OpenSSH Portable AIX linker Privilege Escalation

2003-04-29T22:39:49
ID OSVDB:4536
Type osvdb
Reporter Andreas Repp(andreas.repp@hanau.de)
Modified 2003-04-29T22:39:49

Description

Vulnerability Description

OpenSSH portable contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when OpenSSH is compiled with gcc or some other non-native AIX compiler, and an attacker places a specially crafted library in the current directory. This will allow the attacker to gain unauthorized privileges, and the flaw may lead to a loss of confidentiality.

Technical Description

The runtime linker on AIX will, by default, search the current directory for dynamic libraries before searching the system paths for them. This happens regardless of the setuid/setgid status of the executable. It is then trivial for an attacker to locally escalate privilege level by creating a malicious library and placing it in the current directory. OpenSSH portable is configured to override this behavior, but only for the native AIX compiler. Since gcc's command-line option is different, the linker reverts to the default behavior when OpenSSH portable is compiled with gcc or any other non-native AIX compiler.

Solution Description

Upgrade to version 3.6.1p2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by recompiling the OpenSSH files on AIX using the -blibpath option, or by compiling with the native AIX compiler. Another approach is to remove any setuid/setgid bits from the installed binaries, which may include ssh-agent, ssh-keysign, and ssh.
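As an added verification step that is not part of this advisory or of the OpenSSH project, the following POSIX shell snippet checks the libpath recorded in an AIX binary's loader section, as printed by `dump -H`, and flags any component that the loader would resolve relative to the current working directory. It assumes that the index-0 entry under "Import File Strings" in the `dump -H` output holds the libpath; the sample dump text is constructed.

```shell
#!/bin/sh
# Added defensive check (not from the advisory or OpenSSH): does the libpath
# recorded in a binary contain an entry resolved from the current directory?

# Return 0 (true) if the colon-separated libpath in $1 has a component that
# is empty or does not start with "/". Absolute entries only are considered safe.
libpath_is_unsafe() {
    _p="$1"
    case ":$_p:" in
        *::*) return 0 ;;        # empty component: treated as relative here
    esac
    _old_ifs="$IFS"; IFS=:
    _rc=1
    for _d in $_p; do
        case "$_d" in
            /*) ;;               # absolute directory, fine
            *) _rc=0 ;;          # ".", "..", "../openbsd-compat", ... unsafe
        esac
    done
    IFS="$_old_ifs"
    return $_rc
}

# Extract the index-0 PATH field from dump -H text supplied on stdin
# (assumed layout: the row with INDEX 0 carries the libpath).
libpath_from_dump() {
    awk '/Import File Strings/ { in_table = 1; next }
         in_table && $1 == "0" { print $2; exit }'
}

# Constructed sample resembling dump -H output for a binary whose libpath
# was recorded with "." ahead of the system directories.
SAMPLE_DUMP='                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:/usr/lib:/lib
1                                    libc.a              shr.o'

# 0 = libpath unsafe, 1 = libpath ok, for dump -H text passed as $1.
check_dump_text() {
    _lp=$(printf '%s\n' "$1" | libpath_from_dump)
    libpath_is_unsafe "$_lp"
}

if check_dump_text "$SAMPLE_DUMP"; then
    echo "UNSAFE libpath: $(printf '%s\n' "$SAMPLE_DUMP" | libpath_from_dump)"
else
    echo "libpath ok"
fi
```

On a real AIX host, feed `dump -H /path/to/ssh-keysign` into `libpath_from_dump` instead of the constructed sample; a libpath such as `/usr/lib:/lib` passes, while one containing `.` or any other relative entry is flagged.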

Short Description

OpenSSH portable contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when OpenSSH is compiled with gcc or some other non-native AIX compiler, and an attacker places a specially crafted library in the current directory. This will allow the attacker to gain unauthorized privileges, and the flaw may lead to a loss of confidentiality.

References:

Vendor Specific Solution URL: http://oss.software.ibm.com/developerworks/projects/opensshi
Mail List Post: http://www.securityfocus.com/archive/1/320038/2003-04-25/2003-05-01/0
ISS X-Force ID: 4220
CVE-2002-0746