Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

From: Damien Miller (djm_at_mindrot.org)
Date: 04/30/03

  • Next message: EnGarde Secure Linux: "[ESA-20030430-014] 'tcpdump' multiple vulnerabilities" 
    Date: Wed, 30 Apr 2003 13:39:49 +1000 (EST)
To: BUGTRAQ@SECURITYFOCUS.COM, <openssh-unix-dev@mindrot.org>, <openssh-unix-announce@mindrot.org>

    1. Systems affected:

            Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
            if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

            Please note that the IBM-supplied OpenSSH packages[1] are
            not vulnerable.

    2. Description:

            The default behavior of the runtime linker on AIX is to search
            the current directory for dynamic libraries before searching
            system paths. This is done regardless of the executable's
            set[ug]id status.

            This behavior is insecure and extremely dangerous. It allows an
            attacker to locally escalate their privilege level through the
            use of replacement libraries.

            Portable OpenSSH includes configure logic to override this
            broken behavior, but only for the native compiler. gcc uses a
            different command-line option (without changing the dangerous
            default behavior).

    3. Impact:

            Privilege escalation by local users.

    4. Short-term workaround:

            Remove any set[ug]id bits from the installed binaries,
            usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH
            may also install the 'ssh' binary as setuid.

            Please note that removing the setuid bit from ssh-keysign will
            disable hostbased authentication.

            Portable OpenSSH 3.6.1p2 uses the correct compiler flags to
            avoid the dangerous linker behavior.

    5. Solution:

            For the problem to be solved, the AIX linker must be changed to
            only search system paths by default and never search the current
            directory or user-specified paths for set[ug]id programs.

            We consider this a serious flaw in IBM's linker, and urge
            them to fix it immediately. IBM, are you listening?

    6. Credits:

            Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
            issue to our attention. Darren Tucker <dtucker@zip.com.au>
            contributed the fix.

    [1] http://oss.software.ibm.com/developerworks/projects/opensshi

  • Next message: EnGarde Secure Linux: "[ESA-20030430-014] 'tcpdump' multiple vulnerabilities"