[UNIX] Rssh Root Privileges Escalation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 2 Jan 2006 11:13:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Rssh Root Privileges Escalation
" <http://www.pizzashack.org/rssh/index.shtml> rssh is a restricted shell
for use with OpenSSH, allowing only scp and/or sftp."
Rssh with SUID chroot allows attackers to gain root accesses and become
root on the system.
* rssh version 2.2.2 and prior
* rssh version 2.3.0
* rssh version 2.3.1
A flaw in the design of rssh_chroot_helper whereby it can be exploited to
chroot to arbitrary directories and thereby gain root access. If rssh is
installed on a system, and non-trusted users on that system have access
which is not protected by rssh (they have full shell access), then they
can use rssh_chroot_helper to chroot to arbitrary locations in the file
system, and thereby gain root access.
By careful configuration of file system mounts, it is possible to avoid
this problem; but doing so requires a fair amount of contortion which will
be difficult to re-engineer after an existing installation has already
been configured. The exploit requires the user to be able to write
executables in the directory they are chrooting to, and create hard links
to SUID binaries within that directory structure, so by preventing either
of these two things, the exploit will be foiled.
System administrators can accomplish this by careful configuration of
filesystem permissions, mount points, and mount options (such as no_exec,
no_suid, etc.). I will not go into details since the far better solution
is to upgrade.
The 2.3.0 release of rssh fixes this problem by forcing the chroot helper
program to re-parse the config file instead of allowing the chroot home to
be specified on the command line. Thus users not listed can not use it to
chroot (or will chroot to the default location specified by the sys
admin), and users who are listed will be chrooted to the directories where
they are supposed to go only.
The information has been provided by <mailto:code@xxxxxxxxxxxxxx> Derek
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next by Date: [UNIX] AIX getCommand and getShell Vulnerabilities
- Next by thread: [UNIX] AIX getCommand and getShell Vulnerabilities