OpenSSH on FreeBSD libutil Arbitrary File Read

2001-09-20T14:48:34
ID OSVDB:6073
Type osvdb
Reporter Przemyslaw Frasunek (venglin@freebsd.lublin.pl)
Modified 2001-09-20T14:48:34

Description

Vulnerability Description

OpenSSH on FreeBSD platforms contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the user sets welcome or copyright file parameters to system-sensitive files in their login.conf, which will disclose the contents of those files to that user, resulting in a loss of confidentiality.

Technical Description

OpenSSH's libutil fails to correctly drop privileges before interacting with the login class capability database. The problem is most serious in session.c, where this error allows users to read ANY file on the system with superuser privileges by defining either of:

    default:\
        :copyright=/etc/master.passwd:
        :welcome=/etc/master.passwd:

in the user's ~/.login_conf. (Substitute the file of your choice for /etc/master.passwd, although that would obviously be a popular choice.)

Solution Description

Upgrade to version 4.4-RELEASE or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch.
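
An audit check for the condition described above, as an added example that is not part of the original advisory or of OpenSSH: it parses the text of a per-user ~/.login_conf and reports copyright or welcome capabilities whose path resolves outside that user's home directory. The outside-home rule, the function names and the sample input are assumptions made for illustration.

```python
import os

# Capabilities the advisory says are read with superuser privileges.
WATCHED = ("copyright", "welcome")

# Constructed sample of a per-user ~/.login_conf (not from a real system).
SAMPLE = r"""
# constructed example
default:\
    :copyright=/etc/master.passwd:\
    :welcome=/home/alice/motd.txt:
"""

def parse_login_conf(text):
    """Parse getcap-style records into {class_name: {capability: value}}."""
    records, logical = {}, ""
    for raw in text.splitlines() + [""]:   # trailing "" flushes a dangling record
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):            # backslash-newline continues the record
            logical += line[:-1]
            continue
        record, logical = logical + line, ""
        if not record:
            continue
        fields = [f.strip() for f in record.split(":")]
        caps = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        for name in fields[0].split("|"):  # "name|alias" share one capability set
            records[name.strip()] = caps
    return records

def suspicious_entries(text, home):
    """Return (class, capability, path) tuples that point outside `home`.

    Assumed heuristic: a banner file a user legitimately sets lives under
    their own home directory; anything else deserves a manual look.
    """
    home = os.path.realpath(home)
    hits = []
    for cls, caps in parse_login_conf(text).items():
        for cap in WATCHED:
            if cap in caps:
                resolved = os.path.realpath(os.path.join(home, caps[cap]))
                if os.path.commonpath([home, resolved]) != home:
                    hits.append((cls, cap, caps[cap]))
    return hits

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE, "/home/alice"))
```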

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0173.html
Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2001/09/msg00223.html
CVE-2001-1029
Bugtraq ID: 8697