-10.6.x.i386.rpm \
         openssh-clients-2.9p2-10.6.x.i386.rpm \
         openssh-server-2.9p2-10.6.x.i386.rpm \
         openssh-askpass-2.9p2-10.6.x.i386.rpm \
         openssh-askpass-gnome-2.9p2-10.6.x.i386.rpm

RedHat 7.0, 7.1
---------------
rpm -Fvh openssh-2.9p2-10.7.i386.rpm \
         openssh-clients-2.9p2-10.7.i386.rpm \
         openssh-server-2.9p2-10.7.i386.rpm \
         openssh-askpass-2.9p2-10.7.i386.rpm \
         openssh-askpass-gnome-2.9p2-10.7.i386.rpm

RedHat 7.2
----------
rpm -Fvh openssh-2.9p2-11.i386.rpm \
         openssh-clients-2.9p2-11.i386.rpm \
         openssh-server-2.9p2-11.i386.rpm \
         openssh-askpass-2.9p2-11.i386.rpm \
         openssh-askpass-gnome-2.9p2-11.i386.rpm