OpenSSH Symbolic Link 'cookies' File Removal

2001-06-04T05:14:29
ID OSVDB:1853
Type osvdb
Reporter zen-parse()
Modified 2001-06-04T05:14:29

Description

Vulnerability Description

OpenSSH versions 2.9 and earlier contain a flaw that, with X forwarding enabled, may allow a malicious local user to delete any file named 'cookies' via a symlink attack. The issue is triggered when X forwarding is enabled and the user is able to delete their cookies file and make a symlink linking the cookies file of another user to their temp directory. It is possible that the flaw may allow users to delete the cookies files of others when logging out, resulting in a loss of availability of that file.

Solution Description

Upgrade to version 2.9.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by turning off X11 forwarding.

References:

Vendor URL: http://www.openssh.org/security.html
Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/006_sshcookie.patch
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-06/0011.html
ISS X-Force ID: 6676
Generic Informational URL: http://mail-index.netbsd.org/netbsd-announce/2001/07/24/0001.html
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
CVE-2001-0529
CERT VU: 655259
Bugtraq ID: 2825