OpenSSH hole

From: Robin Smith (rasmith@aristotle.tamu.edu)
Date: 06/26/02


To: freebsd-security@FreeBSD.ORG
Date: Wed, 26 Jun 2002 08:26:37 -0500
From: Robin Smith <rasmith@aristotle.tamu.edu>

Having installed the openssh-portable port on a couple of FreeBSD boxes, I
have a note and a question.

Note:

The port does just about the whole job (creates user/group sshd, dir /var/empty)
and (with the option -D OPENSSH_OVERWRITE_BASE) puts all the stuff in the right
places, except for the sample rc script, which it tries to drop into /usr/etc/rc.d.
Since that's not part of the standard FreeBSD layout, the make then dies (so symlink
/usr/etc->/usr/local/etc). Otherwise, all I had to do was edit and install the config
files.

Question:

With privsep on, I see two 'sshd' processes created with each
connection, one owned by root and one by the connecting user.
However, if the connecting user happens to be root (i.e. if
PermitRootLogin is on), then there's no split (and even if there were,
both would be owned by root, of course). I haven't heard anything
much about how the exploit works, but can someone who knows what the
vulnerability actually is tell me if this means you're still vulnerable
even with 3.3 and privsep if you allow root logins?

Robin Smith
Department of Philosophy rasmith@tamu.edu
Texas A&M University Voice (979) 845-5696
College Station, TX 77843-4237 FAX (979) 845-0458
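As an added example (not part of Robin's post), here is a small check for the process split he describes: it parses `ps -axo pid,ppid,user,command` output, treats the sshd with parent pid 1 as the listener and each of its direct children as one connection's privileged process, and flags connections that have no child running as a non-root user. The ps sample and process titles are constructed, and the parent/child layout is an assumption about how privsep appears in the process table, not something the post itself confirms.

```python
from collections import defaultdict

# Constructed sample of `ps -axo pid,ppid,user,command` output (not captured
# from a real host). Process titles are illustrative only.
SAMPLE_PS = """\
  PID  PPID USER  COMMAND
  512     1 root  /usr/local/sbin/sshd
  600   512 root  sshd: alice [priv]
  601   600 alice sshd: alice@ttyp0
  700   512 root  sshd: root@ttyp1
  800   512 root  sshd: [accepted]
  801   800 sshd  sshd: [net]
"""

def parse_ps(text):
    """Parse ps output into a list of (pid, ppid, user, command) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, cmd = parts
        rows.append((int(pid), int(ppid), user, cmd))
    return rows

def unsplit_sshd_sessions(text):
    """Return pids of per-connection sshd processes that have no child
    running as a non-root user, i.e. connections with no privsep split.

    Assumption: the listening daemon is the sshd whose parent is pid 1;
    each of its direct children is one connection's privileged process,
    and privsep should give that process an unprivileged child."""
    rows = parse_ps(text)
    children = defaultdict(list)
    for pid, ppid, user, cmd in rows:
        children[ppid].append((pid, user))
    listeners = [pid for pid, ppid, user, cmd in rows
                 if ppid == 1 and cmd.split()[0].endswith("sshd")]
    flagged = []
    for listener in listeners:
        for conn_pid, conn_user in children[listener]:
            has_unpriv_child = any(u != "root" for _, u in children[conn_pid])
            if not has_unpriv_child:
                flagged.append(conn_pid)
    return flagged

if __name__ == "__main__":
    print(unsplit_sshd_sessions(SAMPLE_PS))  # [700]
```

In the constructed sample only the root login (pid 700) is flagged; the pre-auth connection (800) passes because its child runs as the unprivileged sshd user.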
