FreeBSD: "[W]hen the OpenSSH server `sshd' is configured to use the system's login program (via the directive `UseLogin yes' in sshd_config), this environment is passed to login, which is invoked with superuser privileges. Because certain environmental variables such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously described feature, the user may arrange for login to execute arbitrary code with superuser privileges."
============================================================================= FreeBSD-SA-01:63 Security Advisory FreeBSD, Inc. Topic: OpenSSH UseLogin directive permits privilege escalation [REVISED] Category: core/ports Module: openssh Announced: 2001-12-02 Revised: 2001-12-06 Credits: Markus Friedl markus@OpenBSD.org>Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE FreeBSD 4.4-STABLE prior to the correction date Ports collection prior to the correction date Corrected: 2001-12-03 00:53:28 UTC (RELENG_4) 2001-12-03 00:54:18 UTC (RELENG_4_4) 2001-12-03 00:54:54 UTC (RELENG_4_3) 2001-12-02 06:52:40 UTC (openssh port) FreeBSD only: NO 0. Revision History v1.0 2001-12-02 Initial release v1.1 2001-07-31 Corrected patch instructions I. Background OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. Versions of OpenSSH are included in the FreeBSD ports collection and the FreeBSD base system. II. Problem Description OpenSSH includes a feature by which a user can arrange for environmental variables to be set depending upon the key used for authentication. These environmental variables are specified in the `authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the user's home directory on the server. This is normally safe, as this environment is passed only to the user's shell, which is invoked with user privileges. However, when the OpenSSH server `sshd' is configured to use the system's login program (via the directive `UseLogin yes' in sshd_config), this environment is passed to login, which is invoked with superuser privileges. Because certain environmental variables such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously described feature, the user may arrange for login to execute arbitrary code with superuser privileges. All versions of FreeBSD 4.x prior to the correction date including FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem. However, the OpenSSH server is configured to not use the system login program (`UseLogin no') by default, and is therefore not vulnerable unless the system administrator has changed this setting. In addition, there are two versions of OpenSSH included in the ports collection. One is ports/security/openssh, which is the BSD-specific version of OpenSSH. Versions of this port prior to openssh-3.0.2 exhibit the problem described above. The other is ports/security/openssh-portable, which is not vulnerable, even if the server is set to `UseLogin yes'. III. Impact Hostile but otherwise legitimate users that can successfully authenticate using public key authentication may cause /usr/bin/login to run arbitrary code as the superuser. If you have not enabled the 'UseLogin' directive in the sshd configuration file, you are not vulnerable to this problem. IV. Workaround Doing one of the following will eliminate the vulnerability: 1) Configure sshd to not use the system login program. Edit the server configuration file and change any `UseLogin' directives to `UseLogin no'. This is the preferred workaround. 2) If for whatever reason, disabling `UseLogin' is not possible, then one can instead disable public key authentication. Edit the server configuration file and change any `RSAAuthentication', `DSAAuthentication', or `PubKeyAuthentication' directives to `RSAAuthentication no', `DSAAuthentication no', and `PubKeyAuthentication no', respectively. For sshd included in the base system (/usr/bin/sshd), the server configuration file is `/etc/ssh/sshd_config'. For sshd from the ports collection, the server configuration file is `/usr/local/etc/sshd_config'. After modifying the sshd configuration file, the sshd daemon must be restarted by executing the following command as root: # kill -HUP `cat /var/run/sshd.pid` V. Solution 1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or 4.4-STABLE after the correction date, or patch your current system source code and rebuild. 2) FreeBSD 4.x systems prior to the correction date: The following patch has been verified to apply to FreeBSD 4.3-RELEASE, 4.4-RELEASE, and 4.4-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc Execute the following commands as root: # cd /usr/src/crypto/openssh # patch security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. In addition, the package automatically restarts the sshd daemon if it is running. Three versions of the upgrade package are available, depending on whether or not the system has the kerberosIV or kerberos5 distributions installed. 3a) For systems without kerberosIV or kerberos5 installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sshd-01.63.tgz 3b) For systems with kerberosIV only installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sshd-kerberosIV-01.63.tgz 3c) For systems with kerberos5 only installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sshd-kerberos5-01.63.tgz 3d) For systems with both kerberosIV and kerberos5 installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz [Ports collection] One of the following: 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgzftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed. 3) Download a new port skeleton for the openssh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgzftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz VI. Correction details Path Revision Branch ------------------------------------------------------------------------- src/crypto/openssh/session.c HEAD 1.18 RELENG_4 18.104.22.168 RELENG_4_4 22.214.171.124.4.1 RELENG_4_3 126.96.36.199.2.1 src/crypto/openssh/version.h HEAD 1.9 RELENG_4 188.8.131.52.2.7 RELENG_4_4 184.108.40.206.220.127.116.11 RELENG_4_3 18.104.22.168.22.214.171.124 ports/security/openssh/Makefile 1.79 ------------------------------------------------------------------------- For OpenSSH included in the base system, there is a version string indicating which FreeBSD localizations are available. The following table lists the version strings for each branch which include this security fix: Branch Version string ------------------------------------------------------------------------- HEAD OpenSSH_2.9 FreeBSD localisations 20011202 RELENG_4 OpenSSH_2.9 FreeBSD localisations 20011202 RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20011202 RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20011202 ------------------------------------------------------------------------- To view the version string of the OpenSSH server, execute the following command: % /usr/sbin/sshd -\? The version string is also displayed when a client connects to the server. VII. References http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c#rev1.110>