Vulnerability Note VU#19124

SSH authentication agent follows symlinks via a UNIX domain socket

Original Release date: 06 Feb 2001 | Last revised: 25 Oct 2001

Overview

Older versions of SSH allow local attackers to to establish ssh sessions as the victim user without authentication.

Description

The text of this document was originally released on January 20, 1998, as SNI-23, developed by Secure Networks, Inc. (SNI). To more widely broadcast this information, we are reprinting the SNI advisory here with their permission. Some technical details in the original advisory are not included in this reprint, and these are indicated thus:

The original advisory is currently available from
http://www.pgp.com/research/covert/advisories/024.asp


This advisory details a vulnerabily in the SSH cryptographic login program. The vulnerability enables users to use RSA credentials belonging to other users who use the ssh-agent program. This vulnerability may allow an attacker on the same local host to login to a remote server as the user utilizing SSH.

Problem Description:
In order to avoid forcing users of RSA based authentication to go through the trouble of retyping their pass phrase every time they wish to use ssh, slogin, or scp, the SSH package includes a program called ssh-agent, which manages RSA keys for the SSH program. The ssh-agent program creates a mode 700 directory in /tmp, and then creates an AF_UNIX socket in that directory. Later, the user runs the ssh-add program, which adds his private key to the set of keys managed by the ssh-agent program. When the user wishes to access a service which permits him to log in using only his RSA key, the SSH client connects to the AF_UNIX socket, and asks the ssh-agent program for the key.

Unfortunately, when connecting to the AF_UNIX socket, the SSH client is running as super-user, and performs insufficient permissions checking. This makes it possible for users to trick their SSH clients into using credentials belonging to other users. The end result is that any user who utilizes RSA authentication AND uses ssh-agent, is vulnerable. Attackers can utilize this vulnerability to access remote accounts belonging to the ssh-agent user.

Vulnerable Systems:
This vulnerability effects the Unix versions of SSH ONLY.
SSH for unix versions 1.2.17 through 1.2.21 are vulnerable if installed with default permissions. Versions of SSH prior to 1.2.17 are subject to a similar (but different) attack.

F-Secure SSH for Unix systems prior to release 1.3.3 ARE vulnerable.
You can determine the version of SSH you are running by issuing the case sensitive command:

% ssh -V

Version 1.1 of the windows-based SSH client sold by Data Fellows Inc. under the F-Secure brand name is NOT vulnerable to this attack.
Versions 1.0 and 1.0a of Mac SSH are NOT vulnerable to this attack.
Fix Resolution:
Non-commercial users:
If using the free non-commercial SSH distribution for Unix, administrators are urged to upgrade to SSH 1.2.22 or later. Updated versions of the free unix SSH can be found at ftp://ftp.cs.hut.fi/pub/ssh
Commercial users:
F-Secure SSH version 1.3.3 fixes this security problem. If you are using the commercial Data Fellows SSH package and you have a support contract, you can obtain SSH version 1.3.3 from your local retailer.
Users without a support contract can obtain a diff file which fixes this problem. This file can be obtained from: http://www.DataFellows.com/f-secure/support/ssh/bug/su132patch.html
Workaround:
As a temporary workaround, administrators may remove the setuid bit from the SSH binary. This will prevent the attack from working, but will disable a form of authentication documented as rhosts-RSA. For example, if your SSH binary is in the /usr/local/bin directory, the following command will remove the setuid bit from the SSH binary:

# chmod u-s /usr/local/bin/ssh

Additional Information
SSH is a cryptographic rsh, rlogin, and rcp replacement. SSH was written by Tatu Ylonen ylo@cs.hut.fi. For more information about the noncommercial unix version of SSH, please see http://www.cs.hut.fi/ssh
Commercial versions of ssh are marketed by Data Fellows Inc. For information about the F-secure ssh derivatives sold by Data Fellows Inc, please see http://www.DataFellows.com/f-secure.
This vulnerability was discovered by David Sacerdote davids@secnet.com.
{ DETAILS NOT INCLUDED }
Copyright Notice
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories
You can browse our web site at http://www.secnet.com
You can subscribe to our security advisory mailing list by sending mail to majordomo@secnet.com with the line "subscribe sni-advisories"

Impact

A malicious user is able to establish ssh sessions as a different local user.

Solution

Upgrade to a later version of ssh, as described in the text of this document.

Systems Affected (Learn More)

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks Secure Networks, Inc. for permission to reproduce technical content from their advisory SNI-23, which is copyrighted 1997 Secure Networks, Inc.

Other Information

  • CVE IDs: CVE-1999-0787
  • CERT Advisory: CA-1998-03
  • Date Public: 20 Jan 98
  • Date First Published: 06 Feb 2001
  • Date Last Updated: 25 Oct 2001
  • Severity Metric: 29.53
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.