ESB-2003.0328 -- OpenSSH Security Bulletin -- Dangerous AIX linker behavior (aixgcc.adv)

Date: 30 April 2003

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2003.0328 -- OpenSSH Security Bulletin
                Dangerous AIX linker behavior (aixgcc.adv)
                               30 April 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                openssh
Publisher:              OpenBSD
Operating System:       AIX
Impact:                 Increased Privileges
Access Required:        Existing Account

--------------------------BEGIN INCLUDED TEXT--------------------

1. Systems affected:

	Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
	if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

	Please note that the IBM-supplied OpenSSH packages[1] are 
	not vulnerable.

2. Description:

	The default behavior of the runtime linker on AIX is to search 
	the current directory for dynamic libraries before searching 
	system paths. This is done regardless of the executable's 
	set[ug]id status.

	This behavior is insecure and extremely dangerous. It allows an 
	attacker to locally escalate their privilege level through the 
	use of replacement libraries.

	Portable OpenSSH includes configure logic to override this 
	broken behavior, but only for the native compiler. gcc uses a
	different command-line option (without changing the dangerous 
	default behavior).

3. Impact:

	Privilege escalation by local users.

4. Short-term workaround:

	Remove any set[ug]id bits from the installed binaries,
	usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH 
	may also install the 'ssh' binary as setuid.

	Please note that removing the setuid bit from ssh-keysign will 
	disable hostbased authentication. 

	Portable OpenSSH 3.6.1p2 uses the correct compiler flags to 
	avoid the dangerous linker behavior.

5. Solution:

	For the problem to be solved, the AIX linker must be changed to 
	only search system paths by default and never search the current 
	directory or user-specified paths for set[ug]id programs.

	We consider this a serious flaw in IBM's linker, and urge
	them to fix it immediately.  IBM, are you listening?

6. Credits:

	Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
	issue to our attention. Darren Tucker <dtucker@zip.com.au>
	contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi

--------------------------END INCLUDED TEXT--------------------
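As an added, defender-side example (not part of the OpenSSH advisory or of this AusCERT bulletin), the following POSIX shell script parses the library search path that the AIX linker records in a binary, as printed by `dump -H`, and flags every component a set[ug]id program must never load from: the current directory, relative paths, and directories outside the system library paths. The `dump -H` sample is constructed, and the gcc-built ssh-keysign scenario it models is an assumption.

```shell
#!/bin/sh
# Added example (not from the OpenSSH advisory or AusCERT): audit the library
# search path (libpath) the AIX linker recorded in a set[ug]id binary. On AIX,
# `dump -H <binary>` prints it as INDEX 0 of the "Import File Strings" section;
# pipe that output into extract_libpath. A constructed copy is embedded below
# so the parser runs offline.

# Constructed sample (assumption: a gcc-built ssh-keysign whose libpath still
# carries the build-time directory and "."); layout modelled on dump -H.
SAMPLE_DUMP_H='                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/local/lib:.:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libcrypto.a         libcrypto.so.0.9.7'

# extract_libpath: read dump -H text on stdin, print the colon-separated libpath.
extract_libpath() {
    awk '/Import File Strings/ { seen = 1; next }
         seen && $1 == "0"    { print $2; exit }'
}

# unsafe_libpath_components: print each component of libpath $1 that a
# set[ug]id program must not load from: "" or "." (the current directory),
# a relative path, or a directory outside the system library paths.
unsafe_libpath_components() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            ""|.)          printf 'current-directory entry: "%s"\n' "$dir" ;;
            /usr/lib|/lib) ;;                          # system paths: fine
            /*)            printf 'non-system directory: %s\n' "$dir" ;;
            *)             printf 'relative path: %s\n' "$dir" ;;
        esac
    done
}

# audit_libpath: print findings for libpath $1; return 1 if there were any.
audit_libpath() {
    findings=$(unsafe_libpath_components "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run over the constructed sample.
libpath=$(printf '%s\n' "$SAMPLE_DUMP_H" | extract_libpath)
printf 'libpath: %s\n' "$libpath"
audit_libpath "$libpath" ||
    echo "UNSAFE: rebuild with libpath limited to /usr/lib:/lib, or clear the set[ug]id bit"
```

On an AIX host, feed the `dump -H` output for each set[ug]id OpenSSH binary (ssh-agent, ssh-keysign, and ssh on older versions) into extract_libpath; any finding means either rebuilding with the corrected flags of 3.6.1p2 or clearing the set[ug]id bit as the workaround describes.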

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
