
rsshFormat.txt

Posted Oct 27, 2004
Authored by Derek Martin | Site pizzashack.org

rssh versions below 2.2.2 suffer from a format string vulnerability that may allow for privilege escalation.

tags | advisory
SHA-256 | 4e71754c1ea5a52d4e553addf2ba481fd95acd61c1c8fb641f366430dbdfc6a1

PIZZACODE SECURITY ALERT

program: rssh
risk: low[*]
problem: format string vulnerability in log.c
details:

rssh is a restricted shell for use with OpenSSH, allowing only scp
and/or sftp. For example, if you have a server which you only want to
allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that. Additionally, running rsync,
rdist, and cvs are supported, and access can be configured on a
per-user basis using a simple text-based configuration file. The rssh
homepage is here:

http://www.pizzashack.org/rssh/

Florian Schilhabel has identified a format string bug which can allow
an attacker to run arbitrary code from an account configured to use
rssh. [*]In general the risk is low, as in most cases the user can
only compromise their own account. The risk is mitigated by the fact
that before this bug can be exploited, the user must log in
successfully through ssh. This means that either the user is known to
the system (and therefore the administrators), or that the system is
probably already compromised.

However, on some older systems with broken implementations of the
setuid() family of functions, a root compromise may be possible with
certain configurations of rssh. Specifically, if rssh is configured
to use a chroot jail, it will exec() rssh_chroot_helper, which must be
setuid root in order to call chroot(). Normally, rssh_chroot_helper
calls setuid(getuid()) and drops privileges before any of the logging
functions are called, making a root compromise impossible on most
systems. However, some older systems which handle saved UIDs
improperly may be vulnerable to a root compromise. Linux in
particular is not vulnerable to this, nor should modern
POSIX-compliant Unix variants be. POSIX defines that the setuid()
system call will set all UIDs (real UID, saved UID, and effective UID)
to the specified UID if it is called with root privileges. Therefore in
general, a root compromise is not possible, and I am not specifically
aware of any systems on which one is possible.
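As an added illustration (not code from rssh or from this advisory), the two hardening points the advisory turns on: a logging helper that never lets caller-influenced text become the format string, with the vulnerable pattern shown only in a comment, and a privilege-drop routine that verifies the three-UID guarantee the previous paragraph relies on. Function names are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for getresuid() on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <syslog.h>

/* getresuid() is a Linux/BSD extension; declared explicitly in case
 * _GNU_SOURCE was not in effect when <unistd.h> was first included. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Hypothetical stand-in for a logging helper in log.c. The vulnerable
 * pattern the advisory describes is letting caller-influenced text become
 * the format string, e.g.  syslog(LOG_INFO, msg);  where msg holds a
 * user name: any "%x" or "%n" inside it is then interpreted. The fix is
 * a literal format with the user text only ever supplied as a %s argument.
 * Returns the formatted length, or -1 if the line would not fit. */
int log_safe(char *out, size_t outlen, const char *user, const char *what)
{
    int n = snprintf(out, outlen, "user %s: %s", user, what);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                 /* truncated: refuse rather than log a partial line */
    syslog(LOG_INFO, "%s", out);   /* out is data here, never a format */
    return n;
}

/* What a setuid-root helper like rssh_chroot_helper must do before it
 * logs anything: drop to the invoking user, then verify the POSIX rule
 * the advisory relies on, namely that setuid() called with root
 * privileges sets the real, effective AND saved UID, leaving no root
 * identity to regain. Returns 1 if all three UIDs equal the real UID,
 * 0 otherwise; on a system with the saved-UID bug the advisory mentions
 * it would return 0, and the helper should refuse to continue. */
int drop_privileges_verified(void)
{
    uid_t target = getuid();
    uid_t r, e, s;

    if (setuid(target) != 0)
        return 0;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == target && e == target && s == target;
}
```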

The 2.2.2 release of rssh fixes this format string vulnerability. I
have also gone over the code to make sure that no other such
vulnerabilities exist. In addition to fixing this problem, rssh 2.2.2
contains some new code to help diagnose problems when rssh fails, and
additional logging of error conditions is performed.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
