Articles / SuSE: local privilege escal…

SuSE: local privilege escalation in OpenSSH

This re-release of SuSE Security Announcement SuSE-SA:2001:044 adds another patch to the openssh-2.9.9p2 packages: A bug allows a local attacker on the server to specify environment variables that can influence the login process if the "UseLogin" configuration option on the server side is set to "yes". If exploited, the local attacker on the secure shell server can execute arbitrary commands as root. In the default configuration of the package, the UseLogin option is set to "no", which means that the administrator of the server must have set the option to "yes" manually before the bug can be exploited. Fixed packages are available from ftp.suse.com.
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                openssh
        Announcement-ID:        SuSE-SA:2001:045
        Date:                   Thursday, Dec 6th 2001 21:30 MET
        Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        5
        SuSE default package:   yes
        Other affected systems: systems running openssh

    Content of this advisory:
        1) security vulnerability resolved: openssh
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  Re-release of SuSE Security Announcement SuSE-SA:2001:044, brief history,
    Clarification, new problem fixed, upgrade information.

    This is a re-release of the SuSE Security Announcement SuSE-SA:2001:044,
    adding another bugfix for the openssh package as well as more detailed
    information about the vulnerabilities to prevent misunderstandings.

    The currently supported SuSE distributions 6.4 and newer come with two
    implementations of the secure shell protocol: The package names are
    "ssh" and "openssh".


    Brief history:
    In 1998, a vulnerability of the secure shell protocol in version 1 has
    been discovered and named "crc32 compensation attack". The vulnerability
    allows an attacker to insert arbitrary sequences into the ssh-1 protocol
    layer. At that time, an added patch fixed the problem in the ssh
    implementation (visible in the client-side verbose output of the ssh
    command (-v): "Installing crc compensation attack detector.").
    In early 2001, Michal Zalewski discovered that the widely used patch
    was defective and opened another security hole which is being actively
    exploited today. SuSE Security announcement SuSE-SA:2001:004, published
    February 16th 2001, available at *[1], addresses this defective patch,
    among other issues.

    Clarification/Apology:
    Our last openssh security announcement SuSE-SA:2001:044 (*[3]) may falsely
    lead to assume that the openssh-2.9.9p2 update packages on our ftp
    server fix the vulnerabilities known as crc32 compensation attack.
    This is incorrect since the openssh-2.3.0 packages released with SuSE
    Security announcement SuSE-SA:2000:047 in November 2000, available at
    *[2], already fixed the mentioned (among other) problems. The release
    of the openssh-2.9.9p2 update packages obsoletes the openssh-2.3.0 update
    packages.
    We explicitly regret the used wording and apologize to the openssh
    development team, in particular Markus Friedl and Theo De Raadt, and
    thank them for their excellent work on the project.

    Scanning utilities that can be found on the internet connect to port 22
    of a server and read the version string. It should be noted that the bare
    knowlege of the secure shell protocol version string does not allow to
    determine whether a running secure shell daemon is actually vulnerable
    to the defective fix for the crc32 compensation attack.
    SuSE security receive dozens of requests about statements if the daemons
    in use are vulnerable or not. Please see reference *[1].


    New problem fixed:
    This re-release of SuSE Security Announcement SuSE-SA:2001:044 (please
    see reference *[3] below) adds another patch to the openssh-2.9.9p2
    packages: A bug allows a local attacker on the server to specify
    environment variables that can influence the login process if the
    "UseLogin" configuration option on the server side is set to "yes".
    If exploited, the local attacker on the secure shell server can execute
    arbitrary commands as root.
    In the default configuration of the package, the UseLogin option is set
    to "no", which means that the administrator of the server must have set
    the option to "yes" manually before the bug can be exploited.

    Users who upgraded their SuSE openssh package before December 6th 2001
    should upgrade their package again. Use the command "rpm -q openssh"
    to see which version/release of the package you have installed, and
    compare this version with the one as listed below.


    Upgrade information:
    You can find out which implementation of the ssh protocol you are using
    with the command "rpm -qf /usr/bin/ssh".
    If you use the ssh-1.2.* package, please read Reference *[1].
    If you use the openssh-* package, please download the rpm package for
    your distribution from the URL list below, verify its integrity using
    the methods as described in section 3) of this security announcement
    and install the package using the command

        rpm -Uhv file.rpm

    where file.rpm is the filename of the package that you have downloaded.

    References:
    *[1]: http://www.suse.de/de/support/security/adv004_ssh.txt
    *[2]: http://www.suse.de/de/support/security/2000_047_openssh_txt.txt
    *[3]: http://www.suse.de/de/support/security/2001_044_openssh_txt.txt


    SPECIAL INSTALL INSTRUCTIONS:
    The sshd secure shell daemon on the server side has to be restarted for
    the new package to become active. If you are logged on on the console,
    the simple command "rcsshd restart" should do this for you.
    If you are logged on via secure shell, you should make sure that you
    do not terminate the connections that are established through the running
    secure shell daemon/its children. In this case, kill the daemon after
    package installation using the command
        kill -TERM `cat /var/run/sshd.pid`
    and then restart the daemon with the command
        /usr/sbin/sshd
    as root.

    Then, verify that the login procedure works as before. One of the main
    changes in the new openssh package is that the file
    $HOME/.ssh/authorized_keys2 is only read by the server if the file
    $HOME/.ssh/authorized_keys does not exist and if protocol version 2 is
    being used. The file $HOME/.ssh/authorized_keys2 can be removed after
    its contents have been added to $HOME/.ssh/authorized_keys.
    The two configuration files /etc/ssh/sshd_config (server side) and
    /etc/ssh/ssh_config (client side) contained in the openssh package
    do not get overwritten upon installation or upgrade, if you have changed
    them manually. Instead, the new configuration files are written with a
    .rpmnew suffix. The defaults as provided in the SuSE package make an
    effort to establish both convenience as well as security.



    NOTE: Packages for SuSE Linux distributions 7.0 and older containing
    cryptographic software are located on our German ftp server ftp.suse.de
    for legal reasons. Packages for all other distributions (7.1 and newer)
    can be found at their regular path at ftp.suse.com.



    i386 Intel Platform:
    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-74.i386.rpm
      f3d60cce6d62dbf79c36a849811c19d7
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-74.src.rpm
      4246e40b1e5a7b4456f2bb4c05177126

    SuSE-7.2
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-74.i386.rpm
      3764a15b17b0823c6fa2e8e4aee5af69
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-74.src.rpm
      e9cccadf767cb80e3c588266d6886153

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-73.i386.rpm
      4dbcdb2a544cadd36749baea890bc38e
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-73.src.rpm
      04400597a1b9526bc78344e8e523fa40

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-73.i386.rpm
      29dcc882bf30cbe88c94b07bb84e7216
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-73.src.rpm
      b852431e4711d7f45a8bd180532325b0

    SuSE-6.4
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-73.i386.rpm
      8cfe1e9d2dd964851acb42e1e13311b9
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-73.src.rpm
      a3686e39258d03c99fc2ba3573325c2a



    Sparc Platform:
    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-24.sparc.rpm
      32d3a1c735d2c27cb580fedeeed3a135
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-24.src.rpm
      82540b2297b2d03d45118b3c23a72bf8

    SuSE-7.1
    The update packages for the SuSE Linux 7.1 Sparc distributions are not
    available yet. The package can soon be found at
    ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh.rpm

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-24.sparc.rpm
      638891762f09e01b83e9c39c184ce9ea
    source rpm:
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-24.src.rpm
      ad3520ad8907c585f84facb742fc03bf




    AXP Alpha Platform:
    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-26.alpha.rpm
      04e815054c9bc3a1b0a1ddda8c6e2d10
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
      32c39e29517fc8269f252f7cc6f18bce

    The update packages for the SuSE Linux AXP/Alpha distributions before
    SuSE-7.1 are not available on our ftp server yet. These packages can be
    found at the usual location in the update paths on ftp.suse.de.




    PPC Power PC Platform:
    SuSE-7.3
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-49.ppc.rpm
      4b056c828675898bf482e9ecb4f91a0b
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-49.src.rpm
      e10ed49e7319c244caf324a64f16c738

    SuSE-7.1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-49.ppc.rpm
      163126a80ff0167b34c041348ef5c3c4
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-49.src.rpm
      948862c53dc62e921b03766c986a4de2

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-48.ppc.rpm
      aff3785ac9670daa0e06445ad9b5a2b9
    source rpm:
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-48.src.rpm
      ccfb132470cb61b52688fc12f1352b12

    SuSE-6.4
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-48.ppc.rpm
      ae20b7379474735126636aed05f6eeee
    source rpm:
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-48.src.rpm
      2351d7667c02a1ad33e21bd39196cf0a

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

  - We are currently testing kernel update packages for the recently
    found local security flaw in the ELF binary loader in the Linux
    kernel of all v2.4 versions and expect to be able to announce these
    update rpm packages soon with a re-release of our kernel security
    announcement.

______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum 
       after you downloaded the file from a SuSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We disrecommend to subscribe to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig 
       to verify the signature of the package, where  is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SuSE in rpm packages for SuSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the toplevel directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                .

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                .

    For general information or the frequently asked questions (faq)
    send mail to:
         or
         respectively.

    =====================================================================
    SuSE's security contact is  or .
    The  public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the cleartext signature shows proof of the
    authenticity of the text.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team 
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key 

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV
nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy
sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX
ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T
epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl
sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn
Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+
mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER
wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1
U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC
Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8
NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw
XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH
r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk
/xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i
JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n
lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK
nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852
Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx
ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U
VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT
Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN
89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU
XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z
+JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac
EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p
dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6
J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk
KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN
C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg
CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc
mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA==
=rVRn
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPA/bG3ey5gA9JdPZAQHnwAf/UHDibA3CmfvsAtnzeQ3YaEf7tgOMtvz0
wr9gMZlU+L96Trhv9iAeUEenYc2KTe8ye4SvLHxKlQ3IotmFjhoehLzYM/tynhM8
0nCsnK7vuQNmJnbyE8shWvmAcAv4klJW1g/hV73EhjO/YJe4nx7H+cF3M1hzhGwv
d4t9Y8SjHBrvSt9nuq/yFsta4dKy5il30jPtd379O3TcjJP4cBC30o3wKt11f9ld
GYSURp31kQT13VJxw75GxCkv3b0PpxepT1HUQmqGCGx1xxGV/XYKCbwCnwjHi4zC
n52B6gHc0wilYdLrQdHb0uZwVn4fcxHirbdpwVyWTrBgPkLE3aHVhg==
=tcBY
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.