Subject: Re: Fwd: OpenSSH UseLogin proof of concept exploit
To: Emre Yildirim <>
From: Lubomir Sedlacik <>
List: netbsd-users
Date: 12/06/2001 04:23:51


On Wed, Dec 05, 2001 at 09:21:48PM -0600, Emre Yildirim wrote:
> > though i still think there should be NetBSD security advisory released
> > and appropriate patches made. not every user of NetBSD is subscribed
> > there and someone could have UseLogin allowed for various reasons.
> Is this enabled by default?  I'm not at my box right now, so I can't
> really check.

fortunately not, unless someone hasn't set it for various reasons.


OpenSSH 3.0.2 has just been released.

Important Changes:

        This release fixes a vulnerability in the UseLogin option
        of OpenSSH.  This option is not enabled in the default
        installation of OpenSSH.

        However, if UseLogin is enabled by the administrator, all
        versions of OpenSSH prior to 3.0.2 may be vulnerable to
        local attacks.

        The vulnerability allows local users to pass environment
        variables (e.g. LD_PRELOAD) to the login process.  The login
        process is run with the same privilege as sshd (usually
        with root privilege).

        Do not enable UseLogin on your machines or disable UseLogin
        again in /etc/sshd_config:
            UseLogin no



-- Lubomir Sedlacik <>   ASCII Ribbon campaign against  /"\
--                  <>   e-mail in gratuitous HTML and  \ /
--                                       Microsoft proprietary formats   X
-- PGPkey:                                  / \
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF  716E 59CE B70B 7E3B 70E2

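A check for the setting the announcement says to disable, as an added example that is not part of the original message or of OpenSSH: it reads an sshd_config file and reports whether UseLogin is effectively enabled. It assumes the parsing rules documented in sshd_config(5) (case-insensitive keywords, optional `=` separator, first occurrence of a keyword wins); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the UseLogin option.
# Assumed parsing rules (sshd_config(5)): '#' comments, case-insensitive
# keywords, optional '=' separator, first occurrence of a keyword wins.

# Prints "yes", "no" (or whatever value is set), or "unset" when the
# keyword is absent and the built-in default (disabled) applies.
uselogin_setting() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # CRLF and leading blanks
        /^#/ || /^$/ { next }                    # comments, empty lines
        {
            n = match($0, /[ \t=]/)              # end of the keyword
            if (n == 0) next
            if (tolower(substr($0, 1, n - 1)) != "uselogin") next
            val = substr($0, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # drop separator
            gsub(/"/, "", val)                   # drop optional quotes
            split(val, word, /[ \t]+/)           # keep first argument only
            print tolower(word[1])
            found = 1
            exit                                 # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Returns 0 if UseLogin is off or unset, 1 if enabled, 2 if unreadable.
audit_uselogin() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    case "$(uselogin_setting "$1")" in
        yes) echo "FAIL: UseLogin is enabled in $1"; return 1 ;;
        *)   echo "OK: UseLogin is not enabled in $1"; return 0 ;;
    esac
}

# Constructed sample config: the commented-out line is ignored and the
# first live UseLogin line decides, so this sample is reported as FAIL.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '#UseLogin no' 'Port 22' 'useLogin = YES' 'UseLogin no' > "$tmp"
    audit_uselogin "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_uselogin "$1"; fi
```

Run it with the path to the server configuration as its only argument, for example the `/etc/sshd_config` named in the announcement.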