Vulnerability Note VU#655259

OpenSSH allows arbitrary file deletion via symlink redirection of temporary file

Overview

Due to insecure handling of temporary files, some versions of sshd, an encrypted connection program, can delete any file named "cookies" accessible via the computer running sshd.

I. Description

sshd is the server software used to support ssh, a popular encryted connection program. Some versions of OpenSSH fail to handle temporary files in a secure fashion, allowing their removal during an ssh session. This removal may be reflected in the removal of files named "cookies" on the server. Since sshd runs setuid root, ownership and protection of the "cookies" file will be disregarded.

II. Impact

Using this exploit, an attacker may cause loss of data, particularly web location data used in many web sites.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Systems Affected

Vendor	Status	Date Notified
Caldera	Vulnerable	9-Aug-2001
Conectiva	Vulnerable	15-Nov-2001
Immunix	Vulnerable	15-Nov-2001
NetBSD	Vulnerable	31-Jul-2001
OpenBSD	Vulnerable	21-Aug-2001
OpenSSH	Vulnerable	21-Aug-2001

References

http://www.securityfocus.com/bid/2825
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc
http://www.openbsd.org/errata.html#sshcookie
http://www.linuxsecurity.com/advisories/other_advisory-1666.html
http://www.linuxsecurity.com/advisories/other_advisory-1654.html

Credit

This vulnerability was initially reported on the Bugtraq discussion list.

This document was last modified by Tim Shimeall.

Other Information

Date Public:	2001-06-12
Date First Published:	2001-08-21
Date Last Updated:	2001-11-15
CERT Advisory:
CVE-ID(s):	CAN-2001-0529
NVD-ID(s):	CAN-2001-0529
US-CERT Technical Alerts:
Metric:	0.76
Document Revision:	11

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader